[27890] in Kerberos
Re: gssapi auth, and multihomed multinamed hosts
daemon@ATHENA.MIT.EDU (petesea@bigfoot.com)
Wed Jun 6 23:18:23 2007
Date: Wed, 06 Jun 2007 20:19:32 -0700 (Pacific Daylight Time)
From: petesea@bigfoot.com
In-reply-to: <mailman.499.1181146142.13985.kerberos@mit.edu>
To: kerberos@mit.edu
Message-id: <Pine.WNT.4.64.0706061049210.2480@oberon.home.org>
On Wed, 6 Jun 2007, eirvine@tpg.com.au wrote:
> I have a Solaris 10 server with two IP addresses: "fixed.example.com"
> and "float.example.com". The latter is an IP address that the server
> sometimes assumes as part of its role in a high-availability cluster.
>
> I have compiled my own openssh+gssapi version of sshd, and have got
> ssh single-sign-on working fine (both Windows SecureCRT, a patched
> version of PuTTY, and also the Unix OpenSSH clients). So far so good.
>
> It is now time to get gssapi auth working with the
> "float.example.com" address.
>
> Can I expect to just add the keytab for "float.example.com" into
> /etc/krb5.keytab and expect everything to be OK?

You may need to set GSSAPIStrictAcceptorCheck=no in sshd_config, which I
believe is only available with the GSSAPI Key Exchange patch for OpenSSH
4.4p1 or higher.

Then, as you already mentioned, make sure the host principals for both
fixed.example.com and float.example.com are in /etc/krb5.keytab.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
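
A pre-flight check for the two steps in the reply above, as an added example that is not part of the original message: it reads `klist -k` output and sshd_config text and reports which host principals are missing and what GSSAPIStrictAcceptorCheck resolves to. With the setting at `no`, sshd accepts a ticket for any service key in the keytab, so the keytab should hold only the principals this host is meant to answer for. The realm EXAMPLE.COM, the sample listings and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed; EXAMPLE.COM is an assumed realm.

# Read `klist -k` output on stdin (MIT/Solaris "KVNO Principal" layout assumed)
# and print every hostname argument that has no host/<name>@REALM entry.
missing_host_principals() {
    listing=$(cat)
    for h in "$@"; do
        printf '%s\n' "$listing" | awk -v want="host/$h@" '
            $1 ~ /^[0-9]+$/ {
                for (i = 2; i <= NF; i++) if (index($i, want) == 1) found = 1
            }
            END { exit !found }' || printf '%s\n' "$h"
    done
}

# Read sshd_config text on stdin and print the effective value of
# GSSAPIStrictAcceptorCheck. sshd keeps the first occurrence of a keyword,
# matches keywords case-insensitively, and accepts "Keyword value" or
# "Keyword=value"; sshd_config(5) gives the default as "yes".
strict_acceptor_check() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
        }
        tolower(f[1]) == "gssapistrictacceptorcheck" {
            print tolower(f[2]); seen = 1; exit
        }
        END { if (!seen) print "yes" }'
}

# Constructed sample: the floating name has not been added to the keytab yet.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------
   3 host/fixed.example.com@EXAMPLE.COM'

# Constructed sample sshd_config fragment using the setting from the reply.
SAMPLE_SSHD_CONFIG='GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck=no'

echo "missing host principals: $(printf '%s\n' "$SAMPLE_KLIST" |
    missing_host_principals fixed.example.com float.example.com)"
echo "GSSAPIStrictAcceptorCheck: $(printf '%s\n' "$SAMPLE_SSHD_CONFIG" |
    strict_acceptor_check)"
```

On a live host, pipe `klist -k /etc/krb5.keytab` and the contents of sshd_config into the two functions instead of the samples.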