[27903] in Kerberos


Re: Kerberos for authentication, php for authorization

daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Fri Jun 8 13:35:30 2007

In-Reply-To: <20070608123419.c129fba1.mba2000@ioplex.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Message-Id: <7572B0B3-65FE-483F-AE69-3525D0B6AFFF@sxw.org.uk>
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Fri, 8 Jun 2007 18:14:38 +0100
To: Michael B Allen <mba2000@ioplex.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


On 8 Jun 2007, at 17:34, Michael B Allen wrote:

> On Fri, 8 Jun 2007 09:00:09 +0100
> Simon Wilkinson <simon@sxw.org.uk> wrote:
>
>> Ultimately, this means you may need to have a keytab containing
>> multiple different principals for your service, and have
>> mod_auth_kerb accept any one of these principals. Unfortunately, the
>> code isn't there to do that in current mod_auth_kerb's.
>
> This seems odd to me. The krb5 lib should automatically seek out the
> right key by searching for the desired principal, enctype and kvno.

No, that's not how it works if you specify a principal when you call gss_accept_sec_context. When a principal is specified the library will only accept incoming connections which are directed at that principal.

mod_auth_kerb specifies HTTP/<gethostname()> as its acceptor principal, unless you override that with a mod_auth_kerb configuration directive, and even then you can only change it to use a different, single, principal. Historically, that's the best you could do with MIT Kerberos, unless you open the keytab, parse it to extract principal names, and call gss_accept_sec_context with each of them until it works.

Recent MIT libraries (for some value of recent - I'm not sure when the code went in) allow you to pass GSS_C_NO_CREDENTIAL in to the gss_accept_sec_context routine, so that it will accept any principal in the keytab. I suspect that this is the behaviour you are relying on - but mod_auth_kerb doesn't invoke the GSSAPI library in this way, and so doesn't have that feature.

Aside: If you're using a single, general purpose, keytab you almost certainly _don't_ want the GSS_C_NO_CREDENTIAL behaviour - you want to be sure that your ssh service will only accept 'host/' principals, for example.

Cheers,

Simon.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
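Added example (not code from the thread, from mod_auth_kerb or from MIT Kerberos): the workaround Simon describes is to open the keytab, parse out the principal names, and then try each one as the acceptor principal. The parser below reads the MIT keytab file format (version 0x0502: a 2-byte magic, then length-prefixed entries of realm, name components, name type, timestamp, 8-bit kvno, enctype and key, with an optional 32-bit kvno at the end). It also shows the point of his aside: a service that shares one keytab should still restrict itself to its own service class, so sshd picks only the 'host/' entries and a web server only the 'HTTP/' ones, rather than accepting whatever principal the keytab happens to contain. The sample keytab bytes are constructed in memory from a hypothetical EXAMPLE.COM realm and hostnames; no KDC or real keytab is involved.

```python
"""Enumerate the principals in an MIT-format keytab (file format 0x0502).

Added example, not code from the original thread, mod_auth_kerb or MIT
Kerberos.  The realm, hostnames and keys below are constructed sample data.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"           # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1                # name type used for service principals
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass(frozen=True)
class KeytabEntry:
    principal: str        # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def service(self) -> str:
        """Service class before the first '/', e.g. 'HTTP' or 'host'."""
        return self.principal.split("/", 1)[0].split("@", 1)[0]


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries: list[KeytabEntry]) -> bytes:
    """Serialise entries in MIT keytab v2 layout (used to build test input)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))       # v2: realm not counted
        body += _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                 # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body        # size prefix per entry
    return bytes(out)


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT v2 keytab, skipping deleted (negative-size) slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not an MIT keytab v2 file")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # deleted entry occupies |size| bytes
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; nonzero wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def acceptable_principals(entries: list[KeytabEntry], service: str) -> set[str]:
    """Principals one service should try as acceptor: only its own class.

    This is Simon's aside in code: sshd accepts only 'host/' entries and a
    web server only 'HTTP/' entries, even when both live in one keytab.
    """
    return {e.principal for e in entries if e.service == service}


# Constructed sample: one shared keytab for a box that answers to two names.
SAMPLE_ENTRIES = [
    KeytabEntry("host/web1.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1181304000,
                3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    KeytabEntry("HTTP/web1.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1181304000,
                3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64))),
    KeytabEntry("HTTP/www.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1181304000,
                300, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(64, 96))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e.principal:40} kvno={e.kvno:<4} enctype={e.enctype}")
    print("HTTP acceptors:", sorted(acceptable_principals(parsed, "HTTP")))
```

Each name in acceptable_principals() is what a mod_auth_kerb-style acceptor would pass, one at a time, as the acceptor credential to gss_accept_sec_context until one succeeds; restricting the set to the service's own class is what GSS_C_NO_CREDENTIAL gives up.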
