[31702] in Kerberos
Re: GSSAPI / Kerberos ticket authentication issues
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Nov 16 16:35:15 2009
From: Greg Hudson <ghudson@mit.edu>
To: "Broekman, Maarten" <Maarten.Broekman@fmr.com>
In-Reply-To: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM>
Date: Mon, 16 Nov 2009 16:34:49 -0500
Message-ID: <1258407289.24480.53.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
> $ ftp -n -i hostname --> Works properly
> $ ftp -n -i hostname-alt --> Doesn't work.

I believe this is a consequence of how ftpd uses GSSAPI. It's using
gss_acquire_cred to get credentials for ftp@localhostname and
host@localhostname, instead of just passing the default to
gss_accept_sec_context, which would make it work for any key in the
keytab.

I don't see any good opportunities for workarounds without patching and
recompiling gssftpd. The local hostname is determined by calling
gethostbyname() on the result of gethostname(), so you can typically
influence which hostname is picked by fiddling with /etc/hosts, but you
can't make it try multiple hostnames.

I'll bring this up on the dev list and see about getting it fixed for a
future release. If you do want to patch and rebuild to work around
this, I can probably come up with a provisional patch for you in short
order.
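
A diagnostic for the behaviour described in the message above, added here as an example; it is not part of the original message and not gssftpd code. It derives the local name the same way (gethostbyname() on gethostname()), lists the two service names a server would acquire from it, and checks whether a hostname given on the command line matches. The function names, and the assumption that the argument is the hostname the client's ticket names, are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Local name as the message describes: gethostbyname() on gethostname(). */
int local_canonical_name(char *out, size_t outlen)
{
    char raw[256];
    if (gethostname(raw, sizeof(raw)) != 0)
        return -1;
    raw[sizeof(raw) - 1] = '\0';
    struct hostent *he = gethostbyname(raw);
    if (he == NULL || he->h_name == NULL)
        return -1;
    return snprintf(out, outlen, "%s", he->h_name) < (int)outlen ? 0 : -1;
}

/* Build the host-based service name "svc@host"; -1 if it does not fit. */
int service_name(char *out, size_t outlen, const char *svc, const char *host)
{
    int n = snprintf(out, outlen, "%s@%s", svc, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Case-insensitive hostname comparison that ignores one trailing root dot. */
int same_host(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > 0 && a[la - 1] == '.') la--;
    if (lb > 0 && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

int main(int argc, char **argv)
{
    char local[256], name[300];
    const char *svcs[] = { "ftp", "host" };
    if (local_canonical_name(local, sizeof(local)) != 0)
        return 2;   /* local hostname did not resolve */
    for (int i = 0; i < 2; i++)
        if (service_name(name, sizeof(name), svcs[i], local) == 0)
            printf("server would acquire: %s\n", name);
    if (argc > 1)   /* argv[1]: hostname the client's ticket names (assumed) */
        printf("%s: %s\n", argv[1], same_host(local, argv[1]) ? "match" : "no match");
    return 0;
}
```

The check compares names only; it does not read the keytab or contact the KDC.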