[31703] in Kerberos


RE: GSSAPI / Kerberos ticket authentication issues

daemon@ATHENA.MIT.EDU (Broekman, Maarten)
Mon Nov 16 16:40:27 2009

Date: Mon, 16 Nov 2009 16:39:57 -0500
Message-ID: <466D8503CBF08E4190ECE2D302B8C72C02E96453@MSGBOSCLR2WIN.DMN1.FMR.COM>
From: "Broekman, Maarten" <Maarten.Broekman@fmr.com>
To: "Greg Hudson" <ghudson@mit.edu>
Cc: kerberos@mit.edu

Thanks Greg.  Getting it addressed in a future version would be great.  Unfortunately, I don't think I'll be able to patch and rebuild.

Maarten Broekman 

>  -----Original Message-----
>  From: Greg Hudson [mailto:ghudson@MIT.EDU]
>  Sent: Monday, November 16, 2009 4:35 PM
>  To: Broekman, Maarten
>  Cc: kerberos@mit.edu
>  Subject: Re: GSSAPI / Kerberos ticket authentication issues
>  
>  On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
>  > 		$ ftp -n -i hostname	--> Works properly
>  > 		$ ftp -n -i hostname-alt	--> Doesn't work.
>  
>  I believe this is a consequence of how ftpd uses GSSAPI.  It's using
>  gss_acquire_cred to get credentials for ftp@localhostname and
>  host@localhostname, instead of just passing the default to
>  gss_accept_sec_context, which would make it work for any key in the
>  keytab.
>  
>  I don't see any good opportunities for workarounds without patching and
>  recompiling gssftpd.  The local hostname is determined by calling
>  gethostbyname() on the result of gethostname(), so you can typically
>  influence which hostname is picked by fiddling with /etc/hosts, but you
>  can't make it try multiple hostnames.
>  
>  I'll bring this up on the dev list and see about getting it fixed for a
>  future release.  If you do want to patch and rebuild to work around
>  this, I can probably come up with a provisional patch for you in short
>  order.
>  
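Added example, not part of the original thread and not code from gssftpd or MIT krb5: a small diagnostic that derives the local name through the same gethostname() then gethostbyname() sequence the reply describes, builds the two acceptor names (ftp@ and host@ that name), and reports whether a name a client targets would match one of them. The helper names, the fallback to the raw gethostname() result, and the case-insensitive string comparison are assumptions of this example; client-side name canonicalization and realms are ignored.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define NAME_MAX_LEN 300

/* Local name as described in the thread: gethostname(), then gethostbyname().
 * Assumption of this example: fall back to the raw name if the resolver
 * has no entry for it. Returns 0 on success, -1 on failure. */
int local_canonical_name(char *out, size_t len)
{
    char raw[256];
    struct hostent *he;

    if (gethostname(raw, sizeof raw) != 0)
        return -1;
    raw[sizeof raw - 1] = '\0';
    he = gethostbyname(raw);          /* /etc/hosts ordering influences h_name */
    snprintf(out, len, "%s", (he && he->h_name) ? he->h_name : raw);
    return 0;
}

/* The two host-based service names acquired for the local name. */
void acceptor_names(const char *host, char names[2][NAME_MAX_LEN])
{
    snprintf(names[0], NAME_MAX_LEN, "ftp@%s", host);
    snprintf(names[1], NAME_MAX_LEN, "host@%s", host);
}

/* 1 if client_target (e.g. "ftp@hostname-alt") equals one of the acquired
 * names, 0 otherwise. A key for client_target in the keytab does not help
 * when no credential was acquired for that name. */
int name_is_served(const char *local_host, const char *client_target)
{
    char names[2][NAME_MAX_LEN];
    acceptor_names(local_host, names);
    return strcasecmp(client_target, names[0]) == 0 ||
           strcasecmp(client_target, names[1]) == 0;
}

int main(int argc, char **argv)
{
    char host[256];
    if (local_canonical_name(host, sizeof host) != 0) { perror("gethostname"); return 1; }
    printf("local name: %s\n", host);
    for (int i = 1; i < argc; i++)   /* args: service@host names clients target */
        printf("%-40s %s\n", argv[i], name_is_served(host, argv[i]) ? "matches an acquired name" : "no acquired credential");
    return 0;
}
```

Run it on the FTP server with the names clients use as arguments and compare the result with the principals listed by `klist -k` for the keytab.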


