[31704] in Kerberos
RE: GSSAPI / Kerberos ticket authentication issues
daemon@ATHENA.MIT.EDU (Broekman, Maarten)
Mon Nov 16 16:53:38 2009
Date: Mon, 16 Nov 2009 16:53:03 -0500
Message-ID: <466D8503CBF08E4190ECE2D302B8C72C02C1B633@MSGBOSCLR2WIN.DMN1.FMR.COM>
From: "Broekman, Maarten" <Maarten.Broekman@fmr.com>
To: "Greg Hudson" <ghudson@mit.edu>
Cc: kerberos@mit.edu
Greg,
One thing I realized I forgot to mention is that I also tried using the
scan_interfaces and extra_addresses tags in my krb5.conf, but that didn't
help. From the krb5.conf manpage, these looked like they might have
addressed the issue. Also, ssh suffers from the same problem as gssftp, so
I'm guessing this is a more general issue and not specific to gssftp.
Maarten Broekman
Fidelity | Investment Management Technology
TSO Server Architecture and Engineering
Office: (617) 563-9756
Cell: (617) 590-8005
Email: maarten.broekman@fmr.com
> -----Original Message-----
> From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On
> Behalf Of Broekman, Maarten
> Sent: Monday, November 16, 2009 4:40 PM
> To: Greg Hudson
> Cc: kerberos@MIT.EDU
> Subject: RE: GSSAPI / Kerberos ticket authentication issues
>
> Thanks Greg. Getting it addressed in a future version would be great.
> Unfortunately, I don't think I'll be able to patch and rebuild.
>
> Maarten Broekman
>
> > -----Original Message-----
> > From: Greg Hudson [mailto:ghudson@MIT.EDU]
> > Sent: Monday, November 16, 2009 4:35 PM
> > To: Broekman, Maarten
> > Cc: kerberos@mit.edu
> > Subject: Re: GSSAPI / Kerberos ticket authentication issues
> >
> > On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
> > > $ ftp -n -i hostname --> Works properly
> > > $ ftp -n -i hostname-alt --> Doesn't work.
> >
> > I believe this is a consequence of how ftpd uses GSSAPI. It's using
> > gss_acquire_cred to get credentials for ftp@localhostname and
> > host@localhostname, instead of just passing the default to
> > gss_accept_sec_context, which would make it work for any key in the
> > keytab.
> >
> > I don't see any good opportunities for workarounds without patching and
> > recompiling gssftpd. The local hostname is determined by calling
> > gethostbyname() on the result of gethostname(), so you can typically
> > influence which hostname is picked by fiddling with /etc/hosts, but you
> > can't make it try multiple hostnames.
> >
> > I'll bring this up on the dev list and see about getting it fixed for a
> > future release. If you do want to patch and rebuild to work around
> > this, I can probably come up with a provisional patch for you in short
> > order.
> >
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
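As an added illustration of Greg's explanation (this is example code written for this page, not code from the thread or from the MIT Kerberos distribution), the following Python models why the alias fails: gssftpd acquires credentials for ftp@ and host@ the one local canonical hostname, so a ticket for ftp/<alias> is rejected even though the alias's key is in the keytab, whereas passing the default credential (GSS_C_NO_CREDENTIAL) to gss_accept_sec_context would let any keytab entry be used. The keytab listing (in the shape of `klist -k` output), the /etc/hosts contents, the hostnames and the realm EXAMPLE.COM are all constructed sample data, and the /etc/hosts-only canonical-name rule is a simplification of gethostbyname(), which in practice may consult DNS as well.

```python
"""Predict which ftp service principals a GSSAPI acceptor can honour.

Added example; not code from the MIT Kerberos distribution or the thread.
It models the two acceptor strategies described on the list: gssftpd calling
gss_acquire_cred() for ftp@<localhostname> and host@<localhostname> (so only
those two principals are usable), versus passing the default credential
(GSS_C_NO_CREDENTIAL) to gss_accept_sec_context(), which lets any key in the
keytab be used. All input below is constructed sample data.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample in the shape of `klist -k` output (hypothetical keytab).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   3 host/server1.example.com@EXAMPLE.COM
   3 ftp/server1.example.com@EXAMPLE.COM
   2 ftp/server1-alt.example.com@EXAMPLE.COM
"""

# Constructed sample /etc/hosts. The first name on a line is the canonical
# name gethostbyname() reports here; the rest are aliases.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    server1.example.com server1 server1-alt.example.com
"""

# Same file with the alias promoted to canonical name: the /etc/hosts
# "fiddling" workaround mentioned in the thread.
SAMPLE_HOSTS_ALT_FIRST = """\
127.0.0.1   localhost
10.0.0.5    server1-alt.example.com server1 server1.example.com
"""

_KLIST_LINE = re.compile(r"^\s*\d+\s+(\S+)\s*$")


def parse_keytab_principals(klist_output: str) -> Set[str]:
    """Collect principal names from `klist -k` style output, skipping headers."""
    principals: Set[str] = set()
    for line in klist_output.splitlines():
        m = _KLIST_LINE.match(line)
        if m and "@" in m.group(1):
            principals.add(m.group(1))
    return principals


def canonical_hostname(hosts_file: str, name: str) -> str:
    """Mimic gethostbyname(name)->h_name using /etc/hosts semantics only."""
    for raw in hosts_file.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        names = line.split()[1:]
        if name in names:
            return names[0]
    raise LookupError(f"{name!r} has no /etc/hosts entry (constructed sample)")


def gssftpd_acceptor_names(hosts_file: str, gethostname_result: str,
                           realm: str) -> Set[str]:
    """Names gssftpd acquires credentials for: ftp@ and host@ the local
    canonical hostname, i.e. gethostbyname(gethostname())."""
    canon = canonical_hostname(hosts_file, gethostname_result)
    return {f"ftp/{canon}@{realm}", f"host/{canon}@{realm}"}


def acceptable_principals(keytab: Set[str],
                          acceptor_names: Optional[Set[str]]) -> Set[str]:
    """Service principals a ticket can be accepted for.

    acceptor_names=None models GSS_C_NO_CREDENTIAL passed to
    gss_accept_sec_context(): every key in the keytab is usable. A set
    models gss_acquire_cred() for exactly those names: only matching keytab
    entries can be used.
    """
    if acceptor_names is None:
        return set(keytab)
    return keytab & acceptor_names


def predict(requested: str, keytab: Set[str], hosts_file: str,
            gethostname_result: str, realm: str) -> Dict[str, bool]:
    """For a client requesting `requested` (ftp/<name>@REALM), report whether
    the ticket is usable under each acceptor strategy."""
    fixed = gssftpd_acceptor_names(hosts_file, gethostname_result, realm)
    return {
        "acquire_cred_fixed_names": requested in acceptable_principals(keytab, fixed),
        "default_credential": requested in acceptable_principals(keytab, None),
    }


if __name__ == "__main__":
    kt = parse_keytab_principals(SAMPLE_KLIST_K)
    for target in ("ftp/server1.example.com@EXAMPLE.COM",
                   "ftp/server1-alt.example.com@EXAMPLE.COM"):
        print(target, predict(target, kt, SAMPLE_HOSTS, "server1", "EXAMPLE.COM"))
```

Running it shows the canonical name usable under both strategies and the alias usable only under the default-credential strategy; swapping in SAMPLE_HOSTS_ALT_FIRST makes the alias work and the canonical name fail, which is exactly the "can't make it try multiple hostnames" limitation of the /etc/hosts workaround.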