[31705] in Kerberos
RE: GSSAPI / Kerberos ticket authentication issues
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Nov 16 17:40:57 2009
From: Greg Hudson <ghudson@mit.edu>
To: "Broekman, Maarten" <Maarten.Broekman@fmr.com>
In-Reply-To: <466D8503CBF08E4190ECE2D302B8C72C02C1B633@MSGBOSCLR2WIN.DMN1.FMR.COM>
Date: Mon, 16 Nov 2009 17:40:31 -0500
Message-ID: <1258411231.24480.57.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Mon, 2009-11-16 at 16:53 -0500, Broekman, Maarten wrote:
> Greg,
> One thing I realized I forgot to mention is that I also
> tried using the scan_interfaces and extra_addresses tags in my krb5.conf
> but that didn't help. From the manpage for the krb5.conf these looked
> like they might have addressed the issue.
Those settings don't pertain to this code.
> Also ssh suffers from the
> same problem as gssftp so I'm guessing this is a more general issue and
> not specific to gssftp.
Stock OpenSSH sshd has the same coding issue as ftpd, yes. If your sshd
had the gss-keyex patch, you could control this behavior with the
GSSAPIStrictAcceptorCheck config variable, but unfortunately Red Hat is
not one of the OS vendors who incorporate the gss-keyex patch.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos