The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed for multi-homed (or multi-domained) sites.

SSH recently added this enhancement to address this common need:

     GSSAPIStrictAcceptorCheck
             Determines whether to be strict about the identity of the GSSAPI
             acceptor a client authenticates against. If “yes” then the client
             must authenticate against the host service on the current
             hostname. If “no” then the client may authenticate against any
             service key stored in the machine’s default store. This facility
             is provided to assist with operation on multi homed machines.
             The default is “yes”.  Note that this option applies only to
             protocol version 2 GSSAPI connections, and setting it to “no” may
             only work with recent Kerberos GSSAPI libraries.

I've heard that other daemons support multiple names by, instead of using gethostname(), obtaining the hostname of the interface that the request came in on.

Can either approach be looked at for Dovecot?

Thanks,
--
Richard A Nelson (Rick)    cowboy@((linux.)?vnet|us).ibm.com
Phone: 1-408-463-5584      Fax: 1-408-463-3873
COBOL Development          IBM Silicon Valley Laboratory
http://www.ibm.com/software/awdtools/cobol/
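
The three acceptor-name policies mentioned in the message above (current hostname only, any key in the keytab, name of the receiving interface), modelled as an added example; this is not Dovecot or OpenSSH code, and the keytab contents, host names and function names are assumptions constructed for illustration.

```python
import socket

# Constructed keytab for a multi-homed IMAP server; all names are assumptions.
KEYTAB = {"imap/mail.example.com", "imap/mail.example.net", "host/mail.example.com"}

def local_name_for(conn, resolve=socket.getnameinfo):
    """Reverse-resolve the local address a connection arrived on."""
    # The PTR answer only selects a keytab entry; the client's ticket must
    # still be encrypted under that entry's key to be accepted.
    host, _port = resolve(conn.getsockname(), socket.NI_NAMEREQD)
    return host.rstrip(".").lower()

def acceptable_principals(policy, service, keytab, system_hostname, conn=None,
                          resolve=socket.getnameinfo):
    """Service principals the acceptor will take tickets for under each policy."""
    if policy == "strict":       # key for service/gethostname() only
        wanted = {f"{service}/{system_hostname}"}
    elif policy == "interface":  # key for the name of the receiving interface
        wanted = {f"{service}/{local_name_for(conn, resolve)}"}
    elif policy == "any":        # any key in the keytab, other services included
        return set(keytab)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return wanted & set(keytab)

def accepts(ticket_sname, policy, **kw):
    """True if a ticket issued for ticket_sname passes the chosen policy."""
    return ticket_sname in acceptable_principals(policy, keytab=KEYTAB, **kw)
```

Under the "any" policy the result includes `host/mail.example.com`, so a keytab shared between services should hold only the principals the daemon is meant to answer for.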
