Vladimir Terziev wrote:
>
> Hi All,
>
> I am implementing Kerberos as an authentication system. For the purpose I use MIT
> Kerberos v5, OpenSSH v3.4p1 and appropriate GSSAPI patches for OpenSSH from
> http://www.sxw.org.uk/computing/patches/openssh.html .
>
> Kerberized sshd works fine and uses Kerberos tickets for authentication when
> the machine has a single interface. But I have some multihomed machines which
> participate in different domains (respectively in different Kerberos realms). Sshd on
> these machines refuses to use my Kerberos tickets for authentication. I think this is
> because the GSSAPI patches for OpenSSH use the hostname for forming Kerberos principals. In
> my case, with multihomed machines, the hostname is different from one or more of
> the interface names of the machine.
>
> Does anybody have any idea how I can solve that nasty problem?
Yes, something like this in lib/gssapi/krb5/accept_sec_context.c. This is in the
middle of another mod for user-to-user so the patch is not exact. The idea is to let krb5_rd_req
use any key in the keytab that matches the ticket provided by the user,
then double check that it is acceptable. In our case we were switching realms.
*** 365,375 ****
goto fail;
}
! if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
cred->keytab, NULL, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
--- 639,736 ----
goto fail;
}
! if ((code = krb5_rd_req(context, &auth_context, &ap_req, NULL,
cred->keytab, NULL, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
+ /*
+ * Allow for lax checking of the princ name. This will allow
+ * us to have ssh and ftp use any of the tickets in the
+ * keytab, as we change from dce.anl.gov to KRB5.ANL.GOV
+ * rlogin already allows this. We will check all but realm.
+ */
+ if ( cred->princ && ticket->server) {
+ int i;
+ int nelem;
+ nelem = krb5_princ_size(context, cred->princ);
+ if (nelem == krb5_princ_size(context,ticket->server)) {
+ for (i = 0; i < nelem; i++) {
+ register const krb5_data *p1 =
+ krb5_princ_component(context, cred->princ ,i);
+ register const krb5_data *p2 =
+ krb5_princ_component(context, ticket->server,
+i);
+ if (p1->length != p2->length ||
+ memcmp(p1->data, p2->data,
+p1->length)) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ } else {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
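Review bot: the added component-by-component comparison still requires every component of ticket->server, including the host part of host/<name>, to equal cred->princ, so it relaxes only the realm and does not address the multihomed case raised above, where the ticket is for a different interface name than the one in cred->princ. Passing NULL as the server argument to krb5_rd_req already lets any matching keytab key decrypt the ticket; if the intent is to accept host/<any-interface-name>, the loop would have to skip (or match against a list for) the hostname component rather than demand equality, and the keytab must hold a key for each interface name. Note also that the hunk headers (`*** 365,375 ****` versus `--- 639,736 ----`) do not match the lines shown, so this will not apply with patch(1) as posted; the `+i);` and `+p1->length)) {` continuation lines are mail wrapping and need rejoining before use.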
>
> Regards,
>
> Vladimir
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444