"Derek R. Price" <[EMAIL PROTECTED]> writes:
> Please excuse my light grounding in Kerberos, but could you enlighten me a
> little further as to the reasons behind this and the possible repercussions?

Sure.

> What, exactly is a multi-homed server?

In this context, simply a machine running a cvs server that has
multiple interfaces.

Assume that you have a machine called 'foo.example.com' (this is the
value returned by `hostname'), that has several interfaces.  These
interfaces (or really, the addresses of them) can have different names
in DNS; let us suppose there is one that has the forward and
backward mapping of 'foo.example.com' and one for 'bar.example.com'.
There is a kerberos realm EXAMPLE.COM.

When running a CVS client with gss-api authentication against this
server, it is equally valid to use a CVSROOT of
:gserver:foo.example.com:/bla and :gserver:bar.example.com:/bla.
Since kerberos tickets are service-specific, a client might get one
for [EMAIL PROTECTED] or for [EMAIL PROTECTED].

With the old code, the server would always be expecting a ticket to be
for cvs/gethostname(), which obviously doesn't work if the client is
using a CVSROOT of :gserver:bar.example.com:/bla.

The way that the kerberos authentication works is that the server will
have a number of keys stored in a file (typically /etc/krb5.keytab)
and will verify that the tickets are correct against these keys.

My patch makes the server verify that the ticket it gets is for one of
the keys stored in that file and that it's named 'cvs/'.

> Also, what is preventing me from setting up Kerberos on my own
> outside server (say, kdc.priuvate.org), using kinit to grant myself
> a token for [EMAIL PROTECTED] on my current machine (say,
> work.big.com), then using that (previously invalid) token to grant
> myself access to the local cvs server (cvs.big.com)?

That the cvs server at cvs.big.com will only accept tickets that are
for keys that are stored in /etc/krb5.keytab.

I hope this makes it clearer.

/assar

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
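An added example, not from this thread or from the CVS sources, modelling the acceptance rule described in the reply above: the keytab contents, hostnames and realms are constructed, and "the principal is in the keytab" stands in for "a keytab key decrypts the ticket", which is what the real GSS-API accept step establishes.

```python
# Constructed model (not CVS's own code) of the keytab-based ticket check.
# In the real server the KDC encrypts a service ticket with the key of the
# principal it was issued for, and the GSS-API accept step can only decrypt
# it with a matching keytab entry; here "the principal is in the keytab"
# stands in for "a keytab key decrypts the ticket".

# Constructed keytab of the multi-homed host foo.example.com: it holds a cvs/
# key for every DNS name the host answers to, all in realm EXAMPLE.COM.
FOO_KEYTAB = {
    "cvs/foo.example.com@EXAMPLE.COM",
    "cvs/bar.example.com@EXAMPLE.COM",
    "host/foo.example.com@EXAMPLE.COM",
}

# Constructed keytab of cvs.big.com from the second question; it shares no key
# with the outside realm PRIUVATE.ORG, so nothing that KDC issues matches it.
BIG_KEYTAB = {"cvs/cvs.big.com@BIG.COM"}


def split_principal(principal):
    """Split 'service/instance@REALM' into (service, instance, realm)."""
    name, sep, realm = principal.partition("@")
    if not sep or not realm:
        raise ValueError("principal without realm: %r" % principal)
    service, sep, instance = name.partition("/")
    if not sep or not instance:
        raise ValueError("principal without instance: %r" % principal)
    return service, instance, realm


def old_server_accepts(ticket_principal, hostname, realm):
    """Old behaviour: the only acceptable ticket is cvs/<gethostname()>@REALM."""
    return ticket_principal == "cvs/%s@%s" % (hostname, realm)


def new_server_accepts(ticket_principal, keytab):
    """Patched behaviour: any ticket a keytab key can decrypt is acceptable,
    provided the principal it names is a cvs/ service principal."""
    if ticket_principal not in keytab:      # no key in the keytab: cannot decrypt
        return False
    service, _instance, _realm = split_principal(ticket_principal)
    return service == "cvs"                 # e.g. reject a host/ ticket


if __name__ == "__main__":
    for t in ["cvs/foo.example.com@EXAMPLE.COM", "cvs/bar.example.com@EXAMPLE.COM",
              "host/foo.example.com@EXAMPLE.COM"]:
        print("%-34s old=%s new=%s" % (t, old_server_accepts(t, "foo.example.com", "EXAMPLE.COM"),
                                       new_server_accepts(t, FOO_KEYTAB)))
    print("outside-realm ticket at cvs.big.com:",
          new_server_accepts("cvs/cvs.big.com@PRIUVATE.ORG", BIG_KEYTAB))
```

Running it shows the old check rejecting the ticket for bar.example.com while the patched check accepts it, and both checks rejecting a ticket minted by a KDC whose keys are absent from the keytab.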