On 25 Apr 2008, at 04:23, John Hascall wrote:
>
>>> If we take for example an sshd server on a typical Unix host, how does
>>> it figure out its own principal name? Suppose it has keys for
>>> multiple principals in the keytab, which one would it choose?
>
> I can't speak for how sshd does it,
I can - certainly for OpenSSH. If you're using out of the box OpenSSH, then it ties the acceptor principal to being host/fqdn, where the FQDN is the fully qualified domain name version of the machine's hostname. With my patches, turning off the GSSAPIStrictAcceptorCheck option will let it use any principal in the default keytab.

SSH is a GSSAPI protocol, so this is implemented at the GSSAPI, rather than Kerberos, API level (by using GSS_C_NO_CREDENTIALS for the server principal when calling accept_sec_context). It doesn't currently do the final step of making sure that the chosen acceptor's service name is 'host', because there's no method exposed in the current GSSAPI which will let you do so in a mechanism-independent manner.

Simon.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
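As an added illustration (not OpenSSH's code, nor Simon's), the following Python models the acceptor-name policy described above: the strict check that pins the acceptor to host/<fqdn>, and the relaxed mode that accepts any keytab principal but still performs the missing "final step" of verifying that the service part is 'host'. It assumes the acceptor name has already been obtained after accept_sec_context (e.g. via gss_inquire_context and gss_display_name) in Kerberos display form, which is exactly the mechanism-specific assumption the message says GSSAPI itself cannot make.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KrbPrincipal:
    """Components of a Kerberos principal such as host/ssh.example.com@EXAMPLE.COM."""
    service: str
    instance: str   # empty for single-component principals like alice@REALM
    realm: str


def parse_principal(display_name: str) -> KrbPrincipal:
    """Parse the Kerberos display form 'service/instance@REALM'.

    This is Kerberos-specific (an assumption of this example); GSSAPI gives
    no mechanism-independent way to split an acceptor name into components.
    Backslash-escaped '@' or '/' in names is not handled here.
    """
    if "@" not in display_name:
        raise ValueError(f"missing realm in {display_name!r}")
    name, realm = display_name.rsplit("@", 1)
    service, _, instance = name.partition("/")
    if not service or not realm:
        raise ValueError(f"malformed principal {display_name!r}")
    return KrbPrincipal(service, instance, realm)


def acceptor_allowed(display_name: str, local_fqdn: str, strict: bool = True) -> bool:
    """Decide whether the acceptor principal the mechanism chose may be used.

    strict=True  models the default (GSSAPIStrictAcceptorCheck on): the
                 acceptor must be exactly host/<local fqdn>.
    strict=False models the relaxed mode plus the check the message says is
                 still missing: any keytab principal is fine, but the service
                 name must be 'host' so e.g. an HTTP/ or nfs/ key is refused.
    Hostnames compare case-insensitively; anything unparsable is refused.
    """
    try:
        p = parse_principal(display_name)
    except ValueError:
        return False
    if p.service != "host":
        return False
    if strict:
        return p.instance.lower() == local_fqdn.lower()
    return bool(p.instance)
```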
