On Wed, Jan 26, 2011 at 04:16:54AM +0000, Victor Sudakov wrote:
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g.
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?
AFAIK, it's a parameter to gss_acquire_cred(). You might find this patch from Russ Allbery a starting point:

http://bugzilla.cyrusimap.org/show_bug.cgi?id=3380

(which passes NO_NAME, which means that any key in the keytab which is capable of decrypting the ticket is acceptable)

Looking at openssh source[*], check out ssh_gssapi_acquire_cred (gss-serv.c) which calls ssh_gssapi_import_name (gss-genr.c). It looks like it's hardcoded to "host@<hostname>" which in turn is translated into host/<hostname> by GSSAPI.

However, you can also see that if you turn off options.gss_strict_acceptor then it also passes NO_NAME, and hence uses any suitable keytab entry.

Regards,

Brian.

[*] I'm looking at the source from "apt-get source openssh-server" in Ubuntu 10.10, which is openssh-5.5p1 with a lot of Debian-applied patches

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
