From owner-freebsd-audit Mon Jul 16 5:18:29 2001
Date: Mon, 16 Jul 2001 07:18:25 -0500
From: "Jacques A. Vidrine"
To: Sheldon Hearn
Cc: freebsd-audit@freebsd.org
Subject: Re: Add `ServerPrincipalFromSocket' option to sshd
Message-ID: <20010716071825.E10944@madman.nectar.com>
References: <20010713153946.G67153@madman.nectar.com> <4602.995275616@axl.seasidesoftware.co.za>
In-Reply-To: <4602.995275616@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Mon, Jul 16, 2001 at 11:26:56AM +0200
User-Agent: Mutt/1.2.5i

On Mon, Jul 16, 2001 at 11:26:56AM +0200, Sheldon Hearn wrote:
> On Fri, 13 Jul 2001 15:39:46 EST, "Jacques A. Vidrine" wrote:
>
> > Our sshd very annoyingly uses the hostname to form the principal it
> > uses for Kerberos authentication. This is especially a problem on
> > machines with multiple IP addresses.
>
> Interesting. You know about k5init --no-address, though, yes?

Yes, but that is something entirely different. `--no-addresses' is used
to obtain a TGT that has, well, no addresses. `ServerPrincipalFromSocket'
is used by the server to determine which principal name to use.

Maybe an example will help. Pretend we have a machine with two IP
addresses which reverse map to A.COMPANY.COM and B.COMPANY.COM
respectively. Pretend further that the machine's hostname (as returned
by gethostname()) is A.COMPANY.COM.

Then in the following table, the `ssh to' column is the hostname given
to ssh (e.g. the user typed `ssh a.company.com' in the first row); the
`AP-REQ' column lists the server principal name that will be in the
client's AP-REQ as a result of the hostname given to ssh; the `[1]'
column is the setting of `ServerPrincipalFromSocket'; the `sshd expects'
column is the server principal name used by sshd; and the `result'
column specifies whether authentication will work or not.

   ssh to          AP-REQ               [1]   sshd expects         result
   a.company.com   host/a.company.com   no    host/a.company.com   OK
   b.company.com   host/b.company.com   no    host/a.company.com   fail
   a.company.com   host/a.company.com   yes   host/a.company.com   OK
   b.company.com   host/b.company.com   yes   host/b.company.com   OK

As I mentioned earlier, `ServerPrincipalFromSocket yes' causes sshd to
select the server principal in much the same way as telnetd and ftpd do.

I hope this helps,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
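The mismatch described in the message above, modelled as an added Python example (not code from OpenSSH, from the FreeBSD patch under discussion, or from the poster): the client derives its AP-REQ principal from the name the user typed, while the server derives its own principal either from gethostname() or from a reverse lookup of the local address of the accepted socket. The realm `COMPANY.COM`, the addresses `192.0.2.10`/`192.0.2.11` and the PTR map are constructed for the example; the fallback to gethostname() when the socket address has no reverse mapping is an assumption, not behaviour the thread states.

```python
"""Simulation of Kerberos server-principal selection in an sshd.

Constructed example: reproduces the four rows of the table in the thread
without any network I/O. The PTR map, realm and addresses are made up.
"""

REALM = "COMPANY.COM"  # assumed realm for the example

# Constructed reverse (PTR) map for a machine with two addresses.
PTR_MAP = {
    "192.0.2.10": "A.COMPANY.COM",
    "192.0.2.11": "B.COMPANY.COM",
}
# Forward map used only to find which address the client connected to.
FORWARD_MAP = {name.lower(): addr for addr, name in PTR_MAP.items()}

GETHOSTNAME = "A.COMPANY.COM"  # what gethostname() returns on this host


def host_principal(name: str, realm: str = REALM) -> str:
    """Form a host/ service principal; the host part is lowercased,
    which is the usual canonical form for Kerberos host principals."""
    return f"host/{name.lower()}@{realm}"


def client_principal(ssh_to: str) -> str:
    """Principal the ssh client puts in its AP-REQ: derived from the
    hostname the user typed on the command line."""
    return host_principal(ssh_to)


def server_principal(local_addr: str, from_socket: bool,
                     hostname: str = GETHOSTNAME) -> str:
    """Principal sshd expects to find in the AP-REQ.

    from_socket=False: use gethostname(), the behaviour the thread
                       complains about on multi-homed machines.
    from_socket=True:  reverse-map the local address of the accepted
                       socket (assumed fallback: gethostname() when the
                       address has no PTR record).
    """
    if from_socket:
        name = PTR_MAP.get(local_addr)
        if name is None:
            name = hostname
        return host_principal(name)
    return host_principal(hostname)


def authenticate(ssh_to: str, from_socket: bool) -> tuple:
    """Simulate one row of the table.

    Returns (ap_req_principal, sshd_expected_principal, 'OK' or 'fail').
    Authentication succeeds only when both sides agree on the principal.
    """
    local_addr = FORWARD_MAP[ssh_to.lower()]  # address the client connected to
    ap_req = client_principal(ssh_to)
    expected = server_principal(local_addr, from_socket)
    return ap_req, expected, "OK" if ap_req == expected else "fail"


def table() -> list:
    """Build the same four rows as the table in the thread:
    (ssh to, AP-REQ, ServerPrincipalFromSocket, sshd expects, result)."""
    rows = []
    for from_socket in (False, True):
        for ssh_to in ("a.company.com", "b.company.com"):
            ap_req, expected, result = authenticate(ssh_to, from_socket)
            rows.append((ssh_to, ap_req, "yes" if from_socket else "no",
                         expected, result))
    return rows


if __name__ == "__main__":
    for row in table():
        print("  ".join(row))
```

Running the block prints the four rows; only the second row (connecting to b.company.com with the option off) fails, because sshd still insists on host/a.company.com while the client's AP-REQ names host/b.company.com. With the option on, both sides agree in every row.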