Date: Mon, 16 Jul 2001 07:18:25 -0500
From: "Jacques A. Vidrine" <n@nectar.com>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: freebsd-audit@freebsd.org
Subject: Re: Add `ServerPrincipalFromSocket' option to sshd
Message-ID: <20010716071825.E10944@madman.nectar.com>
In-Reply-To: <4602.995275616@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Mon, Jul 16, 2001 at 11:26:56AM +0200
References: <20010713153946.G67153@madman.nectar.com> <4602.995275616@axl.seasidesoftware.co.za>
On Mon, Jul 16, 2001 at 11:26:56AM +0200, Sheldon Hearn wrote: > On Fri, 13 Jul 2001 15:39:46 EST, "Jacques A. Vidrine" wrote: > > > Our sshd very annoyingly uses the hostname to form the principal it > > uses for Kerberos authentication. This is especially a problem on > > machines with multiple IP addresses. > > Interesting. You know about k5init --no-address, though, yes? Yes, but that is something entirely different. `--no-addresses' is used to obtain a TGT that has, well, no addresses. `ServerPrincipalFromSocket' is used by the server to determine which principal name to use. Maybe an example will help. Pretend we have a machine with two IP addresses which reverse map to A.COMPANY.COM and B.COMPANY.COM respectively. Pretend further that the machine's hostname (as returned by gethostname()) is A.COMPANY.COM. Then in the following table, the `ssh to' column is the hostname given to ssh (e.g. the user typed `ssh a.company.com' in the first row); the `AP-REQ' column lists the server principal name that will be in the client's AP-REQ as a result of the hostname given to ssh; the `[1]' column is the setting of `ServerPrincipalFromSocket'; the `sshd expects' is the server principal name used by sshd; and the `result' column specifies whether authentication will work or not. ssh to AP-REQ [1] sshd expects result a.company.com host/a.company.com no host/a.company.com OK b.company.com host/b.company.com no host/a.company.com fail a.company.com host/a.company.com yes host/a.company.com OK b.company.com host/b.company.com yes host/b.company.com OK As I mentioned earlier, `ServerPrincipalFromSocket yes' causes sshd to select the server principal in much the same way as telnetd and ftpd do. I hope this helps, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message