Date:      Mon, 16 Jul 2001 07:18:25 -0500
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Sheldon Hearn <sheldonh@starjuice.net>
Cc:        freebsd-audit@freebsd.org
Subject:   Re: Add `ServerPrincipalFromSocket' option to sshd
Message-ID:  <20010716071825.E10944@madman.nectar.com>
In-Reply-To: <4602.995275616@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Mon, Jul 16, 2001 at 11:26:56AM +0200
References:  <20010713153946.G67153@madman.nectar.com> <4602.995275616@axl.seasidesoftware.co.za>

On Mon, Jul 16, 2001 at 11:26:56AM +0200, Sheldon Hearn wrote:
> On Fri, 13 Jul 2001 15:39:46 EST, "Jacques A. Vidrine" wrote:
> 
> > Our sshd very annoyingly uses the hostname to form the principal it
> > uses for Kerberos authentication.  This is especially a problem on
> > machines with multiple IP addresses.
> 
> Interesting.  You know about k5init --no-address, though, yes?

Yes, but that is something entirely different.  `--no-addresses' is
used to obtain a TGT that has, well, no addresses.

`ServerPrincipalFromSocket' is used by the server to determine which
principal name to use.  Maybe an example will help.

Pretend we have a machine with two IP addresses which reverse map to
A.COMPANY.COM and B.COMPANY.COM respectively.  Pretend further that the
machine's hostname (as returned by gethostname()) is A.COMPANY.COM.

Then in the following table, the `ssh to' column is the hostname given
to ssh (e.g. the user typed `ssh a.company.com' in the first row); the
`AP-REQ' column lists the server principal name that will be in the
client's AP-REQ as a result of the hostname given to ssh; the `[1]'
column is the setting of `ServerPrincipalFromSocket'; the `sshd
expects' column is the server principal name used by sshd; and the
`result' column specifies whether authentication will work or not.

ssh to          AP-REQ               [1]  sshd expects          result
a.company.com   host/a.company.com   no   host/a.company.com    OK
b.company.com   host/b.company.com   no   host/a.company.com    fail
a.company.com   host/a.company.com   yes  host/a.company.com    OK
b.company.com   host/b.company.com   yes  host/b.company.com    OK

As I mentioned earlier, `ServerPrincipalFromSocket yes' causes sshd to
select the server principal in much the same way as telnetd and ftpd
do.

I hope this helps,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
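
The table in the message above, worked through as an added example
(not OpenSSH or FreeBSD code, and not part of the original message).
The model assumes that "from socket" means reverse-mapping the local
address of the accepted connection, which is what the two reverse-mapping
IPs in the example imply; the addresses 192.0.2.1/192.0.2.2, the realm
COMPANY.COM and the REVERSE_MAP table are constructed stand-ins for real
PTR lookups, and the string comparison stands in for the real check,
which is whether sshd holds the key for the principal named in the
ticket.

```python
"""Model of how sshd picks its Kerberos service principal, and why the
choice matters on a multi-homed host.  Added example; assumptions are
marked as such in the comments."""

# Constructed stand-in for reverse DNS (PTR) lookups: local socket
# address -> name.  Assumption: the names are what the resolver returns.
REVERSE_MAP = {
    "192.0.2.1": "a.company.com",
    "192.0.2.2": "b.company.com",
}
# What gethostname() returns on this machine (per the message: A).
GETHOSTNAME = "a.company.com"
# Assumed realm; the message does not name one.
REALM = "COMPANY.COM"


def client_principal(ssh_target: str) -> str:
    """Service principal the client puts in its AP-REQ.  The message
    shows it is formed from the hostname the user typed."""
    return f"host/{ssh_target.lower()}@{REALM}"


def server_principal(from_socket: bool, local_addr: str,
                     hostname: str = GETHOSTNAME,
                     reverse_map: dict = REVERSE_MAP) -> str:
    """Service principal sshd expects.

    from_socket=False : use the machine's hostname (old behaviour).
    from_socket=True  : derive the name from the local address of the
                        connection (ServerPrincipalFromSocket yes).
    """
    if from_socket:
        name = reverse_map.get(local_addr)
        if name is None:
            # No reverse mapping: there is no sensible principal to try.
            raise LookupError(f"no reverse mapping for {local_addr}")
    else:
        name = hostname
    return f"host/{name.lower()}@{REALM}"


def auth_outcome(ssh_target: str, local_addr: str, from_socket: bool) -> str:
    """'OK' if the principal in the client's AP-REQ is the one sshd
    expects, else 'fail'.  Real Kerberos decides this by whether sshd
    can decrypt the ticket with the key for its chosen principal; the
    string comparison models that."""
    want = server_principal(from_socket, local_addr)
    got = client_principal(ssh_target)
    return "OK" if got == want else "fail"


def table() -> list:
    """Reproduce the four rows of the message's table as tuples:
    (ssh to, AP-REQ, [1], sshd expects, result)."""
    cases = (("a.company.com", "192.0.2.1"), ("b.company.com", "192.0.2.2"))
    rows = []
    for from_socket in (False, True):
        for target, addr in cases:
            rows.append((target,
                         client_principal(target),
                         "yes" if from_socket else "no",
                         server_principal(from_socket, addr),
                         auth_outcome(target, addr, from_socket)))
    return rows


if __name__ == "__main__":
    for row in table():
        print("  ".join(row))
```

Only the second row fails: the client asked for b.company.com, so its
ticket is for host/b.company.com, while sshd, going by gethostname(),
only tries host/a.company.com.  With the socket-derived name every
address the host answers on gets the matching principal.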
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010716071825.E10944>