Re: patch to gssapi server authentication to accept any server

[Derek R. Price]

Assar Westerlund wrote:

> "Derek R. Price" <address@hidden> writes:
> > > Not at all.  Before, you had to have a key for address@hidden(), but
> > > now any key stored in /etc/krb5.keytab can be used for
> > > authentication.  What worked before still works, and it is simpler for
> > > people with multihomed servers and such.
> >
> > Might this be perceived as a loss of functionality to some people, or
> > perhaps less secure?
>
> I don't see how it could be seen as a loss of functionality.  It might
> however, for some people be seen as a change in functionality.  I've
> cooked up a new patch that should even make those picky people happy.
> Instead of only accepting authentication for address@hidden() which
> was the old way it now accepts authentication for any address@hidden  This
> should make things work for multi-homed servers and not change the
> functionality in any perceived way.  Any comments on this patch?

Please excuse my light grounding in Kerberos, but could you enlighten me a
little further as to the reasons behind this and the possible repercussions?
What, exactly is a multi-homed server?  Also, what is preventing me from
setting up Kerberos on my own outside server (say, kdc.priuvate.org), using
kinit to grant myself a token for address@hidden on my current machine
(say, work.big.com), then using that (previously invalid) token to grant
myself access to the local cvs server (cvs.big.com)?

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden     OpenAvenue ( http://OpenAvenue.com )
--
We have plenty of youth, how about a fountain of smart?