info-cvs

Re: patch to gssapi server authentication to accept any server


From: Assar Westerlund
Subject: Re: patch to gssapi server authentication to accept any server
Date: 01 Mar 2001 23:27:55 +0100
User-agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6

"Derek R. Price" <address@hidden> writes:
> Please excuse my light grounding in Kerberos, but could you enlighten me a
> little further as to the reasons behind this and the possible repercussions?

Sure.

> What, exactly is a multi-homed server?

In this context, simply a machine running a cvs server that has
multiple interfaces.

Assume that you have a machine called 'foo.example.com' (this is the
value returned by `hostname'), that has several interfaces.  These
interfaces (or really, the addresses of them) can have different names
in DNS, let us suppose there is one that has the forwards and
backwards mapping of 'foo.example.com' and one for 'bar.example.com'.
There is a kerberos realm EXAMPLE.COM.

When running a CVS client with gss-api authentication against this
server, it is equally valid to use a CVSROOT of
:gserver:foo.example.com:/bla and :gserver:bar.example.com:/bla.
Since kerberos tickets are service-specific, a client might get one
for cvs/address@hidden or for
cvs/address@hidden  

With the old code, the server would always be expecting a ticket to be
for cvs/gethostname(), which obviously doesn't work if the client is
using a CVSROOT of :gserver:bar.example.com:/bla.

The way that the kerberos authentication works is that the server will
have a number of keys stored in a file (typically /etc/krb5.keytab) and
will verify that the tickets are correct against these keys.

My patch makes the server verify that the ticket it gets is for one of
the keys stored in that file and that it's named 'cvs/'.

> Also, what is preventing me from setting up Kerberos on my own
> outside server (say, kdc.priuvate.org), using kinit to grant myself
> a token for address@hidden on my current machine (say,
> work.big.com), then using that (previously invalid) token to grant
> myself access to the local cvs server (cvs.big.com)?

That the cvs server at cvs.big.com will only accept tickets that are
for keys that are stored in /etc/krb5.keytab.

I hope this makes it clearer.

/assar
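The acceptance rule Assar describes, modelled as an added example (this is not the CVS patch or its code): the keytab contents and principal names are constructed, and the cryptographic verification of the ticket against the key is left out so that only the naming policy before and after the patch is shown.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal of the form service/instance@REALM."""
    service: str
    instance: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep or not realm:
            raise ValueError(f"principal without realm: {text!r}")
        service, sep, instance = name.partition("/")
        if not sep or not service or not instance:
            raise ValueError(f"expected service/instance: {text!r}")
        return cls(service, instance, realm)


# Constructed sample keytab for the multi-homed host: gethostname() says
# foo.example.com, but the same machine also answers as bar.example.com.
HOSTNAME = "foo.example.com"
KEYTAB = frozenset(Principal.parse(p) for p in (
    "cvs/foo.example.com@EXAMPLE.COM",
    "cvs/bar.example.com@EXAMPLE.COM",
    "host/foo.example.com@EXAMPLE.COM",
))


def old_check(ticket_for: str) -> bool:
    """Pre-patch rule: the ticket must be for cvs/<gethostname()>."""
    p = Principal.parse(ticket_for)
    return p in KEYTAB and p.service == "cvs" and p.instance == HOSTNAME


def new_check(ticket_for: str) -> bool:
    """Patched rule: any principal the server holds a key for, provided it
    is cvs/...  A ticket from an outside KDC fails: no key for it is held."""
    p = Principal.parse(ticket_for)
    return p in KEYTAB and p.service == "cvs"


if __name__ == "__main__":
    for t in ("cvs/foo.example.com@EXAMPLE.COM",   # plain hostname
              "cvs/bar.example.com@EXAMPLE.COM",   # second interface
              "host/foo.example.com@EXAMPLE.COM",  # key held, wrong service
              "cvs/foo.example.com@PRIVATE.ORG"):  # outside realm, no key
        print(f"{t:36} old={old_check(t)!s:5} new={new_check(t)}")
```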


