acceptor


acceptor

Victor Sudakov-2
Colleagues,

Is there a generic way for a kerberized server to configure which
acceptor principal it will use from the keytab? Why is it so that e.g.
sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
Is it configured somewhere or hardcoded in the source? What if I
wanted sshd to use a "ssh/foo" principal?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: acceptor

Greg Hudson
On Tue, 2011-01-25 at 23:16 -0500, Victor Sudakov wrote:
> Colleagues,
>
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g.
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?

The choice of service principal is primarily made by the client.
Typically the first component is determined by the application protocol.

Servers can also designate a principal name, but they have no control
over the principal name used by the client.  Because it's not easy to
know the hostname of the service principal chosen by the client in many
scenarios, server implementations are tending in the direction of
accepting requests for any service principal in the keytab.  If a server
does designate a principal name, there's no generic configuration
mechanism; it's up to the server code.



Re: acceptor

Brian Candler
On Wed, Jan 26, 2011 at 04:16:54AM +0000, Victor Sudakov wrote:
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g.
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?

AFAIK, it's a parameter to gss_acquire_cred(). You might find this patch
from Russ Allbery a starting point:

http://bugzilla.cyrusimap.org/show_bug.cgi?id=3380

(which passes NO_NAME, which means that any key in the keytab which is
capable of decrypting the ticket is acceptable)

Looking at openssh source[*], check out ssh_gssapi_acquire_cred (gss-serv.c)
which calls ssh_gssapi_import_name (gss-genr.c).  It looks like it's
hardcoded to "host@<hostname>" which in turn is translated into
host/<hostname> by GSSAPI.

However, you can also see that if you turn off options.gss_strict_acceptor
then it also passes NO_NAME, and hence uses any suitable keytab entry.

Regards,

Brian.

[*] I'm looking at the source from "apt-get source openssh-server" in Ubuntu
10.10, which is openssh-5.5p1 with a lot of Debian-applied patches

Re: acceptor

Victor Sudakov-2
Greg Hudson wrote:
> >
> > Is there a generic way for a kerberized server to configure which
> > acceptor principal it will use from the keytab? Why is it so that e.g.
> > sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> > Is it configured somewhere or hardcoded in the source? What if I
> > wanted sshd to use a "ssh/foo" principal?

> The choice of service principal is primarily made by the client.
> Typically the first component is determined by the application protocol.

Do you mean that the server will look up in the keytab whatever
principal the client has sent? So if I want a different principal
name, I should configure the client rather than the server?


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Re: acceptor

Greg Hudson
On Wed, 2011-01-26 at 23:42 -0500, Victor Sudakov wrote:
> Do you mean that the server will look up in the keytab whatever
> principal the client has sent?

That depends on how the server code invokes the relevant library
routines.  The caller can provide a principal name (or a GSSAPI name
which is mapped onto a principal name), in which case only service
tickets for that principal will be accepted.  If the server does not
provide a principal name, then any service principal in the keytab will
be accepted.

OpenSSH, for instance, will typically only accept the service principal
host/localhostname@DEFAULTREALM in the default configuration.  However,
if you set GSSStrictAcceptorCheck no (this requires Simon's patch, which
is included in most OS packagings of OpenSSH), then any service
principal in the keytab will be accepted.

> So if I want a different principal
> name, I should configure the client rather than the server?

Typically clients do not allow configuration of this principal name, but
yes, you'd have to somehow convince the client as well as possibly the
server.


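Added example (not code from the thread, from MIT Kerberos, OpenSSH or Cyrus): a small model of the two acceptor behaviours Brian and Greg describe, namely a fixed acceptor name derived from GSS_C_NT_HOSTBASED_SERVICE "host@<hostname>" versus GSS_C_NO_NAME, applied to the entries of a keytab. So that it runs offline, the keytab is constructed inline using the MIT 0x0502 keytab file layout (an assumption about the on-disk format, which the thread itself does not describe), and the "ticket" is just the server principal name the client chose. The principal names, realm and dummy keys are invented; the hostname mapping only lowercases the host and skips the DNS canonicalisation a real GSSAPI library may do.

```python
"""Acceptor-name selection modelled against a keytab (constructed example;
not code from MIT Kerberos, OpenSSH, Cyrus or any poster in this thread).

Keytab bytes are built inline in the assumed MIT 0x0502 layout:
  int32 size | uint16 ncomp | realm | comps... | uint32 name_type |
  uint32 timestamp | uint8 vno8 | uint16 enctype | key | [uint32 vno32]
A negative size marks a deleted slot of that many bytes.
"""
import struct
from typing import List, Optional, Tuple

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_SRV_HST = 3                   # name type for service/host principals
Entry = Tuple[str, int, int, bytes]   # (principal, kvno, enctype, key)


def _cos(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cos(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[Entry]) -> bytes:
    """Serialise entries as a keytab (timestamp fixed at 0)."""
    out = bytearray(KEYTAB_MAGIC)
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)              # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes) -> List[Entry]:
    """Parse a 0x0502 keytab, skipping deleted (negative-size) slots."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                 # deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_cos(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(blob, pos)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        (enctype,) = struct.unpack_from(">H", blob, pos + 9)
        key, pos = _read_cos(blob, pos + 11)
        kvno = vno8
        if end - pos >= 4:                           # 32-bit vno present
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def hostbased_to_principal(gss_name: str, default_realm: str) -> str:
    """GSS_C_NT_HOSTBASED_SERVICE 'service@host' -> 'service/host@REALM'.
    Real GSSAPI may also canonicalise the host via DNS; only lowercased here."""
    service, host = gss_name.split("@", 1)
    return f"{service}/{host.lower()}@{default_realm}"


def acceptor_keys(keytab: List[Entry], ticket_sname: str,
                  acceptor: Optional[str]) -> List[Entry]:
    """Keytab entries the acceptor would try against a ticket for ticket_sname.

    acceptor=None models GSS_C_NO_NAME: any keytab entry for the principal the
    client put in the ticket is usable. A specific acceptor name (the strict
    sshd case, host@<localhostname>) restricts acceptance to that principal."""
    if acceptor is not None and acceptor != ticket_sname:
        return []
    return [e for e in keytab if e[0] == ticket_sname]


def sample_keytab() -> bytes:
    """Constructed keytab: two live entries with a deleted slot between them.
    Keys are all-zero placeholders, not real Kerberos keys."""
    a = build_keytab([("host/foo.example.com@EXAMPLE.COM", 3, 18, bytes(32))])
    b = build_keytab([("svn/foo.example.com@EXAMPLE.COM", 1, 17, bytes(16))])
    deleted = struct.pack(">i", -8) + bytes(8)       # unused 8-byte slot
    return a + deleted + b[len(KEYTAB_MAGIC):]


if __name__ == "__main__":
    kt = parse_keytab(sample_keytab())
    strict = hostbased_to_principal("host@foo", "EXAMPLE.COM")  # short hostname
    ticket = "host/foo.example.com@EXAMPLE.COM"                   # client used FQDN
    print("strict acceptor:", acceptor_keys(kt, ticket, strict))
    print("GSS_C_NO_NAME: ", acceptor_keys(kt, ticket, None))
```

The scenario in the `__main__` block is the one Greg alludes to: the client built its name from the FQDN, the server's strict acceptor name came from a short hostname, so the strict acceptor finds nothing even though the matching key sits in the keytab, while the GSS_C_NO_NAME acceptor uses it. The same function also shows why a client asking for svn/foo or ssh/foo is only ever accepted if that principal's key is in the keytab and the server is not pinned to host/.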