Re: patch to gssapi server authentication to accept any server
From: Assar Westerlund
Subject: Re: patch to gssapi server authentication to accept any server
Date: 02 Mar 2001 18:02:54 +0100
User-agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6

"Derek R. Price" <address@hidden> writes:
> Yeah, it does. I want to get Kerberos set up here so I can do some testing
> before I check things in, but it should go in. It'll probably be a few weeks
> since I'm going to be on vacation next week.
ok. Have a nice vacation.
> A few more questions for my personal edification, though:
>
> Is the "cvs" portion of the "cvs/address@hidden" that the server verifies all
> that prevents the client from obtaining a ticket for, say,
> "telnet/address@hidden" and using that to access CVS?
Yes, if that check wasn't there, any key that was in /etc/krb5.keytab
would be possible to use. And it's actually
host/address@hidden for telnet and other services.
> Is it possible for the Kerberos server to grant a ticket to the CVS client
> (assumedly through the CVS server) for anything other than
> "cvs/<somehost>@EXAMPLE.COM"? In what cases?
Yes, the Kerberos server gives you tickets for anything you like. You
would of course have to hack the client to do that, and any ticket
that the server can verify against the locally stored keys in
/etc/krb5.keytab should authenticate the user. The reason for having
that check is that people might want to add attributes to cvs/
principals.
/assar
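
The service-name check discussed in this message, sketched as an added example (not part of the original mail and not CVS's own code). It assumes the server already has the acceptor principal as a display string, for instance from gss_display_name(); `acceptor_is_service`, `first_component` and the host names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the first component of "service/host@REALM". A backslash
 * escapes the next character, so "\/" does not end the component.
 * *sep receives the unescaped terminator: '/', '@' or '\0'. */
static size_t first_component(const char *princ, char *sep)
{
    size_t i = 0;
    while (princ[i] != '\0' && princ[i] != '/' && princ[i] != '@') {
        if (princ[i] == '\\' && princ[i + 1] != '\0')
            i++;                     /* skip the escaped character */
        i++;
    }
    *sep = princ[i];
    return i;
}

/* Return 1 only when the principal the ticket was issued for is
 * <service>/<non-empty instance>. Any other key in the keytab
 * (host/..., a longer name that merely starts with "cvs") is refused. */
int acceptor_is_service(const char *princ, const char *service)
{
    char sep;
    size_t n;

    if (princ == NULL || service == NULL)
        return 0;
    n = first_component(princ, &sep);
    if (sep != '/')                  /* single-component name */
        return 0;
    if (n != strlen(service) || memcmp(princ, service, n) != 0)
        return 0;                    /* exact match, not a prefix match */
    return princ[n + 1] != '\0' && princ[n + 1] != '@';
}

int main(void)
{
    /* Constructed sample principals, not taken from the thread. */
    const char *samples[] = {
        "cvs/cvs.example.com@EXAMPLE.COM",
        "host/cvs.example.com@EXAMPLE.COM",
        "cvsadmin/cvs.example.com@EXAMPLE.COM",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i],
               acceptor_is_service(samples[i], "cvs") ? "accept" : "reject");
    return 0;
}
```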