Hi Timo, Richard,
On Tue, 2007-11-13 at 14:16 -0800, Richard A Nelson wrote:

SSH recently added this enhancement to address this common need:

GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. If “yes” then the client must authenticate against the host service on the current hostname. If “no” then the client may authenticate against any service key stored in the machine’s default store. This facility is provided to assist with operation on multi homed machines. The default is “yes”. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it to “no” may only work with recent Kerberos GSSAPI libraries.

On Mon, 2007-11-26 at 15:54 +0200, Timo Sirainen wrote:

Somehow this doesn't sound like a very good idea. I'm a bit curious as to why you would want to be strict about this - is this serving multiple realms?

I've heard that other daemons support multi-names by, instead of using gethostname(), obtaining the hostname of the interface that the request came in on. I guess this would mean a PTR DNS lookup for the local IP? I've wanted to avoid DNS lookups in Dovecot so far, but proxying would also want to use them. Perhaps we can just do this in case the option equivalent to GSSAPIStrictAcceptorCheck is enabled, or perhaps some other option to enable gssapi multi-homing?

I guess blocking DNS lookups for local IPs should be pretty safe and fast. Perhaps a new %D variable modifier, so you could do auth_gssapi_hostname = %Dl. Since these shouldn't be used for remote lookups, Dovecot could also cache them (with upper limit 100 or something).

Yeah, that would make sense I think.
Cheers,
Jelmer
Jelmer Vernooij <jelmer@samba.org> - http://samba.org/~jelmer/
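As an added worked model of the two ideas in the thread above (this is illustration written for this page, not Dovecot or OpenSSH code): the strict-versus-lax acceptor check that the GSSAPIStrictAcceptorCheck text describes, and Timo's proposal to derive the acceptor hostname from the address of the local interface the connection arrived on, with a bounded cache of those lookups. The keytab contents and reverse-DNS table are constructed sample data; check_acceptor, LocalNameCache and acceptor_principal_for_connection are hypothetical names, and the %Dl variable is only the syntax proposed in the thread, not an existing Dovecot setting.

```python
"""Model of GSSAPI acceptor-name selection on a multi-homed mail host.

Added illustration, not Dovecot or OpenSSH code. The keytab and PTR tables
below are constructed sample data.
"""
import socket
from collections import OrderedDict
from typing import Callable, Dict, Set

# Constructed keytab for one host reachable as mail1 and mail2 (set of principals).
SAMPLE_KEYTAB: Set[str] = {
    "imap/mail1.example.com@EXAMPLE.COM",
    "imap/mail2.example.com@EXAMPLE.COM",
}

# Constructed reverse-DNS data for the host's two interface addresses.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mail1.example.com",
    "192.0.2.11": "mail2.example.com",
}


def check_acceptor(requested: str, keytab: Set[str], strict: bool,
                   local_principal: str) -> bool:
    """Decide whether the principal a client targeted is an acceptable acceptor.

    strict=True mirrors GSSAPIStrictAcceptorCheck=yes: only the principal built
    from this host's own name (local_principal) is accepted.
    strict=False mirrors =no: any principal with a key in the keytab is
    accepted, which is what lets one daemon serve several hostnames.
    Either way a key for the requested principal must exist; without one the
    acceptor could not decrypt the service ticket in the first place.
    """
    if requested not in keytab:
        return False
    if strict:
        return requested == local_principal
    return True


class LocalNameCache:
    """Bounded cache of local-IP -> hostname lookups.

    Models resolving the local interface address (the proposed %Dl) and
    caching the answer with an upper limit; the least recently used entry
    is evicted once the limit is exceeded.
    """

    def __init__(self, resolver: Callable[[str], str], limit: int = 100) -> None:
        self._resolver = resolver
        self._limit = limit
        self._cache = OrderedDict()
        self.lookups = 0  # number of times the resolver was actually called

    def __len__(self) -> int:
        return len(self._cache)

    def hostname(self, local_ip: str) -> str:
        if local_ip in self._cache:
            self._cache.move_to_end(local_ip)
            return self._cache[local_ip]
        self.lookups += 1
        name = self._resolver(local_ip)
        self._cache[local_ip] = name
        if len(self._cache) > self._limit:
            self._cache.popitem(last=False)
        return name


def system_ptr_lookup(local_ip: str) -> str:
    """Real PTR lookup through the OS resolver, for use outside the offline demo."""
    return socket.gethostbyaddr(local_ip)[0]


def acceptor_principal_for_connection(local_ip: str, service: str, realm: str,
                                      cache: LocalNameCache) -> str:
    """Build the acceptor principal for a connection that arrived on local_ip."""
    return f"{service}/{cache.hostname(local_ip)}@{realm}"


def demo() -> Dict[str, object]:
    """Run both policies against the sample data and return the outcomes."""
    cache = LocalNameCache(lambda ip: SAMPLE_PTR[ip], limit=100)
    own_name = "imap/mail1.example.com@EXAMPLE.COM"   # what gethostname() would give
    target = "imap/mail2.example.com@EXAMPLE.COM"     # what a client of mail2 asks for
    return {
        "strict_accepts_mail2": check_acceptor(target, SAMPLE_KEYTAB, True, own_name),
        "lax_accepts_mail2": check_acceptor(target, SAMPLE_KEYTAB, False, own_name),
        "per_interface_principal": acceptor_principal_for_connection(
            "192.0.2.11", "imap", "EXAMPLE.COM", cache),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One point worth noting about the lax mode, which is my reasoning rather than something the thread states: relaxing the acceptor check does not let a client authenticate to a name the server does not own, because the server still needs the matching key from its own keytab to decrypt the ticket. The same applies to the PTR-derived name: a wrong or spoofed reverse record can at worst select another name the host already holds a key for, otherwise authentication simply fails, which is why caching those local lookups is a performance question rather than a trust one.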