14 Nov 2007, 12:16 a.m.
The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed for multi-homed (or multi-domained) sites.
SSH recently added this enhancement to address this common need:
GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
against. If “yes” then the client must authenticate against the host service on the current hostname.
If “no” then the client may authenticate against any service key stored in the machine’s default
store. This facility is provided to assist with operation on multi homed machines. The default is
“yes”. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it
to “no” may only work with recent Kerberos GSSAPI libraries.
I've heard that other daemons support multiple names by, instead of using gethostname(), obtaining the hostname of the interface that the request came in on.
Can either approach be looked at for Dovecot?
Thanks,
Richard A Nelson (Rick)
cowboy@((linux.)?vnet|us).ibm.com
Phone: 1-408-463-5584
Fax: 1-408-463-3873
COBOL Development
IBM Silicon Valley Laboratory
http://www.ibm.com/software/awdtools/cobol/
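The three acceptor-name policies mentioned in the message above, modelled as an added example; this is not code from the post, from OpenSSH or from Dovecot. The keytab contents, hostnames and address-to-name table are constructed sample data, and the policy labels "strict", "any" and "interface" are names chosen for this example.

```python
import socket

# Constructed sample data: a multi-homed mail server known under two names.
KEYTAB = {"imap/mail.example.org", "imap/mail.example.net", "host/node1.example.org"}
SYSTEM_HOSTNAME = "node1.example.org"  # stands in for what gethostname() returns
REVERSE = {"192.0.2.10": "mail.example.org", "198.51.100.10": "mail.example.net"}


def local_address(conn):
    """IP address of the local interface this connection arrived on."""
    return conn.getsockname()[0]


def acceptable_principals(policy, service, local_ip=None):
    """Service principals the acceptor would take a ticket for under a policy."""
    if policy == "strict":       # the service on the current hostname only
        wanted = {f"{service}/{SYSTEM_HOSTNAME}"}
    elif policy == "any":        # any service key in the default store
        return set(KEYTAB)
    elif policy == "interface":  # name of the interface the request came in on
        name = REVERSE.get(local_ip)
        wanted = {f"{service}/{name}"} if name else set()
    else:
        raise ValueError(f"unknown policy: {policy}")
    return wanted & KEYTAB       # without a matching key nothing is accepted


def loopback_demo():
    """Show that getsockname() on an accepted socket yields the arrival address."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()) as cli:
            conn, _ = srv.accept()
            with conn:
                return local_address(conn)


if __name__ == "__main__":
    for policy in ("strict", "any", "interface"):
        print(policy, sorted(acceptable_principals(policy, "imap", "192.0.2.10")))
    print("arrived on", loopback_demo())
```

In this model the "any" policy also accepts the host/ key, so every key in the default store becomes a valid acceptor identity for the daemon; the "interface" policy keeps the accepted set to one principal per connection.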