cyrusimap / cyrus-sasl


[PATCH] GSSAPI accept ticket for any key in keytab #337

Open brong opened 13 years ago

brong commented 13 years ago

From: Brian Candler
Bugzilla-Id: 3380
Version: 2.1.x
Owner: Ken Murchison

brong commented 13 years ago

From: Brian Candler

The following one-line patch from Russ Allbery[1] is a local patch they use at Stanford.

--- a/plugins/gssapi.c +++ b/plugins/gssapi.c @@ -693,7 +693,7 @@ gssapi_server_mech_step(void *conn_context,

        GSS_LOCK_MUTEX(params->utils);
        maj_stat = gss_acquire_cred(&min_stat,
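Review bot: the hunk is incomplete as posted: the header `@@ -693,7 +693,7 @@` announces a seven-line hunk with one line replaced, but only the two leading context lines (`GSS_LOCK_MUTEX(params->utils);` and `maj_stat = gss_acquire_cred(&min_stat,`) survive and the `-`/`+` lines are absent, so the actual change to the `gss_acquire_cred` call cannot be reviewed or applied from this page; please repost the full diff. Because the change alters which service principals the acceptor will authenticate for every deployment that builds this plugin, and the submitter's own discussion below notes sites that keep several keys in one keytab without wanting all of them accepted, it should be gated behind a plugin configuration option and called out in the release notes rather than applied unconditionally to the credential acquisition.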

The rationale: a modern, well-behaved Kerberos app should normally accept a ticket encrypted with any key in the keytab[2]. If not, it can cause problems with host aliases.

I raised the safety of this patch on the Kerberos mailing list[3] - please see the discussion there. The upshot is that this change is interoperable with other GSSAPI implementations, and in general it's a reasonable thing to do, but there may be some corner cases where for some reason people decide to keep two keys in the same keytab but don't want to allow authentication with both. If this is a worry then you could make it a configurable option.

[1] http://www.openldap.org/lists/openldap-technical/201012/msg00247.html
[2] http://mailman.mit.edu/pipermail/kerberos/2010-December/016797.html
[3] http://mailman.mit.edu/pipermail/kerberos/2010-December/016828.html
    http://mailman.mit.edu/pipermail/kerberos/2011-January/016833.html
    and other messages in this thread.
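As an added example (not code from this issue, the patch, or the cyrus-sasl project), the following Python builds a small constructed MIT-format keytab holding two service principals for the same host, the host-alias case the issue describes, parses it back, and models the two acceptor policies under discussion: credentials acquired for one fixed service name, versus accepting any principal for which the keytab holds a key (what acquiring acceptor credentials with GSS_C_NO_NAME gives you in MIT Kerberos; that detail is not visible in the truncated hunk and is stated here as background, not taken from the page). The realm, principal names and key bytes are made up; the policy model compares principal names only and performs no Kerberos decryption.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not from any real deployment): one host reachable as
# mail.example.com and imap.example.com, with a service key for each name.
REALM = "EXAMPLE.COM"
SAMPLE_PRINCIPALS = [
    ("imap/mail.example.com", 17),   # enctype 17 = aes128-cts-hmac-sha1-96
    ("imap/imap.example.com", 18),   # enctype 18 = aes256-cts-hmac-sha1-96
]


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "imap/mail.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int


def _counted(b: bytes) -> bytes:
    """MIT keytab counted octet string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principals: List[Tuple[str, int]], realm: str = REALM, kvno: int = 1) -> bytes:
    """Serialize a minimal keytab in MIT format version 0x0502 with dummy key bytes."""
    out = b"\x05\x02"
    for name, enctype in principals:
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type KRB5_NT_PRINCIPAL (1), timestamp, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno)
        key = b"\xaa" * (16 if enctype == 17 else 32)   # constructed dummy key material
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body       # entry size prefix
    return out


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab into (principal, kvno, enctype) entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)   # key bytes are not needed for this model
        kvno = vno8
        if end - pos >= 4:                     # optional 32-bit kvno trailer
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def acceptor_accepts(entries: List[KeytabEntry], ticket_sprinc: str,
                     acceptor_name: Optional[str]) -> bool:
    """Name-level model of the acceptor's check (no decryption performed).

    acceptor_name given -> classic behaviour: credentials were acquired for one
                           service name, so only a ticket for that principal works.
    acceptor_name None  -> the behaviour proposed in the issue: any principal with
                           a key in the keytab is accepted.
    """
    if not any(e.principal == ticket_sprinc for e in entries):
        return False                 # no key at all for this principal
    return acceptor_name is None or ticket_sprinc == acceptor_name


if __name__ == "__main__":
    kt = parse_keytab(build_keytab(SAMPLE_PRINCIPALS))
    alias = "imap/imap.example.com@" + REALM
    print("strict:", acceptor_accepts(kt, alias, "imap/mail.example.com@" + REALM))
    print("any key:", acceptor_accepts(kt, alias, None))
```

With credentials bound to `imap/mail.example.com`, a client that resolved the alias `imap.example.com` and obtained a ticket for `imap/imap.example.com` is rejected even though the key sits in the same keytab; with the any-key policy it is accepted. The same model also shows the corner case raised on the Kerberos list: a site that keeps two keys in one keytab but wants only one name to authenticate loses that restriction under the any-key policy, which is why a configuration switch is the safer way to ship the change.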