[krbdev.mit.edu #9137] kg_acceptor_princ behavior
Greg Hudson via RT
rt at kerborg-prod-app-1.mit.edu
Sat Aug 24 02:41:34 EDT 2024
<URL: http://mv.ezproxy.com.ezproxyberklee.flo.org/rt/Ticket/Display.html?id=9137 >
This does not read like a bug report. Requests for clarification about parts
of the MIT krb5 code should be sent to krbdev at mit.edu, not to
krb5-bugs at mit.edu, and should ideally come with more details and less venting.
For more information about that comment, see
https://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names and
https://github.com/krb5/krb5/commit/66587fcd6380eac2c53674df4f64a827d337aee5.
Since then we have also implemented
support for dns_canonicalize_hostname=fallback; if that is set, the acceptor
will match the originally provided hostname or the canonicalized hostname.
If the preferred behavior is not to restrict the hostname part of the acceptor
principal except to what is in the keytab, either the acceptor code should
import a service name with no hostname part (like "HTTP" instead of
"HTTP@myhostname"), or krb5.conf should contain ignore_acceptor_hostname=true.
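
The matching rules described in the message above, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model: the function names, the sample keytab and the canonical hostname are constructed for illustration, and the non-fallback branch (match only the canonicalized hostname) is an assumption the message implies but does not state.

```python
# Simplified model (added example, not MIT krb5 code) of which keytab
# entries an acceptor name allows, following the rules in the message above.

def split_principal(princ):
    """Split 'service/host@REALM' into (service, host); the realm is ignored."""
    name = princ.split("@", 1)[0]
    service, _, host = name.partition("/")
    return service, host

def allowed_entries(acceptor_name, keytab, canon=None,
                    fallback=False, ignore_acceptor_hostname=False):
    """Return the keytab principals the acceptor would accept tickets for.

    acceptor_name: 'HTTP' or 'HTTP@myhostname' (host-based service@host form).
    canon: hypothetical canonicalized hostname supplied by the caller; this
           model performs no DNS lookups.
    """
    service, _, host = acceptor_name.partition("@")
    if ignore_acceptor_hostname or not host:
        hosts = None                      # hostname part is unrestricted
    elif fallback:
        hosts = {host, canon or host}     # original or canonicalized name
    else:
        hosts = {canon or host}           # assumed default: canonical form only
    result = []
    for princ in keytab:
        svc, h = split_principal(princ)
        if svc == service and (hosts is None or h in hosts):
            result.append(princ)
    return result

# Constructed sample keytab contents (not taken from the ticket).
KEYTAB = [
    "HTTP/myhostname@EXAMPLE.COM",
    "HTTP/myhostname.example.com@EXAMPLE.COM",
    "HTTP/alias.example.com@EXAMPLE.COM",
    "host/myhostname.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    canon = "myhostname.example.com"      # constructed canonical name
    print("default ", allowed_entries("HTTP@myhostname", KEYTAB, canon=canon))
    print("fallback", allowed_entries("HTTP@myhostname", KEYTAB, canon=canon,
                                      fallback=True))
    print("ignore  ", allowed_entries("HTTP@myhostname", KEYTAB, canon=canon,
                                      ignore_acceptor_hostname=True))
    print("no host ", allowed_entries("HTTP", KEYTAB))
```

In this model, both ways of lifting the hostname restriction leave every HTTP key in the keytab acceptable, so the keytab contents become the only limit on which service identities the acceptor answers for.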