Improve acceptor name flexibility

Be more flexible about the principal names we will accept for a given
GSS acceptor name.  Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.

Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result.  This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.

The project proposal for this change is at:

http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names

ticket: 6855

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 9 insertions, 0 deletions

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 5051b5d3f..427f64eca 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -470,6 +470,15 @@ Sets the maximum allowable amount of clockskew in seconds that the
 library  will tolerate before assuming that a Kerberos message is
 invalid.  The default value is @value{DefaultClockskew}.
 
+@itemx ignore_acceptor_hostname
+When accepting GSSAPI or krb5 security contexts for host-based service
+principals, ignore any hostname passed by the calling application and
+allow any service principal present in the keytab which matches the
+service name and realm name (if given).  This option can improve
+the administrative flexibility of server applications multi-homed hosts,
+but can compromise the security of virtual hosting environments.  The
+default value is false.
+
 @itemx k5login_authoritative
 If the value of this relation is true (the default), principals must
 be listed in a local user's k5login file to be granted login access,