Improve acceptor name flexibility

Be more flexible about the principal names we will accept for a given
GSS acceptor name.  Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.

Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result.  This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.

The project proposal for this change is at:

http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names

ticket: 6855

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 9 insertions, 0 deletions

diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index df62d4d52..b04d6efd6 100644
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -155,6 +155,15 @@ This relation sets the maximum allowable amount of clockskew in seconds
 that the library will tolerate before assuming that a Kerberos message
 is invalid.  The default value is 300 seconds, or five minutes.
 
+.IP ignore_acceptor_hostname
+When accepting GSSAPI or krb5 security contexts for host-based service
+principals, ignore any hostname passed by the calling application and
+allow any service principal present in the keytab which matches the
+service name and realm name (if given).  This option can improve the
+administrative flexibility of server applications on multi-homed
+hosts, but can compromise the security of virtual hosting
+environments.  The default value is false.
+
 .IP k5login_authoritative
 If the value of this relation is true (the default), principals must
 be listed in a local user's k5login file to be granted login access,