[27234] in Kerberos

home help back first fref pref prev next nref lref last post

SSH with Multiple Interfaces

daemon@ATHENA.MIT.EDU (Edward Murrell)
Thu Jan 18 16:40:49 2007

Message-ID: <45AFE64E.3020209@dlconsulting.com>
Date: Fri, 19 Jan 2007 10:27:42 +1300
From: Edward Murrell <edward@dlconsulting.com>
MIME-Version: 1.0
To: kerberos@mit.edu
X-SA-Exim-Mail-From: edward@dlconsulting.com
Reply-To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi there,

I've currently fighting issues with a couple of multi-homed hosts on my
network here.
I've read the FAQ on this subject, and I'm still not sure what to do.

http://www.faqs.org/faqs/kerberos-faq/general/section-47.html

The problem stems from the fact that our the host in question resides on
both an internal (10.0.0.0/8) and external network (general internet),
and has two host names associated with it;

34.88.99.100      foogazzi.example.com
10.0.0.1      foogazzi.office.example.com

The office.example.com domain is obviously not generally accessible to
the outside world. The principle application here is SSH, which will
account for about 99% of the Kerberos enabled traffic. SSH appears to
have some very large issues with multiple interfaces and SSH.

If I set the DNS and Reverse DNS to correctly return the above values
and add both host/principles to the key  as you would expect, and tell
the server that it's hostname is foogazzi.example.com, I get some
interesting results.

Logging in from the outside works fine.

Logging in from the internal LAN does the following;

    edward@coughdrop:~$ ssh foogazzi.office.example.com
    Disconnecting: Protocol error: didn't expect packet type 34

Essentially, the server complains that the client has handed it the
ticket for the wrong host, and has bailed out.

The other option I've tried is to tell the RDNS for the internal IP to
return the external name. Eg;
    10.0.0.1 => foogazzi.example.com

However, this gives me the following output;

    edward@black ~ $ ssh foogazzi.office.example.com
    Address 10.0.0.1 maps to foogazzi.example.com but this does not map
back to the address - POSSIBLE BREAKIN ATTEMPT!
    Password:

D'oh.

Any suggestions?

Regards
Edward Murrell



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
home help back first fref pref prev next nref lref last post