[28819] in Kerberos
Re: Disabling reverse dns lookups
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Nov 30 12:25:49 2007
From: Sam Hartman <hartmans@mit.edu>
To: "Andrew Cobaugh" <phalenor@gmail.com>
Date: Fri, 30 Nov 2007 12:25:23 -0500
In-Reply-To: <1b8d56200711282356n5fbb00d3q86dd0237196169d9@mail.gmail.com>
(Andrew Cobaugh's message of "Thu, 29 Nov 2007 02:56:58 -0500")
Message-ID: <tslsl2nwsqk.fsf@mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>>>>> "Andrew" == Andrew Cobaugh <phalenor@gmail.com> writes:
Andrew> I've seen this discussed before, but I'm having some
Andrew> trouble. My situation is that I have sshd behind a
Andrew> NAT. The public IP has an A record from one of my domain
Andrew> names, but I have no control over the PTR record, as this
Andrew> is a cable modem connection, so the ISP controls that.
Andrew> So, the client goes to do a reverse dns lookup on the IP
Andrew> address, and gets the PTR record provided by the ISP,
Andrew> which breaks gssapi-with-mic.
Andrew> I have tried setting "rdns = false" under [libdefaults] in
Andrew> /etc/krb5.conf on the client, yet this doesn't seem to
Andrew> have had any effect. I'm at a loss as to why.
Andrew> The client is Kerberos 1.6.2 (krb5-libs-1.6.2-9.fc8) on
Andrew> Fedora 8, sshd is on Solaris 10u3 with Kerberos 1.6, and
Andrew> KDC is also Kerberos 1.6.
Andrew> Any pointers to why the rdns setting isn't working are
Andrew> greatly appreciated.
There's some "magic" in the later ssh patches regarding this.
You need to set an ssh option as well.
GssapiTrustDNS no
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
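As an added illustration (not code from this thread or from MIT Kerberos), the Python model below shows why `rdns = false` in krb5.conf alone does not fix the situation Andrew describes. It assumes, as the reply hints, that the GSSAPI-patched ssh client with GSSAPITrustDNS yes canonicalizes the peer address through reverse DNS itself before Kerberos ever sees the name; the DNS records, realm and keytab are constructed for the example.

```python
# Added example: models service-principal canonicalization for ssh + Kerberos.
# All DNS data, the realm and the keytab below are constructed for illustration.
FORWARD = {                                        # A records
    "shell.example.org": "203.0.113.7",            # the user's own name for the NAT'd host
    "cpe-203-0-113-7.isp.example": "203.0.113.7",  # the ISP's generic name for the same IP
}
REVERSE = {"203.0.113.7": "cpe-203-0-113-7.isp.example"}  # PTR record, controlled by the ISP
REALM = "EXAMPLE.ORG"
# Keys the sshd host actually holds: only host/<its own name>.
SERVER_KEYTAB = {"host/shell.example.org@EXAMPLE.ORG"}


def krb5_canonicalize(hostname, rdns):
    """Mimic krb5_sname_to_principal(): forward-resolve the name, then, if
    rdns is on (the library default), replace it with the PTR name of the address."""
    addr = FORWARD.get(hostname.lower())
    if addr is None:
        raise LookupError(f"no A record for {hostname}")
    if rdns:
        return REVERSE.get(addr, hostname).lower()
    return hostname.lower()


def ssh_gss_target(hostname, gssapi_trust_dns, krb5_rdns):
    """Service principal the ssh client asks the KDC for.

    Assumption modelled here: with GSSAPITrustDNS yes, the patched ssh client
    canonicalizes the peer via reverse DNS *before* calling into Kerberos, so the
    krb5.conf rdns setting cannot undo that step."""
    if gssapi_trust_dns:
        hostname = krb5_canonicalize(hostname, rdns=True)
    host = krb5_canonicalize(hostname, krb5_rdns)
    return f"host/{host}@{REALM}"


def gssapi_auth_would_succeed(hostname, gssapi_trust_dns, krb5_rdns):
    """True only if the requested principal is one the server holds a key for."""
    return ssh_gss_target(hostname, gssapi_trust_dns, krb5_rdns) in SERVER_KEYTAB


if __name__ == "__main__":
    for trust_dns in (True, False):
        for rdns in (True, False):
            principal = ssh_gss_target("shell.example.org", trust_dns, rdns)
            verdict = "OK" if principal in SERVER_KEYTAB else "FAIL"
            print(f"GSSAPITrustDNS={'yes' if trust_dns else 'no'} rdns={rdns}: {principal} {verdict}")
```

Only the combination GSSAPITrustDNS no plus rdns = false yields host/shell.example.org@EXAMPLE.ORG, the one principal the server has a key for; every other combination asks for the ISP's PTR name and fails.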