[28831] in Kerberos
Re: Kerberos 5 and DNS aliases
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Sun Dec 2 03:53:35 2007
In-Reply-To: <fitjhi$pa1$1@relay.tomsk.ru>
Message-Id: <60091BB2-818A-4CB1-8C05-0818E07F980A@sxw.org.uk>
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 2 Dec 2007 08:52:32 +0000
To: Victor Sudakov <vas@mpeks.tomsk.su>
Cc: kerberos@mit.edu
On 2 Dec 2007, at 06:32, Victor Sudakov wrote:
>
> I have created a principal for each of the several names, and placed
> these principals' keys into the destination server's keytab. However
> when I try to ssh into this server, GSSAPI auth works only for one of
> these names, actually the name which is equal to the server's
> `hostname`.
> I can even choose which name will work, by changing the server's
> `hostname`. But only one name at a time will work.
The GSSAPI library is canonicalising the name passed to it, by doing
a forwards, then a reverse lookup in the DNS to obtain the fully
qualified hostname of the machine which you are connecting to. Recent
MIT releases provide a means of disabling this canonicalisation, but
I'm not sure about Heimdal.
Simon.
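
The forward-then-reverse lookup described in the reply above can be checked per alias with a small audit script. This is an added example, not part of the original message or of any Kerberos distribution; the host names, address, realm and keytab contents are constructed sample data, and the function names are hypothetical.

```python
import socket

def system_forward(name):
    """Forward lookup: first address the system resolver returns for name."""
    return socket.getaddrinfo(name, None)[0][4][0]

def system_reverse(addr):
    """Reverse lookup: host name the PTR record gives for addr."""
    return socket.gethostbyaddr(addr)[0]

def canonical_principal(name, realm, forward=system_forward,
                        reverse=system_reverse, service="host"):
    """Service principal a canonicalising client requests for `name`."""
    fqdn = reverse(forward(name)).rstrip(".").lower()
    return f"{service}/{fqdn}@{realm}"

def audit_aliases(aliases, realm, keytab, forward=system_forward,
                  reverse=system_reverse):
    """For each alias: the principal requested after canonicalisation,
    whether the keytab holds it, and whether the alias's own key is used."""
    report = {}
    for alias in aliases:
        requested = canonical_principal(alias, realm, forward, reverse)
        typed = f"host/{alias.lower()}@{realm}"
        report[alias] = {
            "requested": requested,
            "in_keytab": requested in keytab,
            "alias_key_used": requested == typed,
        }
    return report

# Constructed sample data: three names for one address, one PTR record.
SAMPLE_A = {n: "192.0.2.10" for n in
            ("srv1.example.test", "www.example.test", "mail.example.test")}
SAMPLE_PTR = {"192.0.2.10": "srv1.example.test."}
SAMPLE_REALM = "EXAMPLE.TEST"
SAMPLE_KEYTAB = {f"host/{n}@{SAMPLE_REALM}" for n in SAMPLE_A}

def sample_report():
    """Run the audit against the constructed DNS tables (no network)."""
    return audit_aliases(sorted(SAMPLE_A), SAMPLE_REALM, SAMPLE_KEYTAB,
                         forward=SAMPLE_A.__getitem__,
                         reverse=SAMPLE_PTR.__getitem__)

if __name__ == "__main__":
    for alias, row in sample_report().items():
        print(alias, row)
```

Calling `audit_aliases` without the `forward` and `reverse` arguments uses the system resolver instead of the constructed tables.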