
Re: Kerberos 5 and DNS aliases

daemon@ATHENA.MIT.EDU (Victor Sudakov)
Sun Dec 2 05:15:17 2007

From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Sun, 2 Dec 2007 09:51:23 +0000 (UTC)
Message-ID: <fitv6r$21i8$1@relay.tomsk.ru>
X-Complaints-To: noc@sibptus.tomsk.ru
X-Comment-To: Simon Wilkinson <simon@sxw.org.uk>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Simon Wilkinson wrote:
> >
> > I have created a principal for each of the several names, and placed
> > these principals' keys into the destination server's keytab. However
> > when I try to ssh into this server, GSSAPI auth works only for one of
> > these names, actually the name which is equal to the server's  
> > `hostname`.
> > I can even choose which name will work, by changing the server's
> > `hostname`. But only one name at a time will work.

> The GSSAPI library is canonicalising the name passed to it, by doing  
> a forwards, then a reverse lookup in the DNS to obtain the fully  
> qualified hostname of the machine which you are connecting to. 

If so, why does the available name depend on the `hostname` setting
without any change in the DNS?

> Recent  
> MIT releases provide a means of disabling this canonicalisation, but  
> I'm not sure about Heimdal.

Does an ssh client really pass any server name to sshd during GSSAPI
negotiation?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
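The two moving parts in the exchange above are the client-side canonicalization Simon describes (forward lookup, then reverse lookup, to get the hostname that goes into host/<fqdn>@REALM) and the server-side question of which principals in the keytab the acceptor will use. The following model, added here and not code from the thread, makes both concrete. The DNS zone, hostnames and realm are constructed; the two flags on `canonicalize` are named after the MIT krb5.conf [libdefaults] options `dns_canonicalize_hostname` and `rdns`, which control exactly these two lookups in current MIT releases. The acceptor is modelled two ways, one bound to a single principal derived from the local `hostname` and one that accepts any host/ key present in the keytab; neither is a claim about which library or version the poster was running. The server name is not an SSH-level parameter in this model: it travels as the service name of the Kerberos ticket inside the GSSAPI token, and the acceptor's choice of keytab entry is what makes a given name work or fail.

```python
"""Added example: a model of how a GSSAPI client picks the service principal
for host/<name>, and how a keytab-backed acceptor decides whether to accept it.
Not code from the thread; all DNS data, names and the realm are constructed."""
from typing import Dict, List, Optional, Set, Tuple

REALM = "EXAMPLE.COM"  # assumed realm for the constructed zone

# Constructed forward zone: value is "CNAME <target>" or "A <address>".
FORWARD: Dict[str, str] = {
    "web.example.com.": "CNAME srv1.example.com.",
    "mail.example.com.": "CNAME srv1.example.com.",
    "srv1.example.com.": "A 192.0.2.10",
    "alt.example.com.": "A 192.0.2.20",
}
# Constructed reverse zone: address -> PTR name. alt's PTR deliberately
# differs from its A-record name so the effect of the reverse lookup is visible.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "srv1.example.com.",
    "192.0.2.20": "ptr-name.example.com.",
}


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def resolve_forward(name: str) -> Tuple[str, str]:
    """Follow CNAME records to the A record, like getaddrinfo(..., AI_CANONNAME).
    Returns (canonical name, address); raises LookupError if nothing resolves."""
    fqdn = _fqdn(name)
    seen = set()
    while True:
        if fqdn in seen:
            raise LookupError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        rr = FORWARD.get(fqdn)
        if rr is None:
            raise LookupError(f"no record for {fqdn}")
        kind, value = rr.split(" ", 1)
        if kind == "CNAME":
            fqdn = value
            continue
        return fqdn, value


def canonicalize(name: str, dns_canonicalize_hostname: bool = True, rdns: bool = True) -> str:
    """Turn the name the user typed into the hostname used in the principal.
    The flags model the forward lookup and the reverse (PTR) lookup described
    in the thread; with the forward lookup off, the typed name is used verbatim."""
    if not dns_canonicalize_hostname:
        return name.lower().rstrip(".")
    canon, addr = resolve_forward(name)
    if rdns:
        canon = REVERSE.get(addr, canon)  # keep the forward name if there is no PTR
    return canon.lower().rstrip(".")


def service_principal(target: str, **opts) -> str:
    return f"host/{canonicalize(target, **opts)}@{REALM}"


def acceptor_accepts(ticket_sname: str, keytab: Set[str], pinned_name: Optional[str]) -> bool:
    """Server side. pinned_name=None models an acceptor that uses any host/
    principal whose key is in the keytab; a string models an acceptor bound to
    one principal (for example one derived from the local `hostname`)."""
    if ticket_sname not in keytab:
        return False
    return pinned_name is None or ticket_sname == pinned_name


def working_names(aliases: List[str], keytab: Set[str], local_hostname: str,
                  client_canonicalizes: bool, acceptor_any_key: bool) -> List[str]:
    """Which of the names a user might type lead to a successful exchange."""
    opts = {} if client_canonicalizes else {"dns_canonicalize_hostname": False}
    pinned = None if acceptor_any_key else f"host/{local_hostname}@{REALM}"
    return [a for a in aliases
            if acceptor_accepts(service_principal(a, **opts), keytab, pinned)]


ALIASES = ["web.example.com", "mail.example.com", "srv1.example.com"]
KEYTAB = {f"host/{a}@{REALM}" for a in ALIASES}  # one key per name, as in the post

if __name__ == "__main__":
    for canon in (True, False):
        for any_key in (False, True):
            for hn in ("srv1.example.com", "web.example.com"):
                print(f"client canonicalizes={canon!s:5} acceptor any-key={any_key!s:5} "
                      f"hostname={hn:17} -> {working_names(ALIASES, KEYTAB, hn, canon, any_key)}")
```

Running the matrix shows the two regimes: when the client canonicalizes, every alias collapses to the same principal, so the names behave identically and changing the local hostname can only make all of them work or none of them; when the client does not canonicalize and the acceptor is bound to one principal, exactly the name equal to the local hostname works and the working name follows the hostname. An acceptor that uses any keytab entry makes all three names work regardless.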
