[32713] in Kerberos


"Hostname cannot be canonicalized": is it possible to use

daemon@ATHENA.MIT.EDU (Jonathan Simms)
Sun Sep 26 00:07:09 2010

Date: Sun, 26 Sep 2010 00:07:01 -0400
Message-ID: <AANLkTikBkiPLwv3A1Z5OFue75KfEf-T4ifKRz4rDAMgu@mail.gmail.com>
From: Jonathan Simms <slyphon@gmail.com>
To: kerberos@mit.edu

I'm trying to set up a kerberos infrastructure at work, and currently
(unfortunately) because of policy, we need to have SSH "jump boxes" to
gain access to systems "on the inside". This requires fairly involved
ssh configs, with entries like the following:

Host inside-host
   ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"

With ssh public-key this works fine, but when I change my config to
use gssapi-with-mic, login fails with the message: "Hostname cannot be
canonicalized". Login to the jump-box using GSSAPI succeeds, and I'm
able to forward my credentials, however it seems that the inside box
is unhappy.

I've configured the .ssh/config files of both my starting box and the
jump box with the options:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDns yes

I also tried setting (in krb5.conf):

[libdefaults]
rdns = false

That seemed to have no effect.


Does anyone know if what I'm trying to do is possible?

-Jonathan
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
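Added example, not part of the original post or of any reply on the list: a small simulation of the two client-side steps that produce this error. For `ssh inside-host`, OpenSSH hands GSSAPI the HostName value if one is set and otherwise the Host alias itself, and `%h` in ProxyCommand expands to that same name. krb5's host-based principal canonicalization then does a forward lookup of that name on the client (the starting box, not the jump box); if that lookup fails it returns KRB5_ERR_BAD_HOSTNAME, whose text is "Hostname cannot be canonicalized". `rdns` only governs the optional reverse lookup that follows a successful forward lookup, which is why it changed nothing here. The realm `EXAMPLE.COM`, the addresses, the resolver table, and the FQDN `inside-host.inside.domain` (built from the post's `%h.inside.domain`) are constructed assumptions.

```python
"""Simulate which name ssh hands to GSSAPI and how krb5 canonicalizes it.

Added example (not from the original post). Names, realm, addresses and the
resolver table are constructed assumptions.
"""
from typing import Dict, Optional, Tuple

# krb5's error string for KRB5_ERR_BAD_HOSTNAME
KRB5_ERR_BAD_HOSTNAME = "Hostname cannot be canonicalized"


class KerberosError(Exception):
    pass


class FakeResolver:
    """Stands in for getaddrinfo()/getnameinfo() as seen from the starting box."""

    def __init__(self, forward: Dict[str, Tuple[str, str]], reverse: Dict[str, str]):
        self._forward = forward  # name -> (canonical name, address)
        self._reverse = reverse  # address -> PTR name

    def forward(self, name: str) -> Optional[Tuple[str, str]]:
        return self._forward.get(name.lower())

    def reverse(self, addr: str) -> Optional[str]:
        return self._reverse.get(addr)


# Constructed client-side DNS view: the jump box resolves, the inside host
# resolves only by FQDN (assumption: split DNS or an /etc/hosts entry on the
# client), and the bare alias "inside-host" resolves nowhere.
CLIENT_RESOLVER = FakeResolver(
    forward={
        "jump-box.example.com": ("jump-box.example.com", "192.0.2.10"),
        "inside-host.inside.domain": ("inside-host.inside.domain", "198.51.100.20"),
    },
    reverse={"198.51.100.20": "inside-host.inside.domain"},
)

# The block from the post: no HostName, so the alias is the GSSAPI target.
ORIGINAL_CONFIG = """
Host inside-host
   ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
"""

# Assumed variant to try: HostName set to the FQDN. Because %h now expands to
# the FQDN, the nc target is plain %h rather than %h.inside.domain.
FIXED_CONFIG = """
Host inside-host
   HostName inside-host.inside.domain
   ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
"""


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ssh_config reader: Host alias -> {lowercased keyword: value}."""
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = value
            blocks[current] = {}
        elif current is not None:
            blocks[current][key] = value
    return blocks


def gssapi_target_name(config_text: str, alias: str) -> str:
    """Name ssh passes to GSSAPI for `ssh alias`: HostName if set, else the alias."""
    return parse_ssh_config(config_text).get(alias, {}).get("hostname", alias)


def sname_to_principal(hostname: str, service: str, realm: str,
                       resolver: FakeResolver, rdns: bool = True) -> str:
    """Mimic krb5_sname_to_principal() for a host-based (KRB5_NT_SRV_HST) name."""
    found = resolver.forward(hostname)
    if found is None:
        # Forward lookup failed: this is the error from the post, and rdns
        # never enters the picture.
        raise KerberosError(KRB5_ERR_BAD_HOSTNAME)
    canon, addr = found
    if rdns:
        ptr = resolver.reverse(addr)  # only consulted after a successful forward lookup
        if ptr:
            canon = ptr
    return f"{service}/{canon.lower()}@{realm}"


def diagnose(config_text: str, alias: str, resolver: FakeResolver = CLIENT_RESOLVER,
             rdns: bool = True, realm: str = "EXAMPLE.COM") -> str:
    """Return the host principal ssh would request a ticket for, or krb5's error text."""
    name = gssapi_target_name(config_text, alias)
    try:
        return sname_to_principal(name, "host", realm, resolver, rdns)
    except KerberosError as e:
        return f"{name}: {e}"


if __name__ == "__main__":
    for label, cfg, rdns in [("original", ORIGINAL_CONFIG, True),
                             ("original, rdns=false", ORIGINAL_CONFIG, False),
                             ("with HostName", FIXED_CONFIG, True)]:
        print(f"{label:22s} -> {diagnose(cfg, 'inside-host', rdns=rdns)}")
```

The practical check this suggests on the starting box is whether the name in the Host block's HostName (or the alias, if HostName is absent) resolves there at all, e.g. with `getent hosts <name>`, and then whether `kvno host/<fqdn>` succeeds; forwarding credentials to the jump box does not help, because the canonicalization happens in the client's own libkrb5 before the connection through the proxy is used. Later krb5 releases also have a `dns_canonicalize_hostname` libdefaults setting that skips the forward lookup entirely, which is separate from `rdns`.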
