Re: "Hostname cannot be canonicalized": is it possible to use
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Sep 26 00:22:22 2010
From: Russ Allbery <rra@stanford.edu>
To: Jonathan Simms <slyphon@gmail.com>
In-Reply-To: <AANLkTikBkiPLwv3A1Z5OFue75KfEf-T4ifKRz4rDAMgu@mail.gmail.com>
(Jonathan Simms's message of "Sun, 26 Sep 2010 00:07:01 -0400")
Date: Sat, 25 Sep 2010 21:22:16 -0700
Message-ID: <87eich877r.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Jonathan Simms <slyphon@gmail.com> writes:
> I'm trying to set up a kerberos infrastructure at work, and currently
> (unfortunately) because of policy, we need to have SSH "jump boxes" to
> gain access to systems "on the inside". This requires fairly involved
> ssh configs, with entries like the following:
> Host inside-host
>     ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
Don't do that, do this:
Host inside-host
    GSSAPITrustDns no
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
The problem is that ssh is attempting to authenticate to the
canonicalization of inside-host in DNS, but since that's inside your
internal network, I bet you don't have DNS available to do the
canonicalization, so you need to tell GSSAPI what the hostname is
separately.
> I've configured the .ssh/config files of both my starting box and the
> jump box with the options:
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDns yes
> I also tried setting (in krb5.conf):
> [libdefaults]
>     rdns = false
> Which seemed to have no effect.
GSSAPITrustDns yes is setting the exact opposite of rdns = false. It's
the equivalent of rdns = true.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
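The exchange above turns on one detail: with GSSAPITrustDns yes, ssh picks the Kerberos service principal from the canonicalized DNS name of the host, and the outside box has no DNS for the inside name, so the lookup fails; with GSSAPITrustDns no plus an explicit HostName, ssh uses the configured name as given and only the nc on the jump box ever has to resolve it. The following is an added illustration of that decision, not OpenSSH's code and not part of the thread. It models ssh's config parsing and principal selection in a deliberately simplified way (forward canonicalization only, no rdns handling, no `Key=value` syntax), and the DNS table, realm EXAMPLE.COM and port 22 are constructed assumptions for the example.

```python
"""Model of how OpenSSH picks the Kerberos service principal for GSSAPI
authentication from an ssh_config stanza, with and without trusting DNS.

Added illustration, not OpenSSH's own code. The DNS table, realm and
hostnames below are constructed for the example; the model is simplified
(forward canonicalization only, no rdns, no 'Key=value' syntax).
"""


class CanonicalizationError(Exception):
    """Raised when GSSAPITrustDns is on but DNS cannot canonicalize the name."""


def parse_ssh_config(text):
    """Parse 'Host <alias>' stanzas into {alias: {lowercased option: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = stanzas.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # first occurrence wins, as in ssh
    return stanzas


def gssapi_target(alias, config, dns, realm):
    """Return (target hostname, service principal) ssh would authenticate to.

    dns is a constructed {name: canonical name} table standing in for the
    resolver visible from the box running ssh.
    """
    opts = config[alias]
    hostname = opts.get("hostname", alias)  # HostName overrides the alias
    trust_dns = opts.get("gssapitrustdns", "no").lower() == "yes"
    if trust_dns:
        # Trusting DNS: the principal follows whatever canonical name the
        # resolver returns, and fails outright if it returns nothing.
        canonical = dns.get(hostname.lower())
        if canonical is None:
            raise CanonicalizationError(
                f"Hostname cannot be canonicalized: {hostname}")
    else:
        # Not trusting DNS: the configured name is used verbatim.
        canonical = hostname
    return canonical, f"host/{canonical}@{realm}"


def expand_proxy_command(alias, config, port=22):
    """Expand %h/%p in ProxyCommand as ssh does: %h is HostName, not the alias."""
    opts = config[alias]
    hostname = opts.get("hostname", alias)
    return opts.get("proxycommand", "").replace("%h", hostname).replace("%p", str(port))


# The poster's stanza: trust DNS, no HostName, domain appended inside nc.
ORIGINAL_CONFIG = """
Host inside-host
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
"""

# The suggested stanza: do not trust DNS, give GSSAPI the full name via HostName.
FIXED_CONFIG = """
Host inside-host
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns no
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
"""

# Constructed view of DNS from the outside box: the jump box resolves,
# the internal name does not.
OUTSIDE_DNS = {"jump-box.example.com": "jump-box.example.com"}
REALM = "EXAMPLE.COM"  # assumed realm for the example


def demo(config_text, dns=OUTSIDE_DNS, realm=REALM):
    """Return (principal or error text, expanded ProxyCommand) for inside-host."""
    cfg = parse_ssh_config(config_text)
    try:
        _, principal = gssapi_target("inside-host", cfg, dns, realm)
        outcome = principal
    except CanonicalizationError as exc:
        outcome = f"error: {exc}"
    return outcome, expand_proxy_command("inside-host", cfg)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        principal, proxy = demo(text)
        print(f"{label:8s} principal: {principal}")
        print(f"{label:8s} proxy:     {proxy}")
```

Both stanzas expand to the same ProxyCommand, so the fix changes nothing about how the connection is tunnelled; it only changes where the service principal name comes from. The model also shows why the default for GSSAPITrustDns is the conservative one: with it enabled, the principal ssh authenticates to (and, with GSSAPIDelegateCredentials yes, forwards a ticket to) is whatever name DNS canonicalizes the host to, so it should only be turned on where those DNS answers are trusted.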