[32717] in Kerberos


Re: "Hostname cannot be canonicalized": is it possible to use

daemon@ATHENA.MIT.EDU (Jonathan Simms)
Sun Sep 26 22:31:26 2010

MIME-Version: 1.0
In-Reply-To: <87eich877r.fsf@windlord.stanford.edu>
Date: Sun, 26 Sep 2010 22:31:20 -0400
Message-ID: <AANLkTi=59Jrgydxd4sV3B4+Z8RzvZhtODTXHmOedFcad@mail.gmail.com>
From: Jonathan Simms <slyphon@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Sun, Sep 26, 2010 at 12:22 AM, Russ Allbery <rra@stanford.edu> wrote:
> Jonathan Simms <slyphon@gmail.com> writes:
>
>> I'm trying to set up a kerberos infrastructure at work, and currently
>> (unfortunately) because of policy, we need to have SSH "jump boxes" to
>> gain access to systems "on the inside". This requires fairly involved
>> ssh configs, with entries like the following:
>
>> Host inside-host
>>    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
>
> Don't do that, do this:
>
>    Host inside-host
>        GSSAPITrustDns no
>        HostName inside-host.inside.domain
>        ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
>
> The problem is that ssh is attempting to authenticate to the
> canonicalization of inside-host in DNS, but since that's inside your
> internal network, I bet you don't have DNS available to do the
> canonicalization, so you need to tell GSSAPI what the hostname is
> separately.
>
>> I've configured the .ssh/config files of both my starting box and the
>> jump box with the options:
>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPITrustDns yes
>
>> I also tried setting (in krb5.conf):
>
>> [libdefaults]
>> rdns = false
>
>> Which seemed to have no effect.
>
> GSSAPITrustDns yes is setting the exact opposite of rdns = false.  It's
> the equivalent of rdns = true.
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Ok, I tested setting GSSAPITrustDns and putting the FQDN in HostName and it does indeed work. :)

(This is rather unfortunate, just because it means you'd have to put the FQDN in for each "short name" you want to use, which is a little unwieldy in our environment)

So, if instead I were on a VPN, and had access to our internal resolvers, I could set GSSAPITrustDns to true and everything would work?

Thanks for the clarification :)
-- Jonathan
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
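The following is an added illustration, not code from OpenSSH, MIT Kerberos or either poster: a simplified model of how the SSH client arrives at the `host/...` service principal it requests for GSSAPI authentication, and why the configurations discussed above succeed or fail. The `GSSAPITrustDns` and `HostName` semantics follow the exchange above (TrustDns yes behaving like `rdns = true`); the DNS tables, the realm `EXAMPLE.COM` and all function names are constructed assumptions, and real krb5 canonicalization has more knobs than this model shows.

```python
# Added illustration (not OpenSSH or MIT Kerberos code): a simplified model of
# how the SSH client picks the Kerberos service principal for GSSAPI
# authentication, using constructed DNS tables in place of real resolvers.


class CanonicalizationError(Exception):
    """Stands in for ssh's "Hostname cannot be canonicalized" failure."""


# Constructed zone data: what the internal resolvers know. The starting box,
# sitting outside the VPN, sees an empty table for these names.
INTERNAL_DNS = {
    "forward": {"inside-host.inside.domain": "10.0.5.12"},  # A record
    "reverse": {"10.0.5.12": "inside-host.inside.domain"},  # PTR record
    "search": "inside.domain",                               # resolver search suffix
}
EXTERNAL_DNS = {"forward": {}, "reverse": {}, "search": None}


def canonicalize(name, dns):
    """Forward-resolve NAME (trying the resolver search suffix for short names),
    then reverse-resolve the address back to a name, as rdns = true does."""
    candidates = [name]
    if "." not in name and dns["search"]:
        candidates.append(f"{name}.{dns['search']}")
    addr = next((dns["forward"][c] for c in candidates if c in dns["forward"]), None)
    if addr is None:
        raise CanonicalizationError(f"no address record for {name!r}")
    ptr = dns["reverse"].get(addr)
    if ptr is None:
        raise CanonicalizationError(f"no PTR record for {addr}")
    return ptr


def gssapi_service_principal(hostname, realm, dns, trust_dns):
    """Return the host/... principal ssh will request a ticket for.

    trust_dns=True  : GSSAPITrustDns yes (equivalent to rdns = true); the name
                      is canonicalized through DNS first.
    trust_dns=False : GSSAPITrustDns no; the HostName value is used verbatim,
                      so it must already be the name the KDC knows.
    """
    fqdn = canonicalize(hostname, dns) if trust_dns else hostname
    return f"host/{fqdn}@{realm}"


def scenarios(realm="EXAMPLE.COM"):
    """Walk the configurations discussed in the thread; returns a dict of outcomes."""
    results = {}
    # 1. Original config: short name, GSSAPITrustDns yes, internal DNS unreachable.
    try:
        results["short_trustdns_external"] = gssapi_service_principal(
            "inside-host", realm, EXTERNAL_DNS, trust_dns=True)
    except CanonicalizationError as e:
        results["short_trustdns_external"] = f"error: {e}"
    # 2. The suggested fix: FQDN in HostName, GSSAPITrustDns no. No DNS needed.
    results["fqdn_notrust_external"] = gssapi_service_principal(
        "inside-host.inside.domain", realm, EXTERNAL_DNS, trust_dns=False)
    # 3. On the VPN with internal resolvers: short name + GSSAPITrustDns yes works.
    results["short_trustdns_internal"] = gssapi_service_principal(
        "inside-host", realm, INTERNAL_DNS, trust_dns=True)
    # 4. Caveat: a short name with GSSAPITrustDns no asks for a principal the KDC
    #    most likely does not have, because nothing expands the name.
    results["short_notrust_external"] = gssapi_service_principal(
        "inside-host", realm, EXTERNAL_DNS, trust_dns=False)
    return results


if __name__ == "__main__":
    for key, outcome in scenarios().items():
        print(f"{key:26s} -> {outcome}")
```

Scenario 1 reproduces the original failure (no resolver can turn `inside-host` into a canonical name), scenario 2 is the `HostName` plus `GSSAPITrustDns no` fix from the reply, scenario 3 is the VPN case asked about in the follow-up, and scenario 4 shows why the short name alone is not enough once canonicalization is switched off.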
