[32957] in Kerberos
Re: ssh to IP literal
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Dec 13 00:34:23 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <ie43d8$2jsg$1@relay.tomsk.ru> (Victor Sudakov's message of "Mon, 13 Dec 2010 03:20:08 +0000 (UTC)")
Date: Sun, 12 Dec 2010 21:34:14 -0800
Message-ID: <8739q2dynd.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> writes:
> Is it a bad thing to use IP literals as Kerberos principals?
Well, it poses a problem for domain to realm mappings, as you've seen.
> However, I am curious. When I try to "ssh user@10.14.134.5", a very
> strange ticket is being requested from the KDC:
> 2010-12-13T09:14:15 TGS-REQ sudakov@SIBPTUS.TOMSK.RU from IPv4:10.14.134.125 for krbtgt/14.134.5@SIBPTUS.TOMSK.RU
> 2010-12-13T09:14:15 Server not found in database: krbtgt/14.134.5@SIBPTUS.TOMSK.RU: No such entry in the database
> 2010-12-13T09:14:15 Failed building TGS-REP to IPv4:10.14.134.125
> What exactly is "krbtgt/14.134.5"? Why only the last 3 octets of the
> address?
Kerberos implementations tend to assume that they're dealing with
hostnames, so their algorithm of last resort to figure out what realm
should be used to contact a host is to get rid of the part before the
first period (the "hostname") and hope the rest is a Kerberos realm. This
obviously doesn't work with IP addresses, so you get the above failed
attempt at a cross-realm authentication to a weird realm.
If you add an explicit domain_realm mapping for each IP address to the
[domain_realm] section of your krb5.conf file, it will probably work, but
it's generally a much better idea to use real host names (possibly in some
private domain ending in .local or some similar marker).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
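The following is an added illustration, not code from the post or from any Kerberos implementation. It models the host-to-realm fallback Russ describes (drop everything before the first period, treat the rest as the realm), shows how that turns the IP literal 10.14.134.5 into the bogus realm "14.134.5" and the cross-realm request krbtgt/14.134.5@SIBPTUS.TOMSK.RU seen in Victor's KDC log, and shows how an explicit [domain_realm] entry changes the answer. The krb5.conf fragment, the lookup order (exact host, then parent domains with a leading dot, then fallback) and the helper names are assumptions made for the demo; the real library's lookup order has more steps than this. The log-line checker at the end runs over the three lines quoted in the thread and flags TGS requests whose target realm is purely numeric, which is the symptom a KDC admin would look for.

```python
"""Simplified model of Kerberos host-to-realm mapping (illustrative, not MIT krb5 code)."""
import re

# Constructed krb5.conf fragment for the demo; the IP literal entry is the
# workaround suggested in the reply.
KRB5_CONF = """
[libdefaults]
    default_realm = SIBPTUS.TOMSK.RU

[domain_realm]
    .sibptus.tomsk.ru = SIBPTUS.TOMSK.RU
    sibptus.tomsk.ru = SIBPTUS.TOMSK.RU
    10.14.134.5 = SIBPTUS.TOMSK.RU
"""

# KDC log lines as quoted in the original message.
KDC_LOG = [
    "2010-12-13T09:14:15 TGS-REQ sudakov@SIBPTUS.TOMSK.RU from IPv4:10.14.134.125 for krbtgt/14.134.5@SIBPTUS.TOMSK.RU",
    "2010-12-13T09:14:15 Server not found in database: krbtgt/14.134.5@SIBPTUS.TOMSK.RU: No such entry in the database",
    "2010-12-13T09:14:15 Failed building TGS-REP to IPv4:10.14.134.125",
]


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict of lower-cased key -> realm."""
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def fallback_realm(host):
    """Last-resort heuristic from the thread: strip the leftmost label, upper-case the rest."""
    _, _, rest = host.partition(".")
    return rest.upper() if rest else None


def host_to_realm(host, domain_realm):
    """Resolve a host's realm (assumed order): exact entry, parent-domain entry, then fallback."""
    h = host.lower()
    if h in domain_realm:
        return domain_realm[h], "explicit"
    labels = h.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix], "explicit"
    return fallback_realm(h), "fallback"


def cross_realm_tgs_principal(client_realm, target_realm):
    """Name of the ticket a client asks its own KDC for when the target realm differs."""
    return "krbtgt/%s@%s" % (target_realm, client_realm)


def numeric_realm_requests(log_lines):
    """Flag TGS-REQ lines whose krbtgt target realm is all digits and dots (IP literal symptom)."""
    hits = []
    for line in log_lines:
        m = re.search(r"TGS-REQ .* for krbtgt/([^@\s]+)@", line)
        if m and re.fullmatch(r"[\d.]+", m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    mapping = parse_domain_realm(KRB5_CONF)
    for host in ("10.14.134.5", "srv1.sibptus.tomsk.ru"):
        realm, how = host_to_realm(host, {})
        print("%s -> %s (%s); with mapping: %s" % (host, realm, how, host_to_realm(host, mapping)))
    print(cross_realm_tgs_principal("SIBPTUS.TOMSK.RU", fallback_realm("10.14.134.5")))
    print("suspicious realms in KDC log:", numeric_realm_requests(KDC_LOG))
```

Without a mapping, the IP literal falls through to the fallback and yields realm "14.134.5", which is exactly what the KDC rejected; with the explicit entry the lookup returns SIBPTUS.TOMSK.RU before the fallback is reached. The hostname case shows why real names in a properly mapped domain avoid the problem entirely.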
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos