[32975] in Kerberos

Re: ssh to IP literal

daemon@ATHENA.MIT.EDU (Victor Sudakov)
Tue Dec 21 08:08:50 2010

From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Tue, 21 Dec 2010 05:28:41 +0000 (UTC)
Message-ID: <iepdu9$kic$1@relay.tomsk.ru>
X-Complaints-To: noc@sibptus.tomsk.ru
X-Comment-To: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Russ Allbery wrote:

[dd]

> > And another question. If a Kerberos-enabled server has several
> > principals in its keytab, how exactly does it decide which one to
> > use?

> It uses whatever one the client uses, in general.  There are some services
> that limit what principals they'll accept to only that one principal that
> matches what the service thinks is the local hostname, but given how many
> problems this causes, an increasing number of services will accept any
> principal found in the system keytab.

How does a service figure out the local hostname? I have a feeling
that some daemons (e.g. sshd) don't look at `hostname` but use the PTR
record for the address of one of the interfaces. If there is no
reverse DNS, then it's a bummer: you can't use GSSAPI to ssh to the host.

For the present, I am not sure if the PTR record could be replaced by
an /etc/hosts entry on the server itself. I've had many irritating
cases of being unable to use GSSAPIAuthentication in sshd because of
incongruous DNS.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
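
The two questions in the exchange above (which keytab principal a server uses, and what name it treats as "itself") can be made concrete with a small model. The script below is an added example, not code from the post, from sshd or from MIT krb5: it parses an MIT-format keytab (version 0x0502) that it builds inline from constructed entries, canonicalizes a hostname against a constructed DNS table in the way the MIT krb5 `rdns` setting is usually described (forward lookup, then an optional PTR lookup), and contrasts the two acceptor policies Russ mentions, "only the principal matching the local hostname" versus "any principal in the keytab". The realm EXAMPLE.COM, the hostnames, addresses, keys and the fallback to the forward name when no PTR exists are all assumptions of the model.

```python
"""Model of how a GSS-API acceptor picks a keytab principal.

Added example, not code from the list post, from sshd or from MIT krb5.
Parses an MIT keytab (format 0x0502) built inline from constructed data,
canonicalizes a hostname against a constructed DNS table (forward lookup,
then an optional PTR lookup, as the MIT krb5 `rdns` option is described),
and contrasts the two acceptor policies Russ mentions.  Hosts, realm,
keys and DNS data are invented for the demonstration.
"""
import struct

REALM = "EXAMPLE.COM"  # assumed realm
# Constructed DNS view: forward records plus a deliberately partial PTR table.
DNS_A = {"srv.example.com": "192.0.2.10", "alias.example.com": "192.0.2.10",
         "nop.example.com": "192.0.2.11"}
DNS_PTR = {"192.0.2.10": "srv.example.com"}  # 192.0.2.11 has no PTR record
# Constructed keytab contents: (principal, kvno, enctype, key bytes).
SAMPLE_ENTRIES = [
    ("host/srv.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),     # aes256-cts
    ("host/alias.example.com@EXAMPLE.COM", 300, 17, b"\x22" * 16),  # kvno > 255
]


def build_keytab(entries):
    """Serialize entries in MIT keytab format (big-endian fields)."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                       # realm, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        strings = []                  # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # skip header fields and the key itself
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit vno, used when nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
    return entries


def canonicalize(host, rdns=True):
    """Name a service treats as its own for host@<host>: with rdns the PTR of
    the resolved address wins, otherwise the forward name is kept.  Falling
    back to the forward name when there is no PTR is this model's assumption."""
    addr = DNS_A.get(host.lower())
    if addr is None:
        return None
    return DNS_PTR.get(addr, host.lower()) if rdns else host.lower()


def acceptor_choice(entries, client_target, local_host, any_principal):
    """Principal the acceptor uses for a ticket issued for client_target, or
    None if rejected.  Strict policy: only host/<local_host>@REALM; permissive
    policy: any principal that is present in the keytab."""
    if client_target not in {p for p, _, _ in entries}:   # no key: cannot decrypt
        return None
    if any_principal or client_target == "host/%s@%s" % (local_host, REALM):
        return client_target
    return None


def demo():
    kt = build_keytab(SAMPLE_ENTRIES)
    kt = kt[:2] + struct.pack(">i", -8) + b"\0" * 8 + kt[2:]   # deleted slot
    entries = parse_keytab(kt)
    # Client connected via the alias with rdns off, so its ticket names the alias.
    target = "host/%s@%s" % (canonicalize("alias.example.com", rdns=False), REALM)
    local = canonicalize("srv.example.com")          # what the server calls itself
    return {"principals": [p for p, _, _ in entries],
            "strict": acceptor_choice(entries, target, local, False),
            "permissive": acceptor_choice(entries, target, local, True)}
```

Running `demo()` shows the failure mode from the thread: the client got a ticket for host/alias.example.com, the server canonicalizes itself to srv.example.com through the PTR record, and the strict policy rejects the context even though the key is in the keytab, while the permissive policy accepts it. Against a real system the same check is `klist -k` on the server's keytab plus a look at which name the client actually requested (`klist` after the failed login), which is usually enough to explain "incongruous DNS" errors.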