[32976] in Kerberos
Re: ssh to IP literal
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Dec 21 11:29:43 2010
From: Greg Hudson <ghudson@mit.edu>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
In-Reply-To: <iepdu9$kic$1@relay.tomsk.ru>
Date: Tue, 21 Dec 2010 11:29:35 -0500
Message-ID: <1292948975.3219.44.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Tue, 2010-12-21 at 00:28 -0500, Victor Sudakov wrote:
> How does a service figure out the local hostname?
When they specify one at all, they generally call gethostname(), which
the library canonicalizes through a forward and reverse name lookup.
(The reverse part can be suppressed by setting rdns = false in
[libdefaults] in krb5.conf.)
> I have a feeling
> that some daemons (e.g. sshd) don't look at `hostname` but use a PTR
> record for the address of one of the interfaces. If there is no
> reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.
Stock OpenSSH calls gethostbyname().
OpenSSH with Simon's patches (as packaged in Debian, for instance) can
be configured to pass no hostname, by setting "GSSStrictAcceptorCheck
no" in sshd_config. If you set this option, be aware that the client
will be able (in theory) to authenticate to sshd using any service
principal in your keytab, not just the host principal you'd expect. In
most scenarios this is not a problem.
> For the present, I am not sure if the PTR record could be replaced by
> an /etc/hosts entry on the server itself. I've had many irritating
> cases of being unable to use GSSAPIAuthentication in sshd because of
> incongruous DNS.
None of the code in question insists on using DNS, so /etc/hosts entries
should be fine as long as NSS (or equivalent) is configured to use it.
(For a discussion of ways we might improve this situation within krb5,
see: http://mailman.mit.edu/pipermail/krbdev/2010-August/009363.html )
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
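The two mechanisms the message describes, library canonicalization of the local hostname (forward lookup, then reverse lookup unless rdns = false) and sshd's acceptor check (strict by default, relaxed by GSSStrictAcceptorCheck no), can be seen side by side in the following Python model. This is an added illustration, not code from the message, from MIT krb5 or from OpenSSH. The forward and reverse tables are constructed sample data standing in for the getaddrinfo()/getnameinfo() answers NSS would give (which is why /etc/hosts entries work just as well as DNS), the realm EXAMPLE.COM and the host names are placeholders, and the function names are mine.

```python
"""Model of krb5-style hostname canonicalization and the sshd acceptor
check.  Added example; the lookup tables below are constructed data,
not real resolver answers."""
import socket

# Constructed forward table: name -> (canonical name, first address).
FORWARD = {
    "ray": ("ray.example.com", "192.0.2.10"),
    "ray.example.com": ("ray.example.com", "192.0.2.10"),
    "nodns": ("nodns.example.com", "192.0.2.20"),
    "nodns.example.com": ("nodns.example.com", "192.0.2.20"),
}
# Constructed reverse table: address -> PTR name.  192.0.2.20 has no PTR.
REVERSE = {
    "192.0.2.10": "ray.example.com",
}


def forward_lookup(name):
    """Stand-in for getaddrinfo(name, AI_CANONNAME).  An IP literal
    canonicalizes to itself; anything else must be in the table."""
    try:
        socket.inet_pton(socket.AF_INET, name)
        return name, name          # literal: canonical name is the literal
    except OSError:
        pass
    if name not in FORWARD:
        raise LookupError("no forward record for %s" % name)
    return FORWARD[name]


def reverse_lookup(addr):
    """Stand-in for getnameinfo(addr, NI_NAMEREQD)."""
    if addr not in REVERSE:
        raise LookupError("no PTR record for %s" % addr)
    return REVERSE[addr]


def sname_to_principal(service, hostname, realm, rdns=True):
    """Mimic the library's sname-to-principal step: forward-canonicalize,
    then, if rdns is on, replace the name with the PTR result when one
    exists.  A failed reverse lookup is not fatal; the forward name is
    kept, which for an IP literal means the literal itself."""
    canon, addr = forward_lookup(hostname)
    if rdns:
        try:
            canon = reverse_lookup(addr)
        except LookupError:
            pass
    canon = canon.rstrip(".").lower()
    return "%s/%s@%s" % (service, canon, realm)


def acceptor_accepts(keytab, requested, local_name, realm,
                     strict=True, rdns=True):
    """Model of sshd's acceptor check.  With GSSStrictAcceptorCheck yes
    the acceptor name is host/<canonicalized local hostname>, so the
    client's ticket must be for exactly that principal.  With 'no' sshd
    passes no acceptor name and any principal whose key is in the keytab
    is accepted (keytab is a set of principal strings)."""
    if strict:
        expected = sname_to_principal("host", local_name, realm, rdns)
        return requested == expected and expected in keytab
    return requested in keytab


if __name__ == "__main__":
    kt = {"host/ray.example.com@EXAMPLE.COM",
          "HTTP/ray.example.com@EXAMPLE.COM"}
    for host, rdns in (("ray", True), ("192.0.2.10", True),
                       ("192.0.2.10", False), ("192.0.2.20", True)):
        print(host, rdns, sname_to_principal("host", host, "EXAMPLE.COM", rdns))
    print(acceptor_accepts(kt, "HTTP/ray.example.com@EXAMPLE.COM",
                           "ray", "EXAMPLE.COM", strict=False))
```

Running it shows the situations from the thread: a name with a PTR record canonicalizes to the same principal whether approached by name or by IP literal, an IP literal with rdns = false (or with no PTR record) stays a literal and so never matches host/ray.example.com in the keytab under the strict check, and with the strict check off a ticket for any keytab principal, HTTP/ included, is accepted.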