ssh to IP literal
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Tue Dec 21 22:57:09 EST 2010
Greg Hudson wrote:
> > How does a service figure out the local hostname?
> When they specify one at all, they generally call gethostname(), which
> the library canonicalizes through a forward and reverse name lookup.
> (The reverse part can be suppressed by setting rdns = false in
> [libdefaults] in krb5.conf.)
This setting must be specific to MIT Kerberos, I don't see it in Heimdal.
> > I have a feeling
> > that some daemons (e.g. sshd) don't look at `hostname` but use a PTR
> > record for the address of one of the interfaces. If there is no
> > reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.
> Stock OpenSSH calls gethostbyname().
You probably mean gethostname(), not gethostbyname()?
> OpenSSH with Simon's patches (as packaged in Debian, for instance) can
> be configured to pass no hostname, by setting "GSSStrictAcceptorCheck
> no" in sshd_config. If you set this option, be aware that the client
> will be able (in theory) to authenticate to sshd using any service
> principal in your keytab, not just the host principal you'd expect. In
> most scenarios this is not a problem.
> > For the present, I am not sure if the PTR record could be replaced by
> > an /etc/hosts entry on the server itself. I've had many irritating
> > cases of being unable to use GSSAPIAuthentication in sshd because of
> > incongruous DNS.
> None of the code in question insists on using DNS, so /etc/hosts entries
> should be fine as long as NSS (or equivalent) is configured to use it.
But earlier you said that DNS-canonicalization of the gethostname() is
used. If we have no DNS, who will canonicalize the hostname?
> (For a discussion of ways we might improve this situation within krb5,
> see: http://mailman.mit.edu/pipermail/krbdev/2010-August/009363.html )
It also says that "For these acceptors, krb5_sname_to_principal
constructs a principal "<service>/<localhostname>@<realm>", where
<localhostname> is the DNS-canonicalized result of gethostname() ..."
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
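An added example that is not part of this thread and not code from MIT krb5, Heimdal or OpenSSH: a small Python model of the acceptor-name construction the thread discusses (gethostname(), forward lookup to a canonical name, optional reverse lookup that `rdns = false` switches off, then service/<host>@REALM), plus a model of what `GSSStrictAcceptorCheck no` changes. The lookups go through the libc resolver, i.e. NSS, so /etc/hosts entries satisfy them as well as DNS does. The resolver functions are injectable; the SAMPLE_* tables, hostnames, addresses and realm below are constructed for illustration.

```python
import socket

# Added example, not code from the thread or from MIT krb5, Heimdal or OpenSSH.
# It approximates the canonicalization the thread describes: gethostname(),
# a forward lookup to a canonical name, an optional reverse lookup on the
# resulting address (what `rdns = false` in [libdefaults] switches off), and
# finally service/<canonical-host>@REALM. Resolver functions are injectable so
# the logic can be exercised offline against the constructed sample tables.


def _forward_lookup(hostname):
    """Forward step: (canonical name, first address) via getaddrinfo, i.e. NSS."""
    try:
        infos = socket.getaddrinfo(hostname, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return None, None
    if not infos:
        return None, None
    canon = infos[0][3] or None        # AI_CANONNAME is filled on the first entry only
    return canon, infos[0][4][0]


def _reverse_lookup(addr):
    """Reverse step: PTR (or /etc/hosts) name for an address, None if there is none."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:                    # socket.herror / gaierror are OSError subclasses
        return None


def canonicalize_hostname(hostname, rdns=True,
                          forward=_forward_lookup, reverse=_reverse_lookup):
    """Return the name an acceptor would put in service/<name>@REALM."""
    canon, addr = forward(hostname)
    name = canon or hostname           # no forward answer: keep the bare hostname
    if rdns and addr:
        rev = reverse(addr)
        if rev:                        # missing PTR: keep the forward name
            name = rev
    return name.rstrip(".").lower()


def service_principal(service, realm, hostname=None, rdns=True,
                      forward=_forward_lookup, reverse=_reverse_lookup):
    """Build service/<canonical host>@REALM from gethostname() or a given name."""
    if hostname is None:
        hostname = socket.gethostname()
    host = canonicalize_hostname(hostname, rdns, forward, reverse)
    return "%s/%s@%s" % (service, host, realm)


def acceptor_accepts(keytab_principals, expected, client_target, strict=True):
    """Model of sshd's GSSStrictAcceptorCheck. strict: the principal the client
    obtained a ticket for must be exactly the one built for the local hostname.
    not strict: sshd passes no acceptor name, so any keytab principal is fine."""
    if client_target not in keytab_principals:
        return False
    return client_target == expected if strict else True


# Constructed sample resolver data (hypothetical names and addresses).
SAMPLE_FORWARD = {
    "server": ("server.example.com", "192.0.2.10"),
    "orphan": ("orphan.example.com", "192.0.2.20"),
}
SAMPLE_REVERSE = {
    "192.0.2.10": "server.example.com",           # PTR agrees with the A record
    "192.0.2.20": "vm-20.hosting.example.net",    # PTR belongs to the hosting provider
}


def sample_forward(hostname):
    return SAMPLE_FORWARD.get(hostname, (None, None))


def sample_reverse(addr):
    return SAMPLE_REVERSE.get(addr)


if __name__ == "__main__":
    keytab = {"host/server.example.com@EXAMPLE.COM",
              "host/orphan.example.com@EXAMPLE.COM"}
    for name in ("server", "orphan"):
        for rdns in (True, False):
            p = service_principal("host", "EXAMPLE.COM", name, rdns,
                                  sample_forward, sample_reverse)
            print("%-7s rdns=%-5s -> %-45s in keytab: %s" % (name, rdns, p, p in keytab))
```

Running the script with the sample tables shows the "incongruous DNS" case from the thread: "orphan" canonicalizes to host/vm-20.hosting.example.net@EXAMPLE.COM when the reverse lookup is honoured, which is not in the keytab, and to host/orphan.example.com@EXAMPLE.COM when rdns is off. Pass the real resolvers (the defaults) and no hostname to see what the local machine would produce; Heimdal's rules may differ, as the thread notes.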