Problems with SSH-GSSAPI ticket authentication and NAT

nomike nomike at fstph.at
Wed Jan 2 12:33:25 EST 2013


> On 01/02/2013 07:16 AM, nomike wrote:
> GSSAPIServerIdentity determines the input to host canonicalization; it
> does not override the output.  The flow is:
>
> 1. The caller invokes "ssh hostname".
>
> 2. ssh produces a hostname which is, in order of preference:
>    * the value of GSSAPIServerIdentity if specified
>    * the hostname as canonicalized by ssh, if GSSAPITrustDNS is set
>    * the literal hostname as typed
>
> 3. This name is imported into the GSS krb5 mech, which canonicalizes it
> according to the usual krb5 rules (always forward, then reverse unless
> rdns=false is set in [libdefaults] in krb5.conf).
>
> ssh currently has no way to ask the GSS krb5 mech not to canonicalize
> the hostname, because that's mechanism-specific behavior.

That sounds reasonable.
I changed my ".ssh/config" to this:
---SNIP---
Host nomike.test
	Hostname externaldomain.com
	GSSAPIServerIdentity ssh1206.internaldomain.com
---SNAP---

to be sure the config is used (if not, I should get a DNS error about not
being able to look up "nomike.test").

I also set "rdns = false" in the "[libdefaults]" section in krb5.conf.
But I still get tickets for the external host.

I strace'd the call to ssh and I could clearly see it doing a forward
and a reverse lookup after reading "krb5.conf".

----
However, I have an IMHO very ugly workaround:

In my ssh config I write:
---SNIP---
Host nomike.test
	Hostname externaldomain.com
	GSSAPIServerIdentity ssh.internaldomain.com
---SNAP---

So ssh connects to "externaldomain.com" and provides
"ssh.internaldomain.com" to kerberos.

When I now put a dummy entry with some nonexistent private IP in
"/etc/hosts":
---SNIP---
10.20.31.2	ssh1206.fstph.at
---SNAP---

forward and reverse DNS lookups done by kerberos lead to the correct
hostname and I get the correct ticket.

However, this is ugly and I'd like to do this in a cleaner fashion if
possible.

regards
nomike
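The three-step flow quoted at the top of this message (ssh picks a name, then the GSS krb5 mech forward- and reverse-resolves it) can be modelled to see why GSSAPIServerIdentity alone does not help behind NAT and why the /etc/hosts trick does. The following is an added example, not code from OpenSSH or MIT krb5 and not part of the original post; the resolver tables are constructed stand-ins for DNS and /etc/hosts, the 203.0.113.10 address and the INTERNALDOMAIN.COM realm are assumptions, and it assumes the identity name used in the workaround forward-resolves to the private address given in the message.

```python
"""Model of the ssh -> GSS krb5 host canonicalization flow from the thread.

Added example; not OpenSSH or MIT krb5 code. All resolver data is constructed.
"""

NAT_ADDR = "203.0.113.10"    # constructed: public address seen from outside the NAT
PRIVATE_ADDR = "10.20.31.2"  # private address from the /etc/hosts workaround

# "DNS" as the client sees it from outside: both names land on the NAT address,
# and the PTR for that address points back at the external name.
DNS_FORWARD = {
    "externaldomain.com": NAT_ADDR,
    "ssh1206.internaldomain.com": NAT_ADDR,
    "ssh.internaldomain.com": PRIVATE_ADDR,  # assumption for the workaround case
}
DNS_REVERSE = {NAT_ADDR: "externaldomain.com"}

# Constructed /etc/hosts content mirroring the workaround in the message.
HOSTS_WORKAROUND = "10.20.31.2\tssh1206.internaldomain.com   # dummy entry\n"


def parse_hosts(text):
    """Parse /etc/hosts lines into (ip, [names]) tuples, ignoring comments/blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def ssh_gss_name(typed_host, server_identity=None, trust_dns=False, ssh_canonical=None):
    """Step 2 of the quoted flow: the name ssh hands to the GSS krb5 mech."""
    if server_identity:                  # GSSAPIServerIdentity wins if set
        return server_identity
    if trust_dns and ssh_canonical:      # GSSAPITrustDNS: ssh's own canonical name
        return ssh_canonical
    return typed_host                    # otherwise the literal host name


def krb5_canonicalize(name, rdns, forward, reverse):
    """Step 3: krb5 mech rules - forward lookup always, then reverse unless rdns=false."""
    addr = forward.get(name)
    if addr is None:
        raise LookupError(f"cannot resolve {name}")
    if not rdns:
        return name
    return reverse.get(addr, name)


def requested_principal(typed_host, server_identity=None, trust_dns=False,
                        rdns=True, hosts_text="", realm="INTERNALDOMAIN.COM"):
    """Which host/ service principal the client will ask the KDC for."""
    forward = dict(DNS_FORWARD)
    reverse = dict(DNS_REVERSE)
    # /etc/hosts entries override DNS in both directions; the first name on a
    # line is the canonical one returned by reverse lookup.
    for ip, names in parse_hosts(hosts_text):
        for n in names:
            forward[n] = ip
        reverse[ip] = names[0]
    name = ssh_gss_name(typed_host, server_identity, trust_dns)
    host = krb5_canonicalize(name, rdns, forward, reverse)
    return f"host/{host}@{realm}"


if __name__ == "__main__":
    # Symptom: identity set, but reverse lookup of the NAT address undoes it.
    print(requested_principal("externaldomain.com", server_identity="ssh1206.internaldomain.com"))
    # What the quoted explanation predicts with rdns=false.
    print(requested_principal("externaldomain.com", server_identity="ssh1206.internaldomain.com", rdns=False))
    # The /etc/hosts workaround from the message.
    print(requested_principal("externaldomain.com", server_identity="ssh.internaldomain.com",
                              hosts_text=HOSTS_WORKAROUND))
```

The first call returns host/externaldomain.com, which is the wrong ticket described in the message: the identity name is forward-resolved to the NAT address and the reverse lookup of that address hands back the external name. Disabling the reverse step (rdns=False) or pinning the private address in /etc/hosts both make the model return host/ssh1206.internaldomain.com, which is exactly why the hosts-file trick works even though it is a hack.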
