host/*@REALM tickets with ssh, DNS
Dennis Davis
ccsdhd at bath.ac.uk
Fri Aug 9 13:26:43 EDT 2002
>From: Josh Huber <huber at alum.wpi.edu>
>Newsgroups: gmane.comp.encryption.kerberos.general
>Subject: host/*@REALM tickets with ssh, DNS
>Reply-To: Josh Huber <huber+dated+1029271255.ad7bce at alum.wpi.edu>
>Date: Fri, 09 Aug 2002 11:38:30 -0400
...
>I have a few general questions:
>
>1) Here is the output from klist after logging in via ssh. I have ssh
>configured to use Kerberos auth, and this appears to be working fine.
>Here is the output from klist on my mail server:
>
>klist: You have no tickets cached
>Ticket cache: FILE:/tmp/krb5cc_qKxnke
>Default principal: huber@PARADOXICAL.NET
>
>Valid starting     Expires            Service principal
>08/09/02 11:00:14  08/09/02 21:00:14  host/mail.paradoxical.net@PARADOXICAL.NET
>08/09/02 11:00:14  08/09/02 21:00:14  krbtgt/PARADOXICAL.NET@PARADOXICAL.NET
>
>But -- why do I have a ticket with the host/... principal? Perhaps
>someone could clue me in on this, or help me determine what's wrong
>(if anything).
Probably nothing wrong. I've often seen this with KerberosIV and
some KerberosV code contains comments that indicate that this will
happen. To quote:
* Verify the Kerberos ticket-granting ticket just retrieved for the
* user. If the Kerberos server doesn't respond, assume the user is
* trying to fake us out (since we DID just get a TGT from what is
* supposedly our KDC). If the host/<host> service is unknown (i.e.,
* the local keytab doesn't have it), return success but log the error.
... and I'm sure others will provide a better explanation.
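As an added illustration (not code from this thread or from the Kerberos distribution), here is a toy model of the verification step the quoted comment describes: once the TGT arrives, the login program fetches a host/<host> ticket and checks that it was sealed with the key in the local keytab, which a rogue KDC that merely handed out a TGT cannot do. Realm, host and user are taken from the klist output above; the keys and the HMAC "sealing" are constructed stand-ins for real ticket encryption.

```python
import hmac
import hashlib
import logging

log = logging.getLogger("login.krb5")

REALM = "PARADOXICAL.NET"           # realm and host as shown in the thread's klist output
HOST = "mail.paradoxical.net"
HOST_KEY = b"constructed-host-key"  # stand-in for the host/... key a real keytab holds


def seal(key: bytes, *fields: str) -> bytes:
    """Stand-in for encrypting a ticket under a service key (an HMAC tag)."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()


class KDC:
    """Issues service tickets sealed with whatever key it holds for the service."""
    def __init__(self, service_keys: dict, reachable: bool = True):
        self.keys = service_keys
        self.reachable = reachable

    def tgs_rep(self, user: str, service: str) -> bytes:
        if not self.reachable:
            raise ConnectionError("no answer from KDC")
        # A rogue KDC has no host key, so it can only seal with a key of its own.
        return seal(self.keys.get(service, b"constructed-attacker-key"), service, user, REALM)


def verify_init_creds(kdc: KDC, user: str, keytab: dict) -> str:
    """Return 'verified', 'unverified' (no host key in keytab: succeed but log) or 'forged'."""
    service = f"host/{HOST}@{REALM}"
    if service not in keytab:
        log.error("no key for %s in keytab; TGT accepted unverified", service)
        return "unverified"
    try:
        blob = kdc.tgs_rep(user, service)  # this is the host/... ticket that klist shows
    except ConnectionError:
        return "forged"                    # a KDC that just issued a TGT but now stays silent
    expected = seal(keytab[service], service, user, REALM)
    return "verified" if hmac.compare_digest(blob, expected) else "forged"


def demo(user: str = "huber") -> dict:
    """Run the check against a genuine, a rogue and an unreachable KDC, and with an empty keytab."""
    service = f"host/{HOST}@{REALM}"
    keytab = {service: HOST_KEY}
    return {
        "genuine": verify_init_creds(KDC({service: HOST_KEY}), user, keytab),
        "rogue": verify_init_creds(KDC({}), user, keytab),
        "silent": verify_init_creds(KDC({service: HOST_KEY}, reachable=False), user, keytab),
        "no_keytab": verify_init_creds(KDC({service: HOST_KEY}), user, {}),
    }
```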