OpenSSH problem on Solaris 8

Steve Langasek vorlon at dodds.net
Wed May 22 11:28:03 EDT 2002


On Wed, May 22, 2002 at 08:32:55AM -0500, Jacques A. Vidrine wrote:
> On Wed, May 22, 2002 at 01:42:54PM +0200, Marc wrote:
> > Well that's strange because I have one:

> > bash-2.03# klist -k
> > Keytab name: FILE:/etc/krb5/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >     1 host/hostname.domain.com at REALM

> Is `hostname.domain.com' the same as the output of the hostname
> command?

> If I recall correctly, Simon's modifications indirectly use
> gethostname() to determine the server principal name to use.  This is
> different than what most Kerberos network applications do (they
> typically use getsockname()).  It matters if your machine has multiple
> interfaces, or if for any other reason your hostname is different than
> the name you give the client.

> i.e.

>    client% ssh foo

>    server% hostname
>    bar

> foo and bar must match.

> I sent Simon some patches some time ago to (a) allow one to specify
> how to get the server name in the server (sshd) and (b) allow one to
> specify a different name to use at the client (ssh) to handle such
> cases, as well as tunneling and things of that nature where the
> network name does not match the server name.  I can dig them up if you
> like.

I would love it if you could send these patches to me (or to the list),
because it would save me the trouble of writing them.  I have a two-node
high availability cluster here that I'd like to use kerberized ssh on,
and it bugs me to no end that starting services on one of the nodes (and
bringing up the shared IP address) causes ssh to smell funny on the node's
real IP.  I'm always happy to accept a patch that'll save me the time to 
implement it myself. :)

Cheers,
Steve Langasek
postmodern programmer


