Kerberos 5 and DNS aliases

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Sun Dec 2 01:32:18 EST 2007


Danny Mayer wrote:
> > 
> > If a server is known by several names in DNS, how can I make GSSAPI
> > authentication work with all those names? 
> > 

> What's the real question? 

Here is the real question. 

I have created a principal for each of the several names, and placed
these principals' keys into the destination server's keytab. However,
when I try to ssh into this server, GSSAPI auth works only for one of
these names, actually the name which is equal to the server's `hostname`.
I can even choose which name will work, by changing the server's
`hostname`. But only one name at a time will work.

> This is about the PTR records?

I really do not know why the above setup does not work as I expect.

If the matter is really about PTR records, please elaborate. I have
never known that Kerberos uses PTR records in any way.

The system is FreeBSD 6.2 with stock Kerberos and ssh.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/


