Kerberos 5 and DNS aliases

Simon Wilkinson simon at sxw.org.uk
Sun Dec 2 03:52:32 EST 2007


On 2 Dec 2007, at 06:32, Victor Sudakov wrote:

>
> I have created a principal for each of the several names, and placed
> these principals' keys into the destination server's keytab. However
> when I try to ssh into this server, GSSAPI auth works only for one of
> these names, actually the name which is equal to the server's
> `hostname`.
> I can even choose which name will work, by changing the server's
> `hostname`. But only one name at a time will work.

The GSSAPI library is canonicalising the name passed to it, by doing
a forwards, then a reverse lookup in the DNS to obtain the fully
qualified hostname of the machine which you are connecting to. Recent
MIT releases provide a means of disabling this canonicalisation, but
I'm not sure about Heimdal.

Simon.
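As an added example (not code from the thread), here is a small offline simulation of the canonicalisation Simon describes: forward lookup, then reverse lookup, and the service principal the client ends up requesting. The zone data, realm and keytab contents are constructed for the demonstration, and the `rdns` flag models the MIT krb5 `[libdefaults]` `rdns` setting that later releases use to switch the reverse step off.

```python
# Constructed zone data for the demonstration (hypothetical names, RFC 5737
# documentation address); nothing is resolved on the network.
A_RECORDS = {                                           # name -> address
    "fileserver.example.com": "192.0.2.10",
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.10",
}
CNAMES = {"ftp.example.com": "fileserver.example.com"}  # alias -> target
PTR_RECORDS = {"192.0.2.10": "fileserver.example.com"}  # the box's `hostname`


def canonicalize(host, rdns=True):
    """Name the client will put into host/<name>@REALM.

    Forward step: follow CNAMEs to the name owning the address record (what
    getaddrinfo with AI_CANONNAME returns).  Reverse step (rdns=True): replace
    it with the PTR name of that address, the behaviour Simon describes.
    rdns=False keeps the forward-canonical name instead.
    """
    name = host.lower().rstrip(".")
    seen = set()
    while name in CNAMES:
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        name = CNAMES[name]
    if name not in A_RECORDS:
        raise LookupError(f"no address record for {host}")
    if rdns:
        name = PTR_RECORDS.get(A_RECORDS[name], name)
    return name


def service_principal(host, realm="EXAMPLE.COM", rdns=True):
    return f"host/{canonicalize(host, rdns)}@{realm}"


def check_aliases(names, keytab, realm="EXAMPLE.COM", rdns=True):
    """For each name a user might type, return the principal the client will
    request from the KDC and whether the server's keytab holds a key for it."""
    report = {}
    for name in names:
        principal = service_principal(name, realm, rdns)
        report[name] = (principal, principal in keytab)
    return report


if __name__ == "__main__":
    keytab = {"host/fileserver.example.com@EXAMPLE.COM",
              "host/www.example.com@EXAMPLE.COM"}   # constructed keytab contents
    names = ["fileserver.example.com", "www.example.com", "mail.example.com"]
    for rdns in (True, False):
        print(f"rdns={rdns}: {check_aliases(names, keytab, rdns=rdns)}")
```

With the reverse step on, every alias collapses to the PTR name, so the alias keys in the keytab are never consulted and the PTR record alone decides which name works; with it off, each alias needs its own host/ principal in the keytab, and a CNAME alias still collapses to its target.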
