Kerberos 5 and DNS aliases
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Sun Dec 2 04:51:23 EST 2007
Simon Wilkinson wrote:
> >
> > I have created a principal for each of the several names, and placed
> > these principals' keys into the destination server's keytab. However
> > when I try to ssh into this server, GSSAPI auth works only for one of
> > these names, actually the name which is equal to the server's
> > `hostname`.
> > I can even choose which name will work, by changing the server's
> > `hostname`. But only one name at a time will work.
> The GSSAPI library is canonicalising the name passed to it, by doing
> a forwards, then a reverse lookup in the DNS to obtain the fully
> qualified hostname of the machine which you are connecting to.
If so, why does the available name depend on the `hostname` setting
without any change in the DNS?
> Recent
> MIT releases provide a means of disabling this canonicalisation, but
> I'm not sure about Heimdal.
Does a ssh client really pass any server name to sshd during GSSAPI
negotiation?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
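As an added illustration (editor's example, not code from the thread, MIT krb5, or OpenSSH): the canonicalisation Simon describes can be modelled in a few lines. The client turns the name it was given into host/<name>@REALM, optionally following a forward lookup (CNAME to canonical A record) and then a reverse lookup (PTR). The DNS zone, realm, keytab, and the `strict_acceptor` rule (server accepts only host/<its own hostname>) are constructed assumptions used to reproduce the behaviour reported above; the switch names `dns_canonicalize_hostname` and `rdns` mirror the MIT krb5.conf [libdefaults] options, but the lookup logic here is a simplification, not the library's own.

```python
"""Model of Kerberos host-principal name canonicalisation (constructed example).

Everything below (zone data, realm, keytab, acceptor rule) is made up for
illustration; it is not MIT krb5, Heimdal, or sshd code.
"""

REALM = "EXAMPLE.COM"

# Constructed zone: www and mail are CNAMEs to real; alias2 has its own A
# record but shares real's address, and the PTR for that address is real.
DNS_CNAME = {
    "www.example.com": "real.example.com",
    "mail.example.com": "real.example.com",
}
DNS_A = {
    "real.example.com": "192.0.2.10",
    "alias2.example.com": "192.0.2.10",
}
DNS_PTR = {"192.0.2.10": "real.example.com"}


def canonicalize(name, dns_canonicalize_hostname=True, rdns=True):
    """Return the host name a client would place in host/<name>@REALM.

    With dns_canonicalize_hostname off the typed name is used as-is.
    Otherwise CNAMEs are followed to the canonical A-record owner, and if
    rdns is on the address's PTR target replaces that name (this is the
    forward-then-reverse step described in the thread)."""
    name = name.lower().rstrip(".")
    if not dns_canonicalize_hostname:
        return name
    canon, seen = name, set()
    while canon in DNS_CNAME and canon not in seen:   # follow CNAME chain
        seen.add(canon)
        canon = DNS_CNAME[canon]
    addr = DNS_A.get(canon)
    if addr is None:
        return canon            # unresolvable: fall back to the name as given
    if rdns and addr in DNS_PTR:
        canon = DNS_PTR[addr]   # reverse lookup wins over the forward name
    return canon


def service_principal(name, **opts):
    """host/<canonicalised name>@REALM as the client would request it."""
    return f"host/{canonicalize(name, **opts)}@{REALM}"


def gssapi_auth_ok(target, keytab, server_hostname, strict_acceptor=True, **opts):
    """Simplified acceptor model (assumption, not sshd's actual logic).

    The client requests a ticket for service_principal(target); the server
    must hold that key in its keytab.  With strict_acceptor=True the server
    additionally insists the ticket is for host/<its own hostname>, which
    reproduces 'only the name equal to `hostname` works'."""
    spn = service_principal(target, **opts)
    if spn not in keytab:
        return False
    if strict_acceptor and spn != f"host/{server_hostname}@{REALM}":
        return False
    return True


# Constructed keytab: the admin added a key for every alias, as in the thread.
KEYTAB = {
    "host/real.example.com@EXAMPLE.COM",
    "host/www.example.com@EXAMPLE.COM",
    "host/alias2.example.com@EXAMPLE.COM",
}

if __name__ == "__main__":
    for n in ("www.example.com", "alias2.example.com"):
        print(n, "->", service_principal(n),
              "| rdns off:", service_principal(n, rdns=False),
              "| no canon:", service_principal(n, dns_canonicalize_hostname=False))
    # Name as typed, strict acceptor on real.example.com: only the canonical
    # name works, and only because the alias resolves to it.
    print(gssapi_auth_ok("alias2.example.com", KEYTAB, "real.example.com"))
    print(gssapi_auth_ok("alias2.example.com", KEYTAB, "real.example.com", rdns=False))
```

Run it to see the two ways an alias can fail: with canonicalisation on, `alias2` is rewritten to `real` by the PTR and succeeds only because the server's hostname is `real`; with `rdns` (or `dns_canonicalize_hostname`) off, the client asks for host/alias2, which is in the keytab but is rejected by a strict acceptor unless the server's hostname is changed to match, exactly the dependence on `hostname` noted above. Relaxing `strict_acceptor` (any keytab entry accepted) makes every name with a key work regardless of hostname.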