Kerberos 5 and DNS aliases

Simon Wilkinson simon at sxw.org.uk
Sun Dec 2 06:17:00 EST 2007


>If so, why does the available name depend on the `hostname` setting without any change in the DNS?

Because the server picks the acceptor principal to use for incoming connections by resolving the machine's hostname. You can disable this behaviour, and permit any principal[1] whose key is in the default keytab, by using a recent version and setting GSSAPIStrictAcceptorCheck to 'no'.


>Does a ssh client really pass any server name to sshd during GSSAPI negotiation?

Not directly, but the client must pick a service principal for the server. This is selected using the hostname the client is connecting to, as I described.

Simon.

[1] Any principal means anything that has keys in the keytab being used by sshd. Arguably the code should restrict this to only principals for the 'host' service - but I can't see a way of doing this without breaking the GSSAPI abstraction layer. For now, you just need to be careful what keys you put in the default keytab.
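The footnote's practical advice is that, once GSSAPIStrictAcceptorCheck is 'no', every key in sshd's keytab becomes a usable acceptor identity, so the keytab should hold only the host/ principals you intend sshd to answer for. The script below is an added example written for this thread, not code from the post or from OpenSSH: it parses a `klist -k` listing (the sample listing is constructed, not a real keytab) and reports any principal whose service component is not `host`, which is exactly the audit you would run before loosening the acceptor check in sshd_config.

```shell
#!/bin/sh
# Constructed sample of "klist -k" output for illustration; the principals
# and KVNOs are made up and do not describe any real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/alias.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM
   1 HTTP/www.example.com@EXAMPLE.COM
   1 HTTP/www.example.com@EXAMPLE.COM'

# Read a "klist -k" listing on stdin and print each distinct principal whose
# service component (the part before the first "/") is not "host".
# The first three lines of klist -k output are header and separator lines,
# and the same principal appears once per encryption type, hence sort -u.
non_host_principals() {
    awk 'NR > 3 && NF >= 2 {
             split($2, parts, "/")
             if (parts[1] != "host") print $2
         }' | sort -u
}

# Count the non-host principals in the constructed sample. With
# GSSAPIStrictAcceptorCheck set to no, sshd would accept a ticket for any
# of them as a valid service identity, so a non-zero count is worth a look.
count_non_host() {
    printf '%s\n' "$SAMPLE_KLIST" | non_host_principals | wc -l | tr -d ' '
}

# Stand-alone run: list the offenders and exit non-zero if any were found,
# so the script can gate a configuration change in a deployment pipeline.
if [ "$(count_non_host)" != "0" ]; then
    echo "principals in keytab that sshd could accept but are not host/ service keys:"
    printf '%s\n' "$SAMPLE_KLIST" | non_host_principals
fi
```

On a real system you would replace the constructed listing with `klist -k /etc/krb5.keytab` (or the path sshd actually uses) piped into `non_host_principals`; an empty result means the keytab contains only host/ keys and the relaxed acceptor check exposes no extra identities.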