Kerberos 5 and DNS aliases

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Sun Dec 2 07:08:15 EST 2007


Simon Wilkinson wrote:

> >If so, why does the available name depend on the `hostname` setting
> >without any change in the DNS?

> Because the server picks the acceptor principal to use for incoming
> connections by resolving the machine's hostname. You can disable
> this behaviour, and permit any principal[1] whose key is in the
> default keytab by using a recent version, and setting
> GSSAPIStrictAcceptorCheck to 'no' 

The FreeBSD sshd does not seem to have this option. However, I think I
have found an alternative solution after reading the Kerberos FAQ. 

I have created a DNS name for the server with multiple A RRs. If one of
the IP addresses becomes unreachable, the ssh client begins to try
other addresses in turn until it eventually connects. In this setup,
GSSAPI auth always works because the hostname is the same.

I wonder if browsers, MUAs and other client applications are also
expected to try each IP address until success, but this is already
another story.

[dd]

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
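The two mechanisms discussed in this exchange, modelled in Python as an added example (this is not code from the original post, from FreeBSD or from OpenSSH, whose real acceptor check lives in sshd's C sources). acceptor_accepts() follows Simon's description: by default the acceptor principal is host/<hostname()>@REALM, and only a ticket for that principal is accepted; with GSSAPIStrictAcceptorCheck no, any principal whose key is in the default keytab is acceptable. connect_first_reachable() follows Victor's alternative: a single DNS name with several A records, where the client walks the addresses in turn and the GSSAPI target principal stays the same because it is derived from the name, not the address. The realm EXAMPLE.ORG, the host names and the 192.0.2.x addresses are assumptions for illustration; the resolver and connector are injectable so the same code runs against a constructed resolver offline.

```python
"""Model of the acceptor-principal check and of client failover across
multiple A records for one DNS name.  Added example; names and addresses
are constructed, the realm EXAMPLE.ORG is assumed."""
import socket
from typing import Callable, Iterable, List, Tuple

REALM = "EXAMPLE.ORG"  # assumed realm: the post does not name one


def host_principal(fqdn: str, realm: str = REALM) -> str:
    """Host-based service principal the ssh client requests a ticket for.
    It is derived from the name the client connected to, so one DNS name
    with several A records always yields the same target principal."""
    return f"host/{fqdn.rstrip('.').lower()}@{realm}"


def acceptor_accepts(target: str, keytab: Iterable[str], local_hostname: str,
                     strict: bool = True, realm: str = REALM) -> bool:
    """Server-side acceptor check as described in the thread.

    strict=True  models the default: the acceptor principal is
                 host/<hostname()>@REALM and only that target is accepted.
    strict=False models GSSAPIStrictAcceptorCheck no: any principal whose
                 key is present in the default keytab is acceptable.
    In both modes the key must be in the keytab, otherwise the service
    ticket cannot be decrypted at all."""
    if target not in set(keytab):
        return False
    if strict:
        return target == host_principal(local_hostname, realm)
    return True


def _resolve(name: str, port: int) -> List[str]:
    """Default resolver: all addresses for name, in resolver order, deduplicated."""
    addrs: List[str] = []
    for info in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs


def _connect(addr: str, port: int) -> socket.socket:
    """Default connector: one TCP connect attempt; raises OSError on failure."""
    return socket.create_connection((addr, port), timeout=5)


def connect_first_reachable(name: str, port: int = 22,
                            resolver: Callable[[str, int], List[str]] = _resolve,
                            connector: Callable[[str, int], object] = _connect
                            ) -> Tuple[str, object, str]:
    """Client-side failover: try each address of `name` in turn.  Returns the
    address that answered, the connection object and the GSSAPI target
    principal, which is identical whichever address was used."""
    errors = []
    for addr in resolver(name, port):
        try:
            conn = connector(addr, port)
        except OSError as exc:
            errors.append(f"{addr}: {exc}")
            continue
        return addr, conn, host_principal(name)
    raise OSError(f"no address of {name} reachable: " + "; ".join(errors))


if __name__ == "__main__":
    # Constructed scenario: first address down, second answers.
    def fake_resolver(name: str, port: int) -> List[str]:
        return ["192.0.2.10", "192.0.2.11"]

    def fake_connector(addr: str, port: int) -> str:
        if addr == "192.0.2.10":
            raise OSError("connection timed out")
        return f"tcp:{addr}:{port}"

    addr, conn, target = connect_first_reachable(
        "ssh.example.org", 22, fake_resolver, fake_connector)
    print(f"connected via {addr} ({conn}), GSSAPI target {target}")
    keytab = ["host/ssh.example.org@EXAMPLE.ORG"]
    print("strict acceptor check:", acceptor_accepts(target, keytab, "ssh.example.org"))
```

The model makes the constraint behind Victor's setup explicit: whichever address answers, the client asks for host/ssh.example.org, so the server's keytab must hold that principal's key, and in the strict default the machine's hostname must resolve to that same name. Any additional name a client might use needs either its own host/ key plus GSSAPIStrictAcceptorCheck no, or the round-robin arrangement above.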


