Kerberos 5 and DNS aliases
Jacob Welsh
welshjf at gmail.com
Sun Dec 2 13:48:18 EST 2007
Simon Wilkinson wrote:
>> If so, why does the available name depend on the `hostname` setting without any change in the DNS?
>>
>
> Because the server picks the acceptor principal to use for incoming connections by resolving the machine's hostname. You can disable this behaviour, and permit any principal[1] whose key is in the default keytab by using a recent version, and setting GSSAPIStrictAcceptorCheck to 'no'
>
This appears to be only supported through your patch
(http://www.sxw.org.uk/computing/patches/openssh.html). Are there plans
for including this option in mainline openssh soon?
-Jacob
More information about the Kerberos
mailing list