gssapi auth, and multihomed multinamed hosts

petesea@bigfoot.com petesea at bigfoot.com
Wed Jun 6 23:19:32 EDT 2007


On Wed, 6 Jun 2007, eirvine at tpg.com.au wrote:

> I have a Solaris 10 server with two ip addresses: "fixed.example.com" 
> and "float.example.com". The latter is an IP address that the server 
> sometimes assumes as part of its role in a high-availability cluster.
>
> I have compiled my own openssh+gssapi version of sshd, and have got
> ssh single-sign-on working fine (both Windows SecureCRT, a patched
> version of PuTTY, and also the Unix OpenSSH clients). So far so good.
>
> It is now time to get gssapi auth working with the
> "float.example.com" address.
>
> Can I expect to just add the keytab for "float.example.com" into 
> /etc/krb5.keytab and expect everything to be OK?

You may need to set GSSAPIStrictAcceptorCheck=no in sshd_config, which I 
believe is only available with the GSSAPI Key Exchange patch for OpenSSH 
4.4p1 or higher.

Then, as you already mentioned, make sure the host principals for both 
fixed.example.com and float.example.com are in /etc/krb5.keytab.
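
A check for the two settings named in this reply, added here as an example and not part of the original post: it reads keytab listing text and sshd_config text, then reports missing host principals and the effective GSSAPIStrictAcceptorCheck value. The function names, the sample listing (MIT klist -k layout), the sample config and the EXAMPLE.COM realm are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample: klist -k output in MIT layout; EXAMPLE.COM is a placeholder realm.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fixed.example.com@EXAMPLE.COM
   2 host/float.example.com@EXAMPLE.COM'

# Constructed sshd_config fragment with the option given twice, in two spellings.
SAMPLE_SSHD='# GSSAPI settings
GSSAPIAuthentication yes
gssapistrictacceptorcheck=no
GSSAPIStrictAcceptorCheck yes'

# missing_host_principals KLIST_TEXT HOST...
# Prints each host with no host/<fqdn>@REALM entry; returns 1 if any is missing.
missing_host_principals() {
    listing=$1; shift
    rc=0
    for h in "$@"; do
        if ! printf '%s\n' "$listing" |
            awk -v want="host/$h@" \
                '$1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$h"; rc=1
        fi
    done
    return $rc
}

# strict_acceptor_check CONFIG_TEXT
# Prints the effective global value. sshd uses the first value it reads for a
# keyword, keywords are case-insensitive, and "=" may separate keyword and value.
# Lines after the first Match block are ignored; "yes" is the documented default.
strict_acceptor_check() {
    printf '%s\n' "$1" | awk '
        { line = $0; sub(/#.*/, "", line); gsub(/=/, " ", line); n = split(line, f, " ") }
        n == 0 { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "gssapistrictacceptorcheck" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "yes" }'
}

main() {
    missing=$(missing_host_principals "$SAMPLE_KLIST" fixed.example.com float.example.com) || true
    echo "missing host principals: ${missing:-none}"
    echo "effective GSSAPIStrictAcceptorCheck: $(strict_acceptor_check "$SAMPLE_SSHD")"
}
main
```

On a real host, pass `"$(klist -k /etc/krb5.keytab)"` and the contents of sshd_config in place of the samples.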


