Disabling reverse dns lookups

Sam Hartman hartmans at MIT.EDU
Fri Nov 30 12:25:23 EST 2007


>>>>> "Andrew" == Andrew Cobaugh <phalenor at gmail.com> writes:

    Andrew> I've seen this discussed before, but I'm having some
    Andrew> trouble.  My situation is that I have sshd behind a
    Andrew> NAT. The public IP has an A record from one of my domain
    Andrew> names, but I have no control over the PTR record, as this
    Andrew> is a cable modem connection, so the ISP controls that.
    Andrew> So, the client goes to do a reverse dns lookup on the IP
    Andrew> address, and gets the PTR record provided by the ISP,
    Andrew> which breaks gssapi-with-mic.

    Andrew> I have tried setting "rdns = false" under [libdefaults] in
    Andrew> /etc/krb5.conf on the client, yet this doesn't seem to
    Andrew> have had any effect. I'm at a loss as to why.

    Andrew> The client is Kerberos 1.6.2 (krb5-libs-1.6.2-9.fc8) on
    Andrew> Fedora 8, sshd is on Solaris 10u3 with Kerberos 1.6, and
    Andrew> KDC is also Kerberos 1.6.

    Andrew> Any pointers to why the rdns setting isn't working are
    Andrew> greatly appreciated.

There's some "magic" in the later ssh patches regarding this.
You need to set an ssh option as well.
GssapiTrustDNS no
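
To make the reply concrete, here is a small model of the two places DNS gets consulted when an ssh client picks the host/... service principal. It is an added illustration written for this thread, not MIT krb5 or OpenSSH code; the host names, address, realm and keytab contents are constructed for the example, and the two canonicalisation functions are a simplification of what the ssh client (GSSAPITrustDNS) and the Kerberos library (rdns) actually do. The point it shows is that the library step runs no matter what ssh does, so switching off only one of the two settings still leaves the ISP's PTR name in the principal.

```python
# Added illustration for this thread (not MIT krb5 or OpenSSH code): a
# simplified model of how the ssh client and the Kerberos library each
# consult DNS when choosing the host/... service principal, showing why
# an ISP-controlled PTR record breaks gssapi-with-mic and why both
# GSSAPITrustDNS and rdns have to be turned off.  All names, addresses,
# the realm and the keytab below are constructed for the example.

REALM = "EXAMPLE.COM"

# Constructed DNS data: the A record is ours, the PTR record is the ISP's.
FORWARD = {"ssh.example.com": "203.0.113.10"}
REVERSE = {"203.0.113.10": "cpe-203-0-113-10.isp.example.net"}

# Constructed keytab on the sshd host: only our own name has a key.
KEYTAB = {"host/ssh.example.com@EXAMPLE.COM"}


def library_canonicalize(name, rdns):
    """Model of the Kerberos library's host canonicalisation: forward-
    resolve the name and, when rdns is on, replace it with the PTR name
    of the resulting address.  With rdns off the forward name is kept."""
    name = name.lower()
    ip = FORWARD.get(name)
    if ip is None:
        return name                    # no A record: use the name as given
    if rdns:
        return REVERSE.get(ip, name)   # whoever owns the PTR picks the name
    return name


def ssh_target_host(typed_host, gssapi_trust_dns):
    """Model of the ssh client's own step: with GSSAPITrustDNS yes it
    hands the library the reverse-resolved name of the peer address;
    with no it passes the name the user typed untouched."""
    if gssapi_trust_dns:
        return library_canonicalize(typed_host, rdns=True)
    return typed_host


def service_principal(typed_host, gssapi_trust_dns, rdns, realm=REALM):
    """Principal the client will ask the KDC for a service ticket to."""
    host = ssh_target_host(typed_host, gssapi_trust_dns)
    return "host/%s@%s" % (library_canonicalize(host, rdns), realm)


def gssapi_would_succeed(typed_host, gssapi_trust_dns, rdns):
    """True only if sshd holds a key for the principal the client chose."""
    return service_principal(typed_host, gssapi_trust_dns, rdns) in KEYTAB


if __name__ == "__main__":
    for trust in (True, False):
        for rdns in (True, False):
            print("GSSAPITrustDNS=%-3s rdns=%-5s -> %s (%s)" % (
                "yes" if trust else "no", rdns,
                service_principal("ssh.example.com", trust, rdns),
                "ok" if gssapi_would_succeed("ssh.example.com", trust, rdns)
                else "no key in keytab"))
```

Only the combination GSSAPITrustDNS=no plus rdns=false yields host/ssh.example.com@EXAMPLE.COM, the one principal the sshd keytab actually has; every other combination asks the KDC for a ticket to the ISP's cpe-... name. The corresponding settings are `rdns = false` under `[libdefaults]` in /etc/krb5.conf on the client and `GSSAPITrustDNS no` in ~/.ssh/config or /etc/ssh/ssh_config (ssh_config keywords are matched case-insensitively, so the spelling in the reply above works too). Beyond the NAT case, the same model shows the security side of the setting: a client that trusts DNS lets whoever controls a PTR record choose which service key it will accept.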



More information about the Kerberos mailing list