Disable name canonicalization for OpenSSH GSSAPI

Joel Johnson mrjoel at lixil.net
Mon Sep 17 22:27:07 EDT 2007


I'm using OpenSSH (4.3p2) on a Linux client to authenticate via GSSAPI with
the gssapi-with-mic SSH mechanism to multiple hosts with an existing
Kerberos infrastructure. The issue I'm having is with a new server which for
various reasons is located on a DSL link with a dynamic IP address. In turn,
I don't have control over the DNS PTR records, so while I have forward
resolution set up properly, I'm unable to set up the correct reverse lookup.
When I attempt to connect to this host with SSH, a ticket request is made
against the KDC for a host ticket using the name obtained by a reverse DNS
lookup name canonicalization which is not defined.

I've found references to the "[libdefaults] rdns = no" entry in krb5.conf,
but I'd rather not set the global setting. Is there any way to disable
reverse DNS on a per host/IP/regex basis?

Thanks for any help,
Joel Johnson


