Disable name canonicalization for OpenSSH GSSAPI
Ken Raeburn
raeburn at MIT.EDU
Mon Sep 17 23:02:16 EDT 2007
On Sep 17, 2007, at 22:27, Joel Johnson wrote:
> I'm using OpenSSH (4.3p2) on a Linux client to authenticate via
> GSSAPI with
> the gssapi-with-mic SSH mechanism to multiple hosts with an existing
> Kerberos infrastructure. The issue I'm having is with a new server
> which for
> various reasons is located on a DSL link with a dynamic IP address.
> In turn,
> I don't have control over the DNS PTR records, so while I have forward
> resolution setup properly, I'm unable to setup the correct reverse
> lookup.
> When I attempt to connect to this host with SSH, a ticket request
> is made
> against the KDC for a host ticket using the name obtained by a
> reverse DNS
> lookup name canonicalization which is not defined.
If it's the krb5 library doing that, and the reverse lookup fails to
get a name, it should use the supplied name (as possibly
canonicalized by the getaddrinfo call). Could the ssh code be doing it?
If there's a PTR record defined to point to something in the ISP's
domain, that would certainly break things in the krb5 library.
> I've found references to the "[libdefaults] rdns = no" entry in
> krb5.conf,
> but I'd rather not set the global setting. Is there any way to disable
> reverse DNS on a per host/IP/regex basis?
Unfortunately, no. But you could try any of:
* put the server in question in /etc/hosts, and make sure
nsswitch.conf uses it
* create a separate krb5.conf file setting rdns, and set
$KRB5_CONFIG to the pathname (or that pathname and the system one,
separated by colons, to combine the data in both) when running ssh
(or just ssh to that server), if indeed it's the krb5 library code
messing up when rdns is enabled
* figure out what name the krb5 code thinks the host goes by, give
it service keys under that name, and add a domain_realm mapping that
hostname into your realm
Ken
More information about the Kerberos
mailing list