Disable name canonicalization for OpenSSH GSSAPI

Joel Johnson mrjoel at lixil.net
Mon Sep 17 23:19:26 EDT 2007


On Mon, Sep 17, 2007 at 11:02:16PM -0400, Ken Raeburn wrote:
> >I'm using OpenSSH (4.3p2) on a Linux client to authenticate via GSSAPI with
> >the gssapi-with-mic SSH mechanism to multiple hosts with an existing
> >Kerberos infrastructure. The issue I'm having is with a new server which for
> >various reasons is located on a DSL link with a dynamic IP address. In turn,
> >I don't have control over the DNS PTR records, so while I have forward
> >resolution setup properly, I'm unable to setup the correct reverse lookup.
> >When I attempt to connect to this host with SSH, a ticket request is made
> >against the KDC for a host ticket using the name obtained by a reverse DNS
> >lookup name canonicalization which is not defined.
> 
> If it's the krb5 library doing that, and the reverse lookup fails to  
> get a name, it should use the supplied name (as possibly  
> canonicalized by the getaddrinfo call).  Could the ssh code be doing it?
> 
> If there's a PTR record defined to point to something in the ISP's  
> domain, that would certainly break things in the krb5 library.

That's exactly the case, the reverse lookup doesn't fail, but returns
a hostname completely different from what was requested (instead of
host.lixil.net it provides xx.xx.xx.xx.qwest.net).

> 
> >I've found references to the "[libdefaults] rdns = no" entry in krb5.conf,
> >but I'd rather not set the global setting. Is there any way to disable
> >reverse DNS on a per host/IP/regex basis?
> 
> Unfortunately, no.  But you could try any of:
> 
>  * put the server in question in /etc/hosts, and make sure  
> nsswitch.conf uses it

I did that as a test to verify that disabling reverse would solve the
problem. The problem is that since the IP is susceptible to change it
becomes a maintenance nightmare to keep the hosts file in sync.

>  * create a separate krb5.conf file setting rdns, and set  
> $KRB5_CONFIG to the pathname (or that pathname and the system one,  
> separated by colons, to combine the data in both) when running ssh  
> (or just ssh to that server), if indeed it's the krb5 library code  
> messing up when rdns is enabled

I've verified that with the rdns setting it functions as expected,
while without the rdns entry it breaks. I've additionally verified
this by viewing the host ticket requested on the KDC while SSH stalls.
On the KDC tickets are requested in increasing order of generality,
i.e. first for host/ABQ.QWEST.NET at REALM and then host/QWEST.NET at REALM.
The problem is that the PTR record exists and resolves properly, but
it is not at all what is to be expected.

>  * figure out what name the krb5 code thinks the host goes by, give  
> it service keys under that name, and add a domain_realm mapping that  
> hostname into your realm

Also fairly ugly, but could be lightened a bit with some manual realm
mappings... I'll have to think about this one, but I'll just leave
the rdns disabled for now.

Thanks for the input and verifying what I thought.

Joel
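
The per-invocation KRB5_CONFIG approach that Ken suggests and Joel verified above, written out as a small wrapper. This is an added example, not code from either poster. It assumes MIT krb5 behaviour as described in the thread (an `rdns` setting under `[libdefaults]`, and `KRB5_CONFIG` accepting a colon-separated list of files whose contents are combined); the host pattern `*.lixil.net`, the override file location and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: disable Kerberos reverse-DNS canonicalization for selected
# hosts only, by pointing KRB5_CONFIG at an override file plus the system
# krb5.conf just for the ssh invocation. Not part of the original thread.

# Hosts for which reverse DNS must be ignored (pattern constructed for this
# example; adjust to taste). Matched with shell globbing in krb5_config_for_host.
SYSTEM_KRB5_CONF=/etc/krb5.conf

# Override file written on demand; lives in TMPDIR (or /tmp) for the example.
RDNS_OFF_CONF="${TMPDIR:-/tmp}/krb5-rdns-off.conf"

# Write the minimal krb5.conf fragment that turns reverse lookups off.
# Prints the path of the file written.
write_rdns_off_conf() {
    cat > "$RDNS_OFF_CONF" <<'EOF'
[libdefaults]
    rdns = no
EOF
    printf '%s\n' "$RDNS_OFF_CONF"
}

# Decide the KRB5_CONFIG value for one host: for hosts behind a bad PTR
# record, the override file first and the system file second (colon
# separated, so both are read); for everything else the system file alone,
# which keeps the global rdns default untouched.
krb5_config_for_host() {
    case "$1" in
        *.lixil.net)
            printf '%s:%s\n' "$RDNS_OFF_CONF" "$SYSTEM_KRB5_CONF"
            ;;
        *)
            printf '%s\n' "$SYSTEM_KRB5_CONF"
            ;;
    esac
}

# Wrapper around ssh: the last argument is assumed to be the destination
# (optionally user@host); a leading user part is stripped before matching.
# Usage: ssh_with_rdns_policy -v user@host.lixil.net
ssh_with_rdns_policy() {
    last=
    for last in "$@"; do :; done
    host="${last#*@}"
    write_rdns_off_conf >/dev/null
    KRB5_CONFIG="$(krb5_config_for_host "$host")" ssh "$@"
}
```

Because KRB5_CONFIG is set only in the environment of that one ssh process, other Kerberos clients on the machine keep the global setting, and the override needs no entry in /etc/hosts, so a change of the server's dynamic address requires no maintenance on the client.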
