Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
Mathew Rowley
mathew_rowley at cable.comcast.com
Thu Mar 12 22:03:45 EDT 2009
The problem was actually in the sshd_config, it had the ‘useDNS’ line
commented out. Switching it to yes fixed the problem.
MAT
On 3/12/09 3:12 PM, "Douglas E. Engert" <deengert at anl.gov> wrote:
> I bet you have an .ssh/config or in the ssh_config
> with a Host section with HostName 10.52.152.77
> If so ssh might be mapping the name you gave
> into a string with the numbers. And this is being passed
> to Kerberos.
>
> Douglas E. Engert wrote:
>> >
>> > Mathew Rowley wrote:
>>> >> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>>> >> to a RH4 box, I get the following error from ssh:
>>> >>
>>> >> ...
>>> >> debug1: Authentications that can continue:
>>> >> publickey,gssapi-with-mic,password,keyboard-interactive
>>> >> debug1: Next authentication method: gssapi-with-mic
>>> >> debug1: Unspecified GSS failure. Minor code may provide more information
>>> >> Server not found in Kerberos database
>>> >>
>>> >> debug1: Unspecified GSS failure. Minor code may provide more information
>>> >> Server not found in Kerberos database
>>> >> ...
>>> >>
>>> >> When looking at the krb5kdc.log I see:
>>> >>
>>> >> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>>> >> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>>> >> 1236809289, red at COMCAST.NET for host/10.252.152.77 at COMCAST.NET, Server not
>>> >> found in Kerberos database
>>> >> krb5kdc: Interrupted system call - while selecting for network input(1)
>>> >>
>>> >> It seems like the box I am trying to ssh to is sending ‘host/10.242.142.77’
>>> >> instead of what I expected ‘host/rsa01.security.lab.comcast.net’. Does
>>> >> anyone have any idea why this would be happening? I have the exact same
>>> >> configurations on RH5 boxes that will work properly and send host/FQDN...
>> >
>> > On the client, what is the ssh command you type in?
>> > What is in the /etc/hosts file?
>> > What is in the krb5.conf file?
>> > Is nsswitch.conf mapping any hosts?
>> > What does nslookup rsa01.security.lab.comcast.net show?
>> >
>> > Is this a private network?
>> > Are your DNS servers doing something special and actually returning
>> > the name as 10.242.142.77?
>> >
>> > A Wireshark trace might show what DNS is doing here.
>> >
>> >
>> >
>>> >> Thanks.
>>> >>
>> >
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
--
MAT
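
Added example, not part of the original thread: a small Python filter for the symptom seen in the krb5kdc.log excerpt above, a TGS_REQ that fails with UNKNOWN_SERVER because the requested host principal carries an IP address instead of an FQDN. The sample log lines, realm and addresses are constructed, and the regular expression assumes the failure-line layout shown in the thread with a literal @ in principal names.

```python
import ipaddress
import re

# Failure-line layout assumed from the thread's excerpt:
# "TGS_REQ (...) <addr>: <ERR>: authtime N, <client> for <service>, <text>"
TGS_FAIL = re.compile(
    r"TGS_REQ .*?: (?P<err>[A-Z_]+): authtime \d+,\s+"
    r"(?P<client>\S+) for (?P<service>[^,\s]+),"
)

# Constructed sample lines (documentation addresses and realm, not real data).
SAMPLE = [
    "Mar 11 22:59:09 kdc01.example.test krb5kdc[17694](info): TGS_REQ "
    "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.78: UNKNOWN_SERVER: authtime "
    "1236809289, alice@EXAMPLE.TEST for host/192.0.2.77@EXAMPLE.TEST, "
    "Server not found in Kerberos database",
    "Mar 11 23:01:10 kdc01.example.test krb5kdc[17694](info): TGS_REQ "
    "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.78: UNKNOWN_SERVER: authtime "
    "1236809289, alice@EXAMPLE.TEST for host/typo01.example.test@EXAMPLE.TEST, "
    "Server not found in Kerberos database",
    "Mar 11 23:02:44 kdc01.example.test krb5kdc[17694](info): TGS_REQ "
    "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.78: ISSUE: authtime 1236809289, "
    "etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for "
    "host/rsa01.example.test@EXAMPLE.TEST",
]


def ip_literal_spns(lines):
    """Return (client, service) pairs for UNKNOWN_SERVER requests whose
    service principal instance is an IP literal rather than a hostname."""
    hits = []
    for line in lines:
        m = TGS_FAIL.search(line)
        if not m or m.group("err") != "UNKNOWN_SERVER":
            continue
        service = m.group("service")
        # Strip the realm, then split "host/<instance>" into its two parts.
        parts = service.rsplit("@", 1)[0].split("/", 1)
        if len(parts) != 2:
            continue
        try:
            ipaddress.ip_address(parts[1])  # accepts IPv4 and IPv6 literals
        except ValueError:
            continue  # a hostname: unknown principal, but not this symptom
        hits.append((m.group("client"), service))
    return hits


if __name__ == "__main__":
    for client, service in ip_literal_spns(SAMPLE):
        print(f"{client} requested {service}: name was not resolved to an FQDN")
```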