ssh to IP literal

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Mon Dec 13 01:52:08 EST 2010


Russ Allbery wrote:
> > Is it a bad thing to use IP literals as Kerberos principals?

> Well, it poses a problem for domain to realm mappings, as you've seen.

> > However, I am curious. When I try to "ssh user at 10.14.134.5", a very
> > strange ticket is being requested from the KDC:

> > 2010-12-13T09:14:15 TGS-REQ sudakov at SIBPTUS.TOMSK.RU from IPv4:10.14.134.125 for krbtgt/14.134.5 at SIBPTUS.TOMSK.RU
> > 2010-12-13T09:14:15 Server not found in database: krbtgt/14.134.5 at SIBPTUS.TOMSK.RU: No such entry in the database
> > 2010-12-13T09:14:15 Failed building TGS-REP to IPv4:10.14.134.125

> > What exactly is "krbtgt/14.134.5" ? Why only the last 3 octets of the
> > address?

> Kerberos implementations tend to assume that they're dealing with
> hostnames, so their algorithm of last resort to figure out what realm
> should be used to contact a host is to get rid of the part before the
> first period (the "hostname") and hope the rest is a Kerberos realm.  This
> obviously doesn't work with IP addresses, so you get the above failed
> attempt at a cross-realm authentication to a weird realm.

I still don't quite understand why it should try to contact a weird
realm while I have 

[libdefaults]
 default_realm = SIBPTUS.TOMSK.RU

in /etc/krb5.conf. Shouldn't it request a ticket for
host/10.14.134.5 at SIBPTUS.TOMSK.RU by default?

> If you add an explicit domain_realm mapping for each IP address to the
> [domain_realm] section of your krb5.conf file, it will probably work, but
> it's generally a much better idea to use real host names (possibly in some
> private domain ending in .local or some similar marker).

I agree in general, but DNS is sometimes yet another point of failure.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
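The heuristic Russ describes, and the fix he suggests, can be modelled in a few lines. The following Python is an added illustration, not code from the thread or from any Kerberos implementation: it parses a constructed krb5.conf fragment, resolves a host to a realm the way a client library does, and prints the principal the first TGS-REQ would ask for. The lookup order (exact host, then parent domains with a leading dot, then "drop the first label and upper-case the rest") is an assumption modelled on MIT krb5's documented [domain_realm] matching; the KDC in the thread appears to be Heimdal, but the fallback is the one Russ describes and it reproduces the krbtgt/14.134.5 entry from the log.

```python
import re

# Constructed krb5.conf fragments (not from the original post). The first has
# no entry for the IP literal; the second adds the explicit mapping Russ suggests.
BROKEN_CONF = """
[libdefaults]
 default_realm = SIBPTUS.TOMSK.RU

[domain_realm]
 .sibptus.tomsk.ru = SIBPTUS.TOMSK.RU
 sibptus.tomsk.ru = SIBPTUS.TOMSK.RU
"""

FIXED_CONF = BROKEN_CONF + " 10.14.134.5 = SIBPTUS.TOMSK.RU\n"


def parse_sections(text):
    """Minimal krb5.conf parser: {section: {key: value}} (no nested braces)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip().lower()] = value.strip()
    return sections


def host_to_realm(host, domain_realm):
    """Map a host name (or IP literal) to a realm via [domain_realm].

    Assumed lookup order: exact host, then each parent domain with a leading
    dot, then the fallback Russ describes: drop the first label and treat the
    upper-cased remainder as the realm. For an IP literal that remainder is
    the last three octets, which is where "14.134.5" comes from.
    """
    host = host.lower().rstrip('.')
    if host in domain_realm:
        return domain_realm[host], 'exact'
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix], 'suffix ' + suffix
    if len(labels) > 1:
        return '.'.join(labels[1:]).upper(), 'fallback'
    return None, 'unmapped'


def tgs_target(service, host, client_realm, conf_text):
    """Principal the client asks its own KDC for first when reaching service/host."""
    sections = parse_sections(conf_text)
    realm, how = host_to_realm(host, sections.get('domain_realm', {}))
    if realm is None:
        realm = sections.get('libdefaults', {}).get('default_realm', client_realm)
    if realm == client_realm:
        return f"{service}/{host}@{client_realm}", how
    # A different realm means the first TGS-REQ is for a cross-realm TGT,
    # i.e. krbtgt/<remote realm>@<client realm>, as in the KDC log above.
    return f"krbtgt/{realm}@{client_realm}", how


if __name__ == '__main__':
    for name, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        for host in ('10.14.134.5', 'mail.sibptus.tomsk.ru', 'db.other.example'):
            target, how = tgs_target('host', host, 'SIBPTUS.TOMSK.RU', conf)
            print(f"{name:6} {host:24} -> {target}  ({how})")
```

With BROKEN_CONF the IP literal falls through to the fallback and the client asks for krbtgt/14.134.5@SIBPTUS.TOMSK.RU, which the KDC rejects with "Server not found in database"; with FIXED_CONF the exact-match entry wins and the request becomes host/10.14.134.5@SIBPTUS.TOMSK.RU. Note that default_realm never enters the picture as long as the fallback produces some realm, which is why the explicit per-address mapping is needed, and why every address used this way has to be listed individually.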
