ssh to IP literal
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Tue Dec 21 00:28:41 EST 2010
Russ Allbery wrote:
[dd]
> > And another question. If a Kerberos-enabled server has several
> > principals in its keytab, how exactly does it decide which one to
> > use?
> It uses whatever one the client uses, in general. There are some services
> that limit what principals they'll accept to only that one principal that
> matches what the service thinks is the local hostname, but given how many
> problems this causes, an increasing number of services will accept any
> principal found in the system keytab.
How does a service figure out the local hostname? I have a feeling
that some daemons (e.g. sshd) don't look at `hostname` but use a PTR
record for the address of one of the interfaces. If there is no
reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.
For the present, I am not sure if the PTR record could be replaced by
an /etc/hosts entry on the server itself. I've had many irritating
cases of being unable to use GSSAPIAuthentication in sshd because of
incongruous DNS.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
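
Added example, not part of the original message and not code from Kerberos or OpenSSH: a check for the kind of incongruity discussed above, comparing a host's name, the PTR records of its addresses, and the `host/` principals in its keytab. The function names, the sample keytab entries and the example.org addresses are constructed; on a real host the principal list would come from `klist -k`.

```python
import socket

def host_principals(keytab_principals):
    """Hostnames (lowercased) of the host/<name>@REALM entries in a keytab listing."""
    return {p.split("/", 1)[1].split("@", 1)[0].lower()
            for p in keytab_principals if p.startswith("host/")}

def _forward(name):   # address lookup via the system resolver
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
def _reverse(addr):   # reverse (PTR) lookup via the system resolver
    return socket.gethostbyaddr(addr)[0]

def check_host(local_name, keytab_principals, forward=_forward, reverse=_reverse):
    """Return a list of mismatches between hostname, PTR records and keytab."""
    local = local_name.lower().rstrip(".")
    in_keytab = host_principals(keytab_principals)
    findings = []
    if local not in in_keytab:
        findings.append(f"no host/{local} principal in keytab")
    try:
        addrs = forward(local)
    except OSError:                      # socket.gaierror is a subclass of OSError
        return findings + [f"{local}: does not resolve"]
    for addr in addrs:
        try:
            ptr = reverse(addr).lower().rstrip(".")
        except OSError:                  # socket.herror: no reverse mapping
            findings.append(f"{addr}: no PTR record")
            continue
        if ptr != local:
            findings.append(f"{addr}: PTR {ptr} differs from hostname {local}")
            if ptr not in in_keytab:
                findings.append(f"{addr}: no host/{ptr} principal in keytab")
    return findings

# Constructed sample data: one address with a matching PTR, one with none.
SAMPLE_KEYTAB = ["host/shell.example.org@EXAMPLE.ORG", "nfs/shell.example.org@EXAMPLE.ORG"]
SAMPLE_A = {"shell.example.org": ["192.0.2.10", "192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": "shell.example.org"}

def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise socket.herror("no PTR")
    return SAMPLE_PTR[addr]

if __name__ == "__main__":
    for line in check_host("shell.example.org", SAMPLE_KEYTAB, SAMPLE_A.__getitem__, sample_reverse):
        print(line)
```

Called with only a hostname and a principal list, `check_host` uses the live resolver instead of the sample tables.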