ssh to IP literal

Greg Hudson ghudson at MIT.EDU
Tue Dec 21 11:29:35 EST 2010


On Tue, 2010-12-21 at 00:28 -0500, Victor Sudakov wrote:
> How does a service figure out the local hostname?

When they specify one at all, they generally call gethostname(), which
the library canonicalizes through a forward and reverse name lookup.
(The reverse part can be suppressed by setting rdns = false in
[libdefaults] in krb5.conf.)

> I have a feeling
> that some daemons (e.g. sshd) don't look at `hostname` but use a PTR
> record for the address of one of the interfaces. If there is no
> reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.

Stock OpenSSH calls gethostbyname().

OpenSSH with Simon's patches (as packaged in Debian, for instance) can
be configured to pass no hostname, by setting "GSSStrictAcceptorCheck
no" in sshd_config.  If you set this option, be aware that the client
will be able (in theory) to authenticate to sshd using any service
principal in your keytab, not just the host principal you'd expect.  In
most scenarios this is not a problem.

> For the present, I am not sure if the PTR record could be replaced by
> an /etc/hosts entry on the server itself. I've had many irritating
> cases of being unable to use GSSAPIAuthentication in sshd because of
> incongruous DNS.

None of the code in question insists on using DNS, so /etc/hosts entries
should be fine as long as NSS (or equivalent) is configured to use it.

(For a discussion of ways we might improve this situation within krb5,
see: http://mailman.mit.edu/pipermail/krbdev/2010-August/009363.html )
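The canonicalization described above, as an added example that is not code from this thread, from krb5 or from OpenSSH: gethostname() is passed through a forward lookup (AI_CANONNAME) and then, unless rdns is disabled, a reverse lookup of the first address, all via NSS so that /etc/hosts entries count. The realm EXAMPLE.COM is a placeholder.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/socket.h>

/* Forward lookup of `name`, then (if rdns != 0) a reverse lookup of the
 * first address, mirroring what "rdns = false" in [libdefaults] turns off.
 * Both steps go through NSS, so an /etc/hosts entry satisfies them when
 * nsswitch.conf lists "files". Returns 0 on success, -1 on lookup failure. */
int canonicalize_host(const char *name, int rdns, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    char rev[NI_MAXHOST];
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_CANONNAME;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -1;
    const char *canon = res->ai_canonname ? res->ai_canonname : name;
    int rc = 0;
    if (rdns) {
        /* NI_NAMEREQD: fail instead of falling back to the numeric address,
         * which is the "incongruous DNS" failure the thread complains about */
        if (getnameinfo(res->ai_addr, res->ai_addrlen, rev, sizeof rev,
                        NULL, 0, NI_NAMEREQD) == 0)
            canon = rev;
        else
            rc = -1;
    }
    if (rc == 0)
        snprintf(out, outlen, "%s", canon);
    freeaddrinfo(res);
    return rc;
}

/* Build host/<fqdn>@REALM; krb5 lowercases the hostname component. */
void build_host_principal(const char *canon, const char *realm,
                          char *out, size_t outlen)
{
    snprintf(out, outlen, "host/%s@%s", canon, realm);
    for (char *p = out + 5; *p && *p != '@'; p++)
        *p = (char)tolower((unsigned char)*p);
}

int main(void)
{
    char host[256], canon[NI_MAXHOST], princ[NI_MAXHOST + 64];
    if (gethostname(host, sizeof host) != 0) return 1;
    for (int rdns = 0; rdns <= 1; rdns++) {
        if (canonicalize_host(host, rdns, canon, sizeof canon) != 0) {
            printf("rdns=%d: lookup failed for %s\n", rdns, host);
            continue;
        }
        build_host_principal(canon, "EXAMPLE.COM", princ, sizeof princ);
        printf("rdns=%d: %s\n", rdns, princ);
    }
    return 0;
}
```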
