"Hostname cannot be canonicalized": is it possible to use gssapi-with-mic with SSH ProxyCommand

Jonathan Simms slyphon at gmail.com
Sun Sep 26 00:07:01 EDT 2010


I'm trying to set up a kerberos infrastructure at work, and currently
(unfortunately) because of policy, we need to have SSH "jump boxes" to
gain access to systems "on the inside". This requires fairly involved
ssh configs, with entries like the following:

Host inside-host
   ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"

With ssh public-key this works fine, but when I change my config to
use gssapi-with-mic, login fails with the message: "Hostname cannot be
canonicalized". Login to the jump-box using GSSAPI succeeds, and I'm
able to forward my credentials, however it seems that the inside box
is unhappy.

I've configured the .ssh/config files of both my starting box and the
jump box with the options:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDns yes

I also tried setting (in krb5.conf):

[libdefaults]
rdns = false

Which seemed to have no effect.


Does anyone know if what I'm trying to do is possible?

-Jonathan
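Added example, not part of Jonathan's post: a small Python model of the two things that decide which Kerberos service principal the client on the starting box asks for when it goes through the ProxyCommand. First, `%h` in a ProxyCommand expands to the `HostName` option if one is set, otherwise to the `Host` alias itself, so in the configuration quoted above ssh authenticates (via GSSAPI) to the bare name `inside-host` even though `nc` connects to `inside-host.inside.domain`. Second, a simplified stand-in for the Kerberos client's host canonicalization (an assumption about its shape, not libkrb5's exact code): forward-resolve the name, optionally reverse-resolve the address when `rdns` is on, and build `host/<canonical-name>@REALM`; a name that does not resolve at all produces the "Hostname cannot be canonicalized" condition. DNS is replaced by constructed in-memory tables and the realm `EXAMPLE.COM` is made up, so the script runs offline.

```python
"""Model of ProxyCommand token expansion and Kerberos host canonicalization.
Added illustration; the DNS tables, realm and config variants are constructed."""


class CanonicalizationError(Exception):
    """Raised when the target name cannot be turned into a canonical FQDN."""


# Constructed view of DNS from the starting box (outside): it knows the jump
# box but nothing in the private inside.domain zone.
OUTSIDE_DNS = {
    "forward": {"jump-box.example.com": "203.0.113.10"},
    "reverse": {"203.0.113.10": "jump-box.example.com"},
}

# Constructed view of DNS from the jump box (inside). The PTR record for the
# inside host deliberately differs from its A record name to show what rdns does.
INSIDE_DNS = {
    "forward": {
        "jump-box.example.com": "203.0.113.10",
        "inside-host.inside.domain": "10.0.0.5",
    },
    "reverse": {
        "203.0.113.10": "jump-box.example.com",
        "10.0.0.5": "node5.inside.domain",
    },
}

# The configuration quoted in the post.
ORIGINAL_CONFIG = """
Host inside-host
   ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
"""

# A constructed variant that names the FQDN explicitly so %h carries it.
FQDN_CONFIG = """
Host inside-host
   HostName inside-host.inside.domain
   ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
"""


def parse_ssh_config(text):
    """Minimal ssh_config parser: {alias: {option_lowercase: value}}.
    Assumes one value per option and no Match blocks."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return hosts


def expand_proxy_tokens(host_cfg, alias, port=22):
    """Return (target_name, expanded ProxyCommand). %h is HostName when set,
    otherwise the Host alias; %p is the port."""
    target = host_cfg.get("hostname", alias)
    cmd = host_cfg["proxycommand"].replace("%h", target).replace("%p", str(port))
    return target, cmd


def canonicalize_host(name, dns, rdns=True):
    """Simplified model of Kerberos host canonicalization (assumption): the
    name must forward-resolve; with rdns on, the address is reverse-resolved
    and that name wins."""
    name = name.lower()
    addr = dns["forward"].get(name)
    if addr is None:
        raise CanonicalizationError(f"Hostname cannot be canonicalized: {name}")
    if rdns:
        return dns["reverse"].get(addr, name)
    return name


def service_principal(name, dns, realm, rdns=True):
    """Service principal the client will request a ticket for."""
    return f"host/{canonicalize_host(name, dns, rdns)}@{realm}"


def scenario(config_text, alias, dns, realm="EXAMPLE.COM", rdns=True):
    """Walk one configuration through token expansion and canonicalization."""
    target, cmd = expand_proxy_tokens(parse_ssh_config(config_text)[alias], alias)
    result = {"target": target, "proxy": cmd, "principal": None, "error": None}
    try:
        result["principal"] = service_principal(target, dns, realm, rdns)
    except CanonicalizationError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, cfg, dns, rdns in [
        ("original config, outside DNS, rdns on", ORIGINAL_CONFIG, OUTSIDE_DNS, True),
        ("original config, inside DNS, rdns off", ORIGINAL_CONFIG, INSIDE_DNS, False),
        ("FQDN config, inside DNS, rdns on", FQDN_CONFIG, INSIDE_DNS, True),
        ("FQDN config, inside DNS, rdns off", FQDN_CONFIG, INSIDE_DNS, False),
    ]:
        print(label, "->", scenario(cfg, "inside-host", dns, rdns=rdns))
```

The first two scenarios fail in the model because the name ssh actually authenticates to is the bare alias `inside-host`, which is not in either table; only `nc` ever sees the `.inside.domain` suffix. The last two succeed and differ only in the host part of the principal, which is what the `rdns` setting governs: with reverse lookup on, the PTR name `node5.inside.domain` is used, with it off, the forward name is kept.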