"Hostname cannot be canonicalized": is it possible to use gssapi-with-mic with SSH ProxyCommand
Jonathan Simms
slyphon at gmail.com
Sun Sep 26 00:07:01 EDT 2010
I'm trying to set up a kerberos infrastructure at work, and currently
(unfortunately) because of policy, we need to have SSH "jump boxes" to
gain access to systems "on the inside". This requires fairly involved
ssh configs, with entries like the following:
Host inside-host
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
With ssh public-key this works fine, but when I change my config to
use gssapi-with-mic, login fails with the message: "Hostname cannot be
canonicalized". Login to the jump-box using GSSAPI succeeds, and I'm
able to forward my credentials, however it seems that the inside box
is unhappy.
I've configured the .ssh/config files of both my starting box and the
jump box with the options:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDns yes
I also tried setting (in krb5.conf):
    [libdefaults]
        rdns = false
Which seemed to have no effect.
Does anyone know if what I'm trying to do is possible?
-Jonathan
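The following ssh_config fragment is an added example, not part of the post above and not a reply from the list. It assumes the usual mechanism behind this error: for GSSAPI the client builds the target service principal host/FQDN@REALM from the host name it was given, and the Kerberos library must resolve that name locally to canonicalize it. With a ProxyCommand the client's socket is a pipe to the proxy, not a TCP connection to the inside host, so reverse-DNS-based canonicalization (GSSAPITrustDns) has nothing to work with, and a bare alias such as "inside-host" cannot be resolved from the outside either. The names jump-box.example.com, inside-host.inside.domain, the address 10.0.0.5 and the realm INSIDE.DOMAIN are placeholders.

```text
# ~/.ssh/config (added example; hostnames, address and realm are assumptions)

# Jump box: reached directly, so normal GSSAPI canonicalization works.
Host jump-box.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Inside host: give ssh the FQDN the service principal is registered under
# (host/inside-host.inside.domain@INSIDE.DOMAIN), and do not ask ssh to
# derive the name from the connection (there is no TCP peer behind a
# ProxyCommand, only the proxy's stdin/stdout).
Host inside-host
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns no

# The client still has to resolve inside-host.inside.domain in order to
# canonicalize it. If the inside zone is not visible from the outside,
# an /etc/hosts entry on the starting box is enough for that step,
# because the address is never connected to, only the name is used:
#
#   10.0.0.5   inside-host.inside.domain
```

With HostName set, %h in the ProxyCommand expands to the FQDN, so the ".inside.domain" suffix is no longer appended in the nc command. Two checks worth running before blaming the inside box: `getent hosts inside-host.inside.domain` on the starting box must succeed, and `ssh -vvv inside-host` should show the canonicalization failure before any GSSAPI token is sent, which confirms the problem is local name resolution rather than the delegated credentials.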