"Hostname cannot be canonicalized": is it possible to use gssapi-with-mic with SSH ProxyCommand
Russ Allbery
rra at stanford.edu
Sun Sep 26 00:22:16 EDT 2010
Jonathan Simms <slyphon at gmail.com> writes:
> I'm trying to set up a kerberos infrastructure at work, and currently
> (unfortunately) because of policy, we need to have SSH "jump boxes" to
> gain access to systems "on the inside". This requires fairly involved
> ssh configs, with entries like the following:
> Host inside-host
>     ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
Don't do that, do this:
Host inside-host
    GSSAPITrustDns no
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
The problem is that ssh is attempting to authenticate to the
canonicalization of inside-host in DNS, but since that's inside your
internal network, I bet you don't have DNS available to do the
canonicalization, so you need to tell GSSAPI what the hostname is
separately.
> I've configured the .ssh/config files of both my starting box and the
> jump box with the options:
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDns yes
> I also tried setting (in krb5.conf):
> [libdefaults]
>     rdns = false
> Which seemed to have no effect.
GSSAPITrustDns yes is setting the exact opposite of rdns = false. It's
the equivalent of rdns = true.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
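The following is an added example, not part of the original post or of OpenSSH. It is a small model of the two ssh_config stanzas above: it expands the ProxyCommand tokens the way ssh does (%h is the effective HostName, %p the port) and shows which name ends up as the host part of the host/<name> GSSAPI principal under the explanation given in the reply. The DNS table is constructed for the example: the jump box resolves from the workstation, the inside host does not, which is the situation described. Real ssh and libkrb5 do more than this (the model only covers what ssh hands to GSSAPI, not libkrb5's own rdns handling).

```python
import re

# Constructed for the example: names the workstation's resolver can see,
# mapped to their canonical DNS names. Hosts behind the jump box are
# deliberately absent, as in the post.
CLIENT_DNS = {
    "jump-box.example.com": "jump-box.example.com",
}

# The two stanzas from the thread: the original and the suggested fix.
ORIGINAL_STANZA = """
Host inside-host
    GSSAPITrustDns yes
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
"""

FIXED_STANZA = """
Host inside-host
    GSSAPITrustDns no
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
"""

# Only the ProxyCommand tokens this model needs: %h, %p and the literal %%.
TOKENS = {
    "h": lambda host, port: host,
    "p": lambda host, port: str(port),
    "%": lambda host, port: "%",
}


def parse_stanza(text):
    """Parse a single Host stanza into {lowercase keyword: value}.

    ssh_config keywords are case-insensitive; the value is the rest of the
    line after the keyword (an '=' separator is also accepted).
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).rstrip()
    return opts


def expand_tokens(command, host, port):
    """Substitute %h, %p and %% in a ProxyCommand as ssh would."""
    return re.sub(r"%([hp%])", lambda m: TOKENS[m.group(1)](host, port), command)


def gssapi_host(opts, dns=CLIENT_DNS):
    """Name ssh hands to GSSAPI as the host part of host/<name>.

    Model of the reply's explanation: with GSSAPITrustDns yes, ssh first
    canonicalizes the name through DNS, which fails for a host only the
    jump box can resolve; otherwise the configured HostName is used as-is.
    """
    host = opts.get("hostname", opts["host"])
    if opts.get("gssapitrustdns", "no").lower() == "yes":
        if host not in dns:
            raise LookupError("Hostname cannot be canonicalized: " + host)
        return dns[host]
    return host


def evaluate(stanza, port=22, dns=CLIENT_DNS):
    """Return the expanded ProxyCommand plus the GSSAPI target or the error."""
    opts = parse_stanza(stanza)
    host = opts.get("hostname", opts["host"])
    result = {
        "proxycommand": expand_tokens(opts["proxycommand"], host, port),
        "gssapi_host": None,
        "error": None,
    }
    try:
        result["gssapi_host"] = gssapi_host(opts, dns)
    except LookupError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, stanza in (("original", ORIGINAL_STANZA), ("fixed", FIXED_STANZA)):
        print(label, evaluate(stanza))
```

Both stanzas produce the same nc command on the jump box; they differ only in the name given to GSSAPI, which is the whole point of the reply. On a real system with OpenSSH 6.8 or later, `ssh -G inside-host` prints the effective hostname and proxycommand for the alias, which is the quickest way to confirm that HostName is being applied before %h is expanded.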