"Hostname cannot be canonicalized": is it possible to use gssapi-with-mic with SSH ProxyCommand

Russ Allbery rra at stanford.edu
Sun Sep 26 00:22:16 EDT 2010


Jonathan Simms <slyphon at gmail.com> writes:

> I'm trying to set up a kerberos infrastructure at work, and currently
> (unfortunately) because of policy, we need to have SSH "jump boxes" to
> gain access to systems "on the inside". This requires fairly involved
> ssh configs, with entries like the following:

> Host inside-host
>    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"

Don't do that, do this:

    Host inside-host
        GSSAPITrustDns no
        HostName inside-host.inside.domain
        ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"

The problem is that ssh is attempting to authenticate to the
canonicalization of inside-host in DNS, but since that's inside your
internal network, I bet you don't have DNS available to do the
canonicalization, so you need to tell GSSAPI what the hostname is
separately.

> I've configured the .ssh/config files of both my starting box and the
> jump box with the options:

> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDns yes

> I also tried setting (in krb5.conf):

> [libdefaults]
> rdns = false

> Which seemed to have no effect.

GSSAPITrustDns yes is setting the exact opposite of rdns = false.  It's
the equivalent of rdns = true.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
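As an added illustration (example code, not from Russ's reply, from OpenSSH or from MIT Kerberos), here is a small Python model of the two things the corrected config changes: which host name reaches GSSAPI under GSSAPITrustDns yes/no and rdns, and what %h expands to in the ProxyCommand. The DNS tables, the realm and the host/<name>@REALM principal form are constructed assumptions.

```python
"""Added example (not OpenSSH or MIT Kerberos code): a small model of how
the ssh_config in the reply above determines (a) the hostname handed to
GSSAPI and (b) the ProxyCommand actually run.  Assumptions: the service
principal is host/<name>@REALM; with GSSAPITrustDns no the configured
HostName is passed untouched, with yes it is canonicalized through a
forward lookup and, when rdns is on, a reverse lookup as well."""

# Constructed resolver tables.  The workstation outside the network can
# only see the public zone; the internal zone is visible from the jump box.
OUTSIDE_DNS = {"forward": {"jump-box.example.com": "203.0.113.10"},
               "reverse": {"203.0.113.10": "jump-box.example.com"}}
INSIDE_DNS = {"forward": {"inside-host.inside.domain": "10.0.0.5"},
              "reverse": {"10.0.0.5": "inside-host.inside.domain"}}


class CanonicalizationError(Exception):
    """The configured hostname has no usable DNS canonicalization."""


def gss_target_host(hostname, trust_dns, rdns, dns):
    """Host part of the service principal ssh will request from the KDC."""
    name = hostname.lower().rstrip(".")
    if not trust_dns:
        # GSSAPITrustDns no: no DNS involved, so it works from outside too.
        return name
    # GSSAPITrustDns yes: whatever DNS answers becomes the authentication
    # target, which is why the option is a trust decision, not a tuning knob.
    addr = dns["forward"].get(name)
    if addr is None:
        raise CanonicalizationError(f"Hostname {name} cannot be canonicalized")
    if rdns:
        # rdns = true (the libkrb5 side of trusting DNS): use the PTR record.
        name = dns["reverse"].get(addr, name)
    return name


def service_principal(hostname, realm, trust_dns, rdns, dns):
    return f"host/{gss_target_host(hostname, trust_dns, rdns, dns)}@{realm}"


def expand_proxy_command(template, hostname, port):
    """Expand %h and %p as ssh does for ProxyCommand; %h is the HostName,
    so with HostName set it already carries the full internal name."""
    return template.replace("%h", hostname).replace("%p", str(port))


if __name__ == "__main__":
    # The corrected config: HostName carries the FQDN, TrustDns is off.
    print(service_principal("inside-host.inside.domain", "EXAMPLE.COM",
                            False, False, OUTSIDE_DNS))
    print(expand_proxy_command('ssh -t jump-box.example.com "nc -w2 %h %p"',
                               "inside-host.inside.domain", 22))
```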