"Hostname cannot be canonicalized": is it possible to use gssapi-with-mic with SSH ProxyCommand
Jonathan Simms
slyphon at gmail.com
Sun Sep 26 22:31:20 EDT 2010
On Sun, Sep 26, 2010 at 12:22 AM, Russ Allbery <rra at stanford.edu> wrote:
> Jonathan Simms <slyphon at gmail.com> writes:
>
>> I'm trying to set up a kerberos infrastructure at work, and currently
>> (unfortunately) because of policy, we need to have SSH "jump boxes" to
>> gain access to systems "on the inside". This requires fairly involved
>> ssh configs, with entries like the following:
>
>> Host inside-host
>> ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
>
> Don't do that, do this:
>
> Host inside-host
> GSSAPITrustDns no
> HostName inside-host.inside.domain
> ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
>
> The problem is that ssh is attempting to authenticate to the
> canonicalization of inside-host in DNS, but since that's inside your
> internal network, I bet you don't have DNS available to do the
> canonicalization, so you need to tell GSSAPI what the hostname is
> separately.
>
>> I've configured the .ssh/config files of both my starting box and the
>> jump box with the options:
>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPITrustDns yes
>
>> I also tried setting (in krb5.conf):
>
>> [libdefaults]
>> rdns = false
>
>> Which seemed to have no effect.
>
> GSSAPITrustDns yes is setting the exact opposite of rdns = false. It's
> the equivalent of rdns = true.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
Ok, I tested setting GSSAPITrustDns and putting the FQDN in HostName
and it does indeed work. :)
(This is rather unfortunate, just because it means you'd have to put
the FQDN in for each "short name" you want to use, which is a little
unwieldy in our environment)
So, if instead I were on a VPN, and had access to our internal
resolvers, I could set GSSAPITrustDns to true and everything would
work?
Thanks for the clarification :)
-- Jonathan
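As an added check that is not part of this thread: a small Python lint that walks an ssh_config and flags jump-box stanzas set up the way the original entry was, run over a constructed sample config containing both the original stanza and Russ's corrected one. It assumes the internal suffix `.inside.domain` from the thread and does not model `Host *` merging or ssh's first-match option semantics.

```python
"""Added illustration for this thread (not OpenSSH or Kerberos code):
lint an ssh_config for stanzas that reach a host via an ssh ProxyCommand
and check the two settings Russ points out: GSSAPITrustDns should be
'no' (yes behaves like rdns = true and tries to canonicalize in DNS),
and HostName should carry the FQDN so GSSAPI learns the real name."""
import re

# Constructed sample: the original (failing) stanza and the corrected one.
SAMPLE_CONFIG = """\
Host inside-host
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
    GSSAPITrustDns yes

Host inside-host-fixed
    GSSAPITrustDns no
    HostName inside-host-fixed.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
"""


def parse_ssh_config(text):
    """Return {host_pattern: {keyword_lower: value}} for each Host stanza.
    Lines before the first Host line are ignored (simplification)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = stanzas.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return stanzas


def lint_jump_stanzas(text, internal_suffix=".inside.domain"):
    """Return {host: [problems]} for stanzas whose ProxyCommand runs ssh."""
    findings = {}
    for host, opts in parse_ssh_config(text).items():
        if not opts.get("proxycommand", "").startswith("ssh "):
            continue
        problems = []
        # OpenSSH's documented default for GSSAPITrustDns is 'no'.
        if opts.get("gssapitrustdns", "no").lower() == "yes":
            problems.append("GSSAPITrustDns yes: ssh will try to canonicalize the name via DNS")
        hostname = opts.get("hostname")
        if not hostname or not hostname.endswith(internal_suffix):
            problems.append("HostName missing or not the FQDN: GSSAPI cannot learn the real name")
        if problems:
            findings[host] = problems
    return findings
```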