"Hostname cannot be canonicalized": is it possible to use gssapi-with-mic with SSH ProxyCommand

Jonathan Simms slyphon at gmail.com
Sun Sep 26 22:31:20 EDT 2010


On Sun, Sep 26, 2010 at 12:22 AM, Russ Allbery <rra at stanford.edu> wrote:
> Jonathan Simms <slyphon at gmail.com> writes:
>
>> I'm trying to set up a kerberos infrastructure at work, and currently
>> (unfortunately) because of policy, we need to have SSH "jump boxes" to
>> gain access to systems "on the inside". This requires fairly involved
>> ssh configs, with entries like the following:
>
>> Host inside-host
>>    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
>
> Don't do that, do this:
>
>    Host inside-host
>        GSSAPITrustDns no
>        HostName inside-host.inside.domain
>        ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
>
> The problem is that ssh is attempting to authenticate to the
> canonicalization of inside-host in DNS, but since that's inside your
> internal network, I bet you don't have DNS available to do the
> canonicalization, so you need to tell GSSAPI what the hostname is
> separately.
>
>> I've configured the .ssh/config files of both my starting box and the
>> jump box with the options:
>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPITrustDns yes
>
>> I also tried setting (in krb5.conf):
>
>> [libdefaults]
>> rdns = false
>
>> Which seemed to have no effect.
>
> GSSAPITrustDns yes is setting the exact opposite of rdns = false.  It's
> the equivalent of rdns = true.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>


Ok, I tested setting GSSAPITrustDns and putting the FQDN in HostName
and it does indeed work. :)

(This is rather unfortunate, just because it means you'd have to put
the FQDN in for each "short name" you want to use, which is a little
unwieldy in our environment)

So, if instead I were on a VPN, and had access to our internal
resolvers, I could set GSSAPITrustDns to true and everything would
work?


Thanks for the clarification :)

-- Jonathan
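To make the difference between the two stanzas in the quoted exchange concrete, here is a small Python model of how ssh_config evaluation turns the alias `inside-host` into the hostname used for `%h` and into the name handed to GSSAPI. This is added example code, not part of the thread and not OpenSSH's own implementation; the parser and the `resolve` helper are a deliberate simplification that only models the keywords used in the thread (first matching stanza wins per keyword, `%h` expands to the effective HostName, `GSSAPITrustDns` defaults to `no`), and the two config fragments are constructed from the messages above.

```python
"""Simplified model of ssh_config evaluation for the GSSAPI-over-ProxyCommand case.

Added example, not OpenSSH code. Assumptions: "Keyword value" syntax only,
first matching Host stanza wins per keyword, %h expands to the effective
HostName, and GSSAPITrustDns defaults to "no" when unset.
"""

import fnmatch
import re

# Constructed from the question: the original stanza plus the global GSSAPI
# options the poster said were set in ~/.ssh/config.
ORIGINAL_CONFIG = """
Host inside-host
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
"""

# Constructed from the reply: HostName pinned to the FQDN, DNS trust disabled
# for this alias; the global stanza is unchanged.
FIXED_CONFIG = """
Host inside-host
    GSSAPITrustDns no
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
"""


def parse_ssh_config(text):
    """Return [(patterns, {keyword: value}), ...] in file order.

    Options before the first Host line belong to an implicit "Host *" stanza.
    Keywords are case-insensitive, so they are lowercased here.
    """
    stanzas = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            # Within one stanza a repeated keyword keeps its first value.
            options.setdefault(keyword, value)
    stanzas.append((patterns, options))
    return stanzas


def effective_options(stanzas, alias):
    """First matching stanza wins for each keyword, as ssh_config(5) describes."""
    result = {}
    for patterns, options in stanzas:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for keyword, value in options.items():
                result.setdefault(keyword, value)
    return result


def expand_tokens(command, hostname, port):
    """Expand the %h, %p and %% tokens of a ProxyCommand."""
    table = {"%h": hostname, "%p": port, "%%": "%"}
    return re.sub(r"%[hp%]", lambda m: table[m.group(0)], command)


def resolve(config_text, alias):
    """Report the effective hostname, expanded ProxyCommand and GSSAPI target."""
    opts = effective_options(parse_ssh_config(config_text), alias)
    hostname = opts.get("hostname", alias)
    port = opts.get("port", "22")
    trust_dns = opts.get("gssapitrustdns", "no").lower() == "yes"
    proxy = None
    if "proxycommand" in opts:
        proxy = expand_tokens(opts["proxycommand"], hostname, port)
    # With GSSAPITrustDns yes, the target name comes from DNS canonicalization of
    # the host, which needs the inside resolvers; modelled here as unknown (None).
    # With GSSAPITrustDns no, the target is simply host@<effective HostName>.
    gss_target = None if trust_dns else f"host@{hostname}"
    return {
        "hostname": hostname,
        "proxycommand": proxy,
        "gssapitrustdns": trust_dns,
        "gssapi_target": gss_target,
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, resolve(cfg, "inside-host"))
```

Running it shows why the reply's version works without inside DNS: both configs produce the same `nc` command line, but only the fixed one gives GSSAPI a fixed, fully qualified target (`host@inside-host.inside.domain`) instead of depending on a DNS lookup that the starting box cannot perform. It also shows the cost the poster mentions: every short alias needs its own `HostName` line, because the effective hostname is taken from the matching stanza, not from a domain suffix.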
