GSSAPI auth and NAT Problems

Tom Yu tlyu at MIT.EDU
Wed Aug 8 21:29:27 EDT 2012


Jeremy Hunt <jeremyh at optimation.com.au> writes:

> Hi Mauricio,
>
> Doug is right, I misread your request, my apologies.
>
> Googling kerberos, nat and ssh gives many responses all saying that the 
> only way to do this is to use tickets with no address in them. You can 
> do this by using the kinit command with either the -n, -a or -A switch. 

Modern releases of krb5 default to getting tickets with no addresses.
Addresses in tickets don't really have anything to do with using
reverse DNS to canonicalize hostnames in principal names.  Mismatched
addresses in the ticket wouldn't produce the described symptoms,
anyway.

