openssh/mit kerberos and numeric host address

王剑 larkwang at outlook.com
Wed Apr 3 13:48:21 EDT 2013



> Date: Wed, 3 Apr 2013 12:29:59 -0400
> From: kaduk at MIT.EDU
> To: larkwang at outlook.com
> CC: kerberos at MIT.EDU
> Subject: Re: openssh/mit kerberos and numeric host address
> 
> On Wed, 3 Apr 2013, 王剑 wrote:
> 
> > Hi,
> >
> > I have set up a MIT kerberos environment. But I meet a problem with numeric host address support.
> >
> > 1. The kdc runs on linux server, debian testing latest, openssh 6.0p1, mit kerberos 1.10.1.
> > 2. A DNS A RR points to linux server, as "kdc = xxx"
> > 3. Windows client: Win7 64bit, putty 0.62, kfw-3-2-2
> > 4. MacOS X client: OSX 10.6.x
> > 5. Linux client: debian testing latest
> > 6. In krb5.conf or krb5.ini,  "rdns = false" and in ssh_config, "GSSAPITrustDNS = no"
> > 7. The server has a host/ip@REALM principal in kdc and /etc/krb5.keytab
> >
> > From Windows and OSX clients, we can login to linux server with "ssh root@ip" by principal, but
> > from linux, kerberos always fails and then falls back to password
> >
> > "debug1: Unspecified GSS failure.  Minor code may provide more information
> > Cannot determine realm for numeric host address"
> >
> > At first, I thought it was openssh's problem. But I traced it into ssh_gssapi_init_ctx() then gss_init_sec_context()
> > from libgssapi_krb5.so.  It's beyond my affordable time to play with this beast.
> >
> > Does anyone have a solution?
> 
> It seems like you may be hitting the getaddrinfo issue mentioned in debian 
> bug #697662 (which is 
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7124&user=guest&pass=guest 
> ).
> This issue is addressed in my version of the debian packaging 
> (http://anonscm.debian.org/gitweb/?p=pkg-k5-afs/debian-krb5.git;a=summary) 
> but I don't have an ETA for when it will be uploaded to debian.
> 
> -Ben Kaduk
> 
> P.S. There is KfW 4.0.1 out now; 3.2.2 is quite old.

Thanks.

I have tried Greg Hudson's glibc patch and built glibc package, per
http://sourceware.org/bugzilla/show_bug.cgi?id=15218

but no success. I have reverted back to debian official glibc package.

I tested the upstream patch your package refers to, and no success either :(

I installed KfW 4.0.1 then switched back to 3.2.2. The UI of KfW 4.0.1 is _strange_.
 		 	   		  

