Kerberized SSH + mDNS

Norman Elton normelton at gmail.com
Thu Feb 28 09:45:53 EST 2013


Admittedly, this may be a crazy idea. But I've got kerberized SSH working,
as long as FQDNs are resolvable via /etc/hosts or DNS. I'm investigating
the possibility of using mDNS for host resolution, using Avahi.

It seems that an SSH client does a DNS resolution, then a reverse, to
determine the FQDN in order to find the server in Kerberos. The initial
resolution to the IP works fine, but the reverse is returning the mDNS name
(hostname.local) instead of the FQDN, which doesn't exist in Kerberos.

As I see it, there are a few workarounds:

- Trick Avahi to return the FQDN. Not sure how doable this is.
- Trick Kerberos to map hostname.local to the FQDN. I can map a domain to a
particular realm, but I can't figure out how to map a domain to a principal
name inside that realm.
- Add the mDNS hostnames as Kerberos principals (host/hostname.local@REALM).
Not sure if this would work or not.

Thoughts? Other bright ideas?

Thanks,

Norman
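The forward-then-reverse lookup described in the post, as an added example that is not part of the original message: a small Python model of MIT krb5 hostname canonicalization over constructed resolver tables, showing why the `.local` reverse record produces a principal the KDC does not have. It also goes beyond the post by modelling the `rdns` libdefaults setting, which turns off the reverse step; the realm, hostnames and addresses are assumed sample values.

```python
# Added example (not from the original post): a model of how a Kerberos
# client canonicalizes an SSH target into a host/ principal, showing why
# an mDNS reverse record breaks the lookup described in the post.
# The resolver tables below are constructed sample data, not real hosts.

REALM = "EXAMPLE.COM"  # assumed realm name

# Constructed forward and reverse resolver results. Avahi answers the
# reverse query with the .local name, as in the post.
FORWARD = {
    "www.example.com": "192.0.2.10",
    "www": "192.0.2.10",
}
REVERSE = {
    "192.0.2.10": "www.local",
}

# Constructed set of host principals registered in the KDC.
KDC_PRINCIPALS = {"host/www.example.com@EXAMPLE.COM"}


def canonical_host(name, forward, reverse, rdns=True):
    """Model of MIT krb5 hostname canonicalization.

    Forward-resolve the name; if rdns is on (the krb5.conf default),
    also reverse-resolve the address and prefer that name. Returns the
    lower-cased hostname used to build the service principal.
    """
    if name not in forward:
        raise LookupError(f"cannot resolve {name}")
    addr = forward[name]
    host = reverse[addr] if rdns and addr in reverse else name
    return host.rstrip(".").lower()


def host_principal(name, rdns=True):
    """Service principal the client will ask the KDC for."""
    return f"host/{canonical_host(name, FORWARD, REVERSE, rdns)}@{REALM}"


def kdc_knows(principal):
    """True if the (constructed) KDC has a key for this principal."""
    return principal in KDC_PRINCIPALS


if __name__ == "__main__":
    for rdns in (True, False):
        p = host_principal("www.example.com", rdns)
        print(f"rdns={rdns}: {p} -> {'found' if kdc_knows(p) else 'unknown'}")
```

With `rdns` on, the client requests `host/www.local@EXAMPLE.COM`, which the KDC does not have; with `rdns = false` in the `[libdefaults]` section of krb5.conf the forward name is kept and the existing FQDN principal is found.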

