Kerberized SSH + mDNS

Roland C. Dowdeswell elric at imrryr.org
Thu Feb 28 10:20:11 EST 2013


On Thu, Feb 28, 2013 at 09:45:53AM -0500, Norman Elton wrote:
>

> Admittedly, this may be a crazy idea. But I've got kerberized SSH working,
> as long as FQDNs are resolvable via /etc/hosts or DNS. I'm investigating
> the possibility of using mDNS for host resolution, using Avahi.
> 
> It seems that an SSH client does a DNS resolution, then a reverse, to
> determine the FQDN in order to find the server in Kerberos. The initial
> resolution to the IP works fine, the reverse is returning the mDNS name
> (hostname.local) instead of the FQDN, which doesn't exist in kerberos.
> 
> As I see it, there are a few workarounds:
> 
> - Trick Avahi to return the FQDN. Not sure how do-able this is.
> - Trick Kerberos to map hostname.local to the FQDN. I can map a domain to a
> particular realm, but I can't figure out how to map a domain to a principal
> name inside that realm.
> - Add the mDNS hostnames as Kerberos principals (host/hostname.local at REALM).
> Not sure if this would work or not.
> 
> Thoughts? Other bright ideas?

You might try:

	-  ``rdns = no'' in your /etc/krb5.conf in the [libdefaults]
	   section.

	-  make sure that your openssh has the GSS KEX patch
	   applied (http://www.sxw.org.uk/computing/patches/openssh.html)
	   and then set ``GSSAPITrustDNS no''.

This should cause your Kerberos libraries to not try to reverse
lookup the provided name but rather just use it.  It will affect
other users of Kerberos, though, so it might be problematic.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
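
An added illustration, not code from the thread, MIT Kerberos, Heimdal or
OpenSSH: a toy model of how a Kerberos client turns the host name handed to
ssh into the service principal it asks the KDC for, and how the reverse
lookup controlled by ``rdns'' changes that. The forward (A) and reverse (PTR)
answers, the [domain_realm]-style suffix map, the host name box1, the domain
example.com and the realm EXAMPLE.COM are all constructed for the example.

```python
# Constructed forward records: both the FQDN and the mDNS name resolve to the host.
FORWARD = {
    "box1.example.com": "192.0.2.10",
    "box1.local": "192.0.2.10",
}

# Constructed reverse answer: the mDNS responder wins and hands back the .local name,
# which is the situation described in the question.
REVERSE = {
    "192.0.2.10": "box1.local",
}

# Constructed [domain_realm]-style map; longest matching suffix wins, as in krb5.conf.
# Mapping ".local" to the realm is workaround 2 from the question: it fixes the
# realm part of the principal but not the instance (host name) part.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    ".local": "EXAMPLE.COM",
}

# Constructed set of principals the KDC actually knows about.
KDC_PRINCIPALS = {"host/box1.example.com@EXAMPLE.COM"}


def realm_for(host):
    """Pick a realm by longest-suffix match over DOMAIN_REALM; fall back to the
    uppercased parent domain when nothing matches (a rough model of libkrb5)."""
    best = None
    for suffix, realm in DOMAIN_REALM.items():
        if host.endswith(suffix) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, realm)
    if best is not None:
        return best[1]
    return host.split(".", 1)[1].upper() if "." in host else host.upper()


def canonical_hostname(host, rdns=True):
    """Forward-resolve the name; with rdns on, reverse-resolve the address and
    use the PTR name instead of what the user typed (rdns = true behaviour).
    With rdns off, the typed name is used as-is (rdns = false / no)."""
    addr = FORWARD.get(host.lower())
    if addr is None:
        raise LookupError(f"no forward record for {host}")
    if rdns:
        return REVERSE.get(addr, host).lower()
    return host.lower()


def service_principal(host, service="host", rdns=True):
    """Build the service principal the client will request a ticket for."""
    name = canonical_hostname(host, rdns=rdns)
    return f"{service}/{name}@{realm_for(name)}"


def kdc_has(principal):
    """True if the (constructed) KDC could issue a ticket for this principal."""
    return principal in KDC_PRINCIPALS


if __name__ == "__main__":
    for typed in ("box1.example.com", "box1.local"):
        for rdns in (True, False):
            p = service_principal(typed, rdns=rdns)
            status = "ok" if kdc_has(p) else "unknown to KDC"
            print(f"ssh {typed:17} rdns={rdns!s:5} -> {p}  ({status})")
```

Running it shows the three cases behind the workarounds in the question: with
rdns on, even typing the FQDN ends up requesting host/box1.local@EXAMPLE.COM,
which the KDC does not have; with rdns off and the FQDN typed, the request is
host/box1.example.com@EXAMPLE.COM; and typing box1.local yields
host/box1.local@EXAMPLE.COM either way, which is only satisfied by registering
that principal (workaround 3). The rdns flag here stands in for the
``rdns'' setting in [libdefaults]; GSSAPITrustDNS plays the same role on the
ssh side by deciding whether the name typed on the command line is passed to
the GSSAPI library untouched.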


More information about the Kerberos mailing list