Problems with SSH-GSSAPI ticket authentication and NAT

Greg Hudson ghudson at MIT.EDU
Wed Jan 2 11:53:26 EST 2013


On 01/02/2013 07:16 AM, nomike wrote:
> I assume that normally
> GSSAPI does a rDNS lookup of the IP it should connect to and requests a
> TGS for the hostname it gets. And the purpose of "GSSAPIServerIdentity" is
> to override what it gets from rDNS and use the specified hostname instead.

GSSAPIServerIdentity determines the input to host canonicalization; it
does not override the output.  The flow is:

1. The caller invokes "ssh hostname".

2. ssh produces a hostname which is, in order of preference:
   * the value of GSSAPIServerIdentity if specified
   * the hostname as canonicalized by ssh, if GSSAPITrustDNS is set
   * the literal hostname as typed

3. This name is imported into the GSS krb5 mech, which canonicalizes it
according to the usual krb5 rules (always forward, then reverse unless
rdns=false is set in [libdefaults] in krb5.conf).

ssh currently has no way to ask the GSS krb5 mech not to canonicalize
the hostname, because that's mechanism-specific behavior.
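
The three-step flow above, worked through as an added example (not part of the original message, and not OpenSSH or MIT krb5 code). It models step 2 (ssh picking the name) and step 3 (the krb5 mech doing forward, then optional reverse, canonicalization) against a constructed DNS table, so it runs offline; the names `nat.example.com`, `alias.example.com`, `internal-host.example.com`, the addresses, the fixed realm `EXAMPLE.COM` and the function names are all assumptions chosen for illustration. The point it makes concrete is the one in the reply: GSSAPIServerIdentity only changes what goes into canonicalization, so a NAT address whose PTR record names the inside host still yields the inside host's principal unless rdns=false is set.

```python
"""Model of ssh -> GSS krb5 hostname canonicalization (constructed example).

Not OpenSSH or MIT krb5 code.  DNS answers come from the inline tables
below (constructed data) so the script runs offline.  The realm is fixed
for simplicity; real krb5 derives it from [domain_realm] or DNS.
"""

# Constructed DNS data: forward records (A or CNAME) and reverse (PTR).
FORWARD = {
    "alias.example.com": ("CNAME", "nat.example.com"),
    "nat.example.com": ("A", "198.51.100.7"),
    "internal-host.example.com": ("A", "10.0.0.5"),
}
REVERSE = {
    # The NAT address reverse-maps to the inside hostname, the NAT case
    # from the thread subject.
    "198.51.100.7": "internal-host.example.com",
    "10.0.0.5": "internal-host.example.com",
}


def forward_lookup(name, forward=FORWARD):
    """Follow CNAMEs to the canonical name and its address.

    Stands in for getaddrinfo() with AI_CANONNAME; a missing name raises
    KeyError, which here plays the role of NXDOMAIN.
    """
    name = name.lower()
    seen = set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        rtype, value = forward[name]
        if rtype == "A":
            return name, value
        name = value.lower()


def ssh_target_name(typed, server_identity=None, trust_dns=False, forward=FORWARD):
    """Step 2: the hostname ssh hands to the GSS krb5 mech, in order of preference."""
    if server_identity:
        return server_identity            # GSSAPIServerIdentity wins if set
    if trust_dns:
        return forward_lookup(typed, forward)[0]   # GSSAPITrustDNS: ssh canonicalizes
    return typed                          # literal hostname as typed


def krb5_canonicalize(name, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Step 3: krb5 rules - always forward, then reverse unless rdns=false."""
    canon, addr = forward_lookup(name, forward)
    if rdns:
        canon = reverse.get(addr, canon).lower()
    return canon


def service_principal(typed, server_identity=None, trust_dns=False,
                      rdns=True, realm="EXAMPLE.COM"):
    """Principal the client asks the KDC for, given the ssh and krb5 settings."""
    name = ssh_target_name(typed, server_identity, trust_dns)
    return "host/%s@%s" % (krb5_canonicalize(name, rdns), realm)


if __name__ == "__main__":
    cases = [
        dict(typed="nat.example.com"),
        dict(typed="nat.example.com", rdns=False),
        dict(typed="nat.example.com", server_identity="alias.example.com"),
        dict(typed="nat.example.com", server_identity="alias.example.com", rdns=False),
        dict(typed="alias.example.com", trust_dns=True, rdns=False),
    ]
    for c in cases:
        print("%-75s -> %s" % (c, service_principal(**c)))
```

Reading the cases in order: with defaults the PTR record for the NAT address turns `nat.example.com` into `host/internal-host.example.com`; rdns=false keeps the typed name; setting GSSAPIServerIdentity to the alias does not produce `host/alias.example.com`, because the krb5 mech canonicalizes that input in turn (reverse lookup with rdns on, CNAME following even with rdns off); and GSSAPITrustDNS only moves the same forward canonicalization into ssh.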



More information about the Kerberos mailing list