Problems with SSH-GSSAPI ticket authentication and NAT
Greg Hudson
ghudson at MIT.EDU
Wed Jan 2 11:53:26 EST 2013
On 01/02/2013 07:16 AM, nomike wrote:
> I assume that normally
> GSSAPI does a rDNS lookup of the IP it should connect to and requests a
> TGS for the hostname it gets. And the purpose of "GSSAPIServerIdentity" is
> to override what it gets from rDNS and use the specified hostname instead.
GSSAPIServerIdentity determines the input to host canonicalization; it
does not override the output. The flow is:
1. The caller invokes "ssh hostname".
2. ssh produces a hostname which is, in order of preference:
   * the value of GSSAPIServerIdentity if specified
   * the hostname as canonicalized by ssh, if GSSAPITrustDNS is set
   * the literal hostname as typed
3. This name is imported into the GSS krb5 mech, which canonicalizes it
according to the usual krb5 rules (always forward, then reverse unless
rdns=false is set in [libdefaults] in krb5.conf).
ssh currently has no way to ask the GSS krb5 mech not to canonicalize
the hostname, because that's mechanism-specific behavior.
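To make the three-step flow above concrete, here is a small Python simulation. It is an added example, not code from OpenSSH or MIT krb5: the DNS answers (forward names, addresses, PTR records) are constructed tables standing in for the resolver, and the host/<name>@REALM principal form and the EXAMPLE.COM realm are assumptions used to show what the resulting TGS request is for. It walks through the ssh name selection (GSSAPIServerIdentity, then GSSAPITrustDNS, then the literal name) and then the krb5 mech's forward-then-reverse canonicalization, so you can see why GSSAPIServerIdentity alone does not escape the reverse lookup and rdns=false does.

```python
"""Simulation of the GSSAPI target-name flow described in the post.

Added example, not OpenSSH or MIT krb5 code. DNS answers are constructed
tables; the host/<name>@REALM principal form and REALM are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS data standing in for the system resolver.
FORWARD_CANONICAL = {            # name -> canonical name (search domain, CNAME)
    "web": "web.example.com",
    "web.example.com": "web.example.com",
    "web-alias.example.com": "web.example.com",
}
ADDRESS_OF = {"web.example.com": "192.0.2.10"}   # canonical name -> address
PTR_OF = {"192.0.2.10": "nat-gw.example.com"}    # address -> PTR (the NAT box)

REALM = "EXAMPLE.COM"  # assumed realm for the service principal


@dataclass
class NameTrace:
    typed: str
    ssh_name: str      # what ssh hands to the GSS krb5 mech
    krb5_name: str     # what the mech uses after canonicalization
    principal: str     # service principal the TGS request names


def ssh_target_name(typed: str, server_identity: Optional[str] = None,
                    trust_dns: bool = False) -> str:
    """Step 2 of the post: ssh's order of preference for the name."""
    if server_identity:
        return server_identity
    if trust_dns:
        return FORWARD_CANONICAL.get(typed, typed)
    return typed


def krb5_canonicalize(name: str, rdns: bool = True) -> str:
    """Step 3: forward lookup, then reverse lookup unless rdns=false."""
    canonical = FORWARD_CANONICAL.get(name, name)
    if not rdns:
        return canonical
    addr = ADDRESS_OF.get(canonical)
    if addr is None:
        return canonical          # no address: nothing to reverse-resolve
    return PTR_OF.get(addr, canonical)


def derive_principal(typed: str, server_identity: Optional[str] = None,
                     trust_dns: bool = False, rdns: bool = True) -> NameTrace:
    """Run the whole flow and return every intermediate name."""
    ssh_name = ssh_target_name(typed, server_identity, trust_dns)
    krb5_name = krb5_canonicalize(ssh_name, rdns)
    return NameTrace(typed, ssh_name, krb5_name, f"host/{krb5_name}@{REALM}")


if __name__ == "__main__":
    cases = (
        {},
        {"server_identity": "web.example.com"},
        {"server_identity": "web.example.com", "rdns": False},
    )
    for kw in cases:
        t = derive_principal("web", **kw)
        print(f"{kw or 'defaults'}: {t.typed} -> {t.ssh_name} -> "
              f"{t.krb5_name} -> {t.principal}")
```

With the constructed tables, typing "ssh web" ends up requesting a ticket for host/nat-gw.example.com, because the PTR for the address points at the NAT gateway; setting GSSAPIServerIdentity to web.example.com changes only what goes into the mech, and the reverse lookup still rewrites it. Only rdns=false in [libdefaults] stops at the forward-canonical name.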