SSH and short-name machine credentials

Benjamin Kaduk kaduk at MIT.EDU
Fri May 30 11:01:30 EDT 2014


On Fri, 30 May 2014, Jaap wrote:

> Hi folks,
>
> When SSH with Kerberos authentication is used, how can destination hosts
> with short-name machine credentials be accessed?
>
> For example, when the destination host has machine credentials in the
> form "host/<host>.<domain>@<REALM>" accessing it with SSH is no problem.
> However, when it's "host/<host>@<REALM>" it doesn't and the SSH client
> gives the following error:
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server host/<host>.<domain>@<REALM> not found in Kerberos database
>
> Is the only solution here to not use short-name machine credentials?

I don't believe that to be the only solution; modern versions of openssh
have a configuration knob GSSAPIServerIdentity, which I think could be set
to the short hostname (that is, just the "<host>" part, with no "host/" or
".<domain>").  I haven't investigated exactly what code path this
involves; it might require setting rdns=false in the client's krb5.conf as
well.

I believe that sshd also acquires a credential for only the hostname it
sees itself as configured to run on, so the server side may need a tweak
as well.

-Ben Kaduk
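The following is an added illustration of the client- and server-side settings discussed above; it is not part of the message and is not configuration shipped by the OpenSSH or MIT Kerberos projects. It assumes the client's ssh is a build that carries the GSSAPI key-exchange patch providing GSSAPIServerIdentity (Debian, Ubuntu and Red Hat builds do; upstream OpenSSH does not), that the client uses MIT Kerberos, and placeholder names myhost, example.com and EXAMPLE.COM.

```ini
# --- client side: ~/.ssh/config or /etc/ssh/ssh_config ---
# Placeholder names (assumed): myhost, example.com, EXAMPLE.COM
Host myhost myhost.example.com
    GSSAPIAuthentication yes
    # Name used to build the target principal host/<identity>@REALM.
    # Left unset, ssh uses the resolved hostname and asks the KDC for
    # host/myhost.example.com@EXAMPLE.COM, which is the failure quoted
    # above when the keytab only holds host/myhost@EXAMPLE.COM.
    GSSAPIServerIdentity myhost

# --- client side: /etc/krb5.conf ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # Stop the library from rewriting the hostname via reverse DNS
    # before it builds the service principal; a PTR record for the
    # FQDN would otherwise undo the short name set above.
    rdns = false
    # Newer MIT krb5 releases also canonicalize via forward DNS
    # (getaddrinfo canonical name); this switches that off too.
    dns_canonicalize_hostname = false

# --- server side: /etc/ssh/sshd_config ---
GSSAPIAuthentication yes
# sshd acquires acceptor credentials for host@<gethostname()> only.
# If the system hostname is the FQDN but the keytab holds only
# host/myhost@EXAMPLE.COM, either set the hostname to "myhost" or
# relax the check so any host/ principal present in the keytab is
# accepted (upstream OpenSSH option; default is "yes").
GSSAPIStrictAcceptorCheck no
```

To check which principal the client actually requests, run "kvno host/myhost@EXAMPLE.COM" after kinit and look at klist, or run "KRB5_TRACE=/dev/stderr ssh -v myhost" and read the principal name in the TGS request. Relaxing GSSAPIStrictAcceptorCheck widens what the server will accept to every entry in its keytab, so keep that keytab limited to the host's own principals.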


More information about the Kerberos mailing list