SSH and short-name machine credentials
Benjamin Kaduk
kaduk at MIT.EDU
Fri May 30 11:01:30 EDT 2014
On Fri, 30 May 2014, Jaap wrote:
> Hi folks,
>
> When SSH with Kerberos authentication is used, how can destination hosts
> with short-name machine credentials be accessed?
>
> For example, when the destination host has machine credentials in the
> form "host/<host>.<domain>@<REALM>" accessing it with SSH is no problem.
> However, when it's "host/<host>@<REALM>" it doesn't and the SSH client
> gives the following error:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server host/<host>.<domain>@<REALM> not found in Kerberos database
>
> Is the only solution here to not use short-name machine credentials?
I don't believe that to be the only solution; modern versions of openssh
have a configuration knob GSSAPIServerIdentity, which I think could be set
to the short hostname (that is, just the "<host>" part, with no "host/" or
".<domain>"). I haven't investigated exactly what code path this
involves; it might require setting rdns=false in the client's krb5.conf as
well.
I believe that sshd also acquires a credential for only the hostname it
sees itself as configured to run on, so the server side may need a tweak
as well.
-Ben Kaduk
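As an added illustration (not part of either message above), this is what the client-side settings Ben mentions look like in practice, assuming a destination host named "myhost" whose keytab holds only host/myhost@EXAMPLE.COM (placeholder names):

```conf
# ~/.ssh/config on the SSH client (assumed host and realm names)
Host myhost myhost.example.com
    GSSAPIAuthentication yes
    # Make ssh request a ticket for host@myhost (host/myhost@EXAMPLE.COM)
    # rather than deriving the service principal from the canonicalised
    # target name host/myhost.example.com@EXAMPLE.COM.
    GSSAPIServerIdentity myhost

# /etc/krb5.conf on the SSH client
[libdefaults]
    default_realm = EXAMPLE.COM
    # Stop the Kerberos library from reverse-resolving the server address
    # back to its FQDN when it builds the service principal name.
    rdns = false
```

With these in place, `ssh -v myhost` should show the GSSAPI exchange succeeding instead of the "not found in Kerberos database" error; if it still fails, the server's keytab is the next thing to check, since sshd must hold a key for the principal the client now asks for.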