SSH and short-name machine credentials

Greg Hudson ghudson at MIT.EDU
Fri May 30 11:12:40 EDT 2014

On 05/30/2014 09:58 AM, Jaap wrote:
> When SSH with Kerberos authentication is used, how can destination hosts 
> with short-name machine credentials be accessed?

In krb5 1.12, we support dns_canonicalize_hostname=false in the
[libdefaults] section of krb5.conf.  This disables all canonicalization
of hostnames in service principal names for all applications, so the
second part of the server principal would be whatever you type.  That
might be too big of a hammer, but it's an option.

I don't know that GSSAPIServerIdentity would be helpful by itself.  By
my reading of the source code, the hostname is still imported via
GSS_C_NT_HOSTBASED, so canonicalization would still take place (in the
absence of dns_canonicalize_hostname=false).  rdns=false wouldn't solve
the problem either; it only prevents canonicalization by reverse IP
address lookup, not CNAME resolution or expansion of shortname to fqdn.

More information about the Kerberos mailing list