multihomed IP address

Kenneth MacDonald Kenneth.MacDonald at ed.ac.uk
Mon Jun 22 12:34:36 EDT 2015


On Mon, 2015-06-22 at 10:53 +0000, Gsandtner Michael wrote:
> We want to connect with ssh via Kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this is a required DNS configuration):
> # nslookup vmlxsuche1test
> Name:   vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
> 
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa      name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa      name = zktest.host.magwien.gv.at.
> 
> ssh sometimes works, sometimes does not (falls back to authentication method: password).
> In both cases the credential cache on the client looks equal (got a TGS for both names):
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lanadvgsa at MAGWIEN.GV.AT
> 
> Valid starting     Expires            Service principal
> 06/22/15 11:56:42  06/22/15 21:56:42  krbtgt/MAGWIEN.GV.AT at MAGWIEN.GV.AT
>         renew until 06/29/15 11:56:42
> 06/22/15 11:56:47  06/22/15 21:56:42  host/vmlxsuche1test.host.magwien.gv.at at MAGWIEN.GV.AT
>         renew until 06/29/15 11:56:42
> 06/22/15 11:56:47  06/22/15 21:56:42  host/zktest.host.magwien.gv.at at MAGWIEN.GV.AT
>         renew until 06/29/15 11:56:42
> 
> If we enter the host vmlxsuche1test (but not the second name zktest) in the client's /etc/hosts (thus no DNS reverse lookup is done) it always works, and then we get only one TGS:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lanadvgsa at MAGWIEN.GV.AT
> 
> Valid starting     Expires            Service principal
> 06/22/15 10:58:15  06/22/15 20:58:15  krbtgt/MAGWIEN.GV.AT at MAGWIEN.GV.AT
>         renew until 06/29/15 10:58:15
> 06/22/15 10:58:28  06/22/15 20:58:15  host/vmlxsuche1test.host.magwien.gv.at at MAGWIEN.GV.AT
>         renew until 06/29/15 10:58:15
> 
> Here is some more information:
> 
> # klist -ke # the keytab on the host
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 host/vmlxsuche1test.host.magwien.gv.at at MAGWIEN.GV.AT (arcfour-hmac)
>    5 host/zktest.host.magwien.gv.at at MAGWIEN.GV.AT (arcfour-hmac)
> 
> Here is the entry in Active Directory (thus only one entry with both SPNs):
> 
> dn: CN=VMLXSUCHE1TEST,OU=Linux,OU=Server,DC=magwien,DC=gv,DC=at
> servicePrincipalName: host/vmlxsuche1test.host.magwien.gv.at
> servicePrincipalName: host/ZKTEST
> servicePrincipalName: host/zktest.host.magwien.gv.at
> servicePrincipalName: host/VMLXSUCHE1TEST
> msDS-KeyVersionNumber: 5
> 
> KDC: Active Directory 2008
> sshd and ssh: OpenSSH_5.3p1 on Red Hat Enterprise Linux Server release 6.6
> 
> Any hint welcome.

You could try setting GSSAPIStrictAcceptorCheck to "no"
in /etc/ssh/sshd_config on the server.  The sshd_config(5) man page
claims this is there to assist with operation on multi homed machines.

I hope that helps.

Cheers,

Kenny.



-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
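Added example, not part of this thread: a small model of why the behaviour reported above is intermittent and what GSSAPIStrictAcceptorCheck changes. The keytab listing is a constructed copy of the one quoted in the thread (with "@" written out as klist prints it), and SERVER_NAME is an assumption about what gethostname() returns on the server.

```python
"""Model of the OpenSSH GSSAPI acceptor check for a multihomed host (added example)."""
import re

REALM = "MAGWIEN.GV.AT"
# Assumption: the server's gethostname() returns the first of the two PTR names.
SERVER_NAME = "vmlxsuche1test.host.magwien.gv.at"

# Constructed sample, modelled on the `klist -ke` output quoted in the thread.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
   5 host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
"""

# Constructed: the two names the client's reverse lookup of 10.153.92.100 may return.
PTR_NAMES = ["vmlxsuche1test.host.magwien.gv.at", "zktest.host.magwien.gv.at"]


def keytab_principals(listing):
    """Return the set of principals in a `klist -ke` listing (entry lines start with a KVNO)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)", listing, re.M)}


def client_target(ptr_name, realm):
    """Service principal a client derives from the reverse-resolved name (krb5 rdns=true)."""
    return f"host/{ptr_name}@{realm}"


def acceptor_accepts(target, keytab, server_name, realm, strict):
    """sshd behaviour per sshd_config(5): strict -> only host/<own hostname> is acceptable;
    non-strict -> any service key in the keytab may be used."""
    if strict:
        return target == f"host/{server_name}@{realm}"
    return target in keytab


def simulate(strict):
    """For each name the reverse lookup may pick, report whether GSSAPI auth would succeed."""
    keytab = keytab_principals(KEYTAB_LISTING)
    return {name: acceptor_accepts(client_target(name, REALM), keytab, SERVER_NAME, REALM, strict)
            for name in PTR_NAMES}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"GSSAPIStrictAcceptorCheck={'yes' if mode else 'no'}: {simulate(mode)}")
```

With the strict check, the outcome depends on which PTR name the client happened to get, which matches the "sometimes works" symptom; with the check disabled both names are accepted because both keys are in the keytab.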
