multihomed IP address

Greg Hudson ghudson at mit.edu
Mon Jun 22 12:43:55 EDT 2015


On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
> We want to connect with ssh via kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this is a required DNS configuration):
> # nslookup vmlxsuche1test
> Name:   vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
> 
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa      name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa      name = zktest.host.magwien.gv.at.
> 
> ssh sometimes works, sometimes does not (falls back to authentication method: password).
> In both cases the credential cache on the client looks equal (got a TGS for both names):

ssh GSSAPI krb5 userauth does not work well when there are multiple
possible results for hostname canonicalization.  For unfortunate
historical reasons, MIT krb5 defaults to reverse-resolving the IP
address when canonicalizing hostnames.

For this situation, I believe adding "rdns = false" to the [libdefaults]
section in krb5.conf should resolve the issue.
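
A simplified model of the canonicalization behaviour described above, added here as an illustration; it is not part of the original message and is not MIT krb5's code. The DNS data is constructed from the nslookup output quoted in the question. The function names and the `ptr_order` parameter are hypothetical, and rotating the PTR set is an assumed stand-in for the resolver handing back one of several names. The realm part of the principal is left out.

```python
# Constructed DNS data mirroring the nslookup output quoted above.
FORWARD = {
    "vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
}
REVERSE = {
    "10.153.92.100": [
        "vmlxsuche1test.host.magwien.gv.at.",
        "zktest.host.magwien.gv.at.",
    ],
}


def canonicalize(host, rdns, ptr_order=0):
    """Return the hostname a client would place in the service principal.

    rdns=True models the default (forward lookup, then reverse-resolve the
    address); rdns=False models "rdns = false" in [libdefaults].
    ptr_order (hypothetical) rotates the PTR set to model answer ordering.
    """
    fqdn, addr = FORWARD[host]
    name = fqdn
    if rdns:
        ptrs = REVERSE.get(addr, [])
        if ptrs:
            k = ptr_order % len(ptrs)
            rotated = ptrs[k:] + ptrs[:k]
            name = rotated[0]  # only a single name reaches the caller
    return name.rstrip(".").lower()


def candidate_principals(host, rdns, service="host"):
    """Every service principal name the client could end up requesting."""
    _, addr = FORWARD[host]
    orders = max(1, len(REVERSE.get(addr, []))) if rdns else 1
    return sorted({f"{service}/{canonicalize(host, rdns, i)}" for i in range(orders)})


def is_ambiguous(host, rdns):
    """True when canonicalization can yield more than one principal."""
    return len(candidate_principals(host, rdns)) > 1


if __name__ == "__main__":
    for rdns in (True, False):
        print(f"rdns={rdns}: {candidate_principals('vmlxsuche1test', rdns)}"
              f" ambiguous={is_ambiguous('vmlxsuche1test', rdns)}")
```
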

