Strange behavior with mixed case host name/principal

Jafar Aliev tubecleaner at gmail.com
Fri Apr 18 12:41:53 EDT 2025


Good day.
My setup:
rhel-based distro
OpenSSH_8.9p1 sshd
kerberos-libs 1.20.1
sssd 2.8.2

Server joined the Windows AD via realm. Authentication from a Windows
client (PuTTY 0.71) via password works well, but GSSAPI fails with this
error (sshd logs):

No credentials were supplied, or the credentials were unavailable or
inaccessible\nNo key table entry found matching
host/SERVER.domain.local@

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 SERVER$@DOMAIN.LOCAL
   4 SERVER$@DOMAIN.LOCAL
   4 host/SERVER@DOMAIN.LOCAL
   4 host/SERVER@DOMAIN.LOCAL
   4 host/SERVER.domain.local@DOMAIN.LOCAL
   4 host/SERVER.domain.local@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL

$ hostname -f
SERVER.domain.local

$ dig +short -x <IP>
SERVER.domain.local

krb5.conf
=======
includedir /etc/krb5.conf.d/
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    default_keytab_name = FILE:/etc/krb5.keytab
[realms]
[domain_realm]

Workarounds with sshd_config
GSSAPIStrictAcceptorCheck no
or krb5.conf
ignore_acceptor_hostname = true
work well, but I want to keep a strict hostname check.

Well, I have found that if I use an all-lowercase hostname, all works well:

$ hostname -f
server.domain.local

$ dig +short -x <IP>
server.domain.local

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER$@DOMAIN.LOCAL
   2 SERVER$@DOMAIN.LOCAL
   2 host/SERVER@DOMAIN.LOCAL
   2 host/SERVER@DOMAIN.LOCAL
   2 host/server.domain.local@DOMAIN.LOCAL
   2 host/server.domain.local@DOMAIN.LOCAL
   2 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   2 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   2 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL
   2 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL


Apr 18 19:37:54 server.domain.local sshd[51224]: Authorized to
jafar@domain.local, krb5 principal jafar@DOMAIN.LOCAL
(ssh_gssapi_krb5_cmdok)
Apr 18 19:37:55 server.domain.local sshd[51224]: Accepted
gssapi-with-mic for jafar@domain.local from 10.*.*.* port 57997 ssh2:
jafar@DOMAIN.LOCAL
Apr 18 19:37:55 server.domain.local sshd[51224]:
pam_unix(sshd:session): session opened for user
jafar@domain.local(uid=***) by (uid=0)


Is this expected behavior, or do I not understand something?
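As an added preflight check (not code from the post, OpenSSH or MIT krb5), the script below compares the host-based acceptor principals sshd asks for under GSSAPIStrictAcceptorCheck with a `klist -k` listing, using a simplified matching rule (empty realm matches any realm, host part byte-exact or case-folded) that is an assumption of this example rather than libkrb5's own lookup; the sample listing is constructed from the first keytab shown above.

```python
import re
from typing import NamedTuple

class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_principal(text):
    """Parse 'service/host@REALM'; the realm may be empty, as in 'host/SERVER.domain.local@'."""
    m = re.fullmatch(r"([^/@]+)/([^/@]*)@([^/@]*)", text)
    if not m:
        raise ValueError(f"not a host-based principal: {text!r}")
    return Principal(*m.groups())

def parse_klist(output):
    """Host-based principals from `klist -k` output; SERVER$@REALM machine entries are skipped."""
    rows = (re.match(r"\s*\d+\s+(\S+)$", line) for line in output.splitlines())
    return [parse_principal(m.group(1)) for m in rows if m and "/" in m.group(1)]

def matches(wanted, entry, casefold=False):
    # Simplified lookup model (an assumption, not libkrb5's algorithm): service must match,
    # an empty wanted realm matches any realm, host is byte-exact unless casefold is set.
    if wanted.service != entry.service or (wanted.realm and wanted.realm != entry.realm):
        return False
    if casefold:
        return wanted.host.lower() == entry.host.lower()
    return wanted.host == entry.host

def check_acceptor(fqdn, klist_output, services=("host", "RestrictedKrbHost")):
    """Per service: 'exact', 'case-only' (keytab string differs from the hostname in case
    alone, so a hostname case change needs a regenerated keytab) or 'missing'."""
    entries = parse_klist(klist_output)
    verdict = {}
    for svc in services:
        wanted = Principal(svc, fqdn, "")  # sshd passes no realm: "host/...@" in the log
        if any(matches(wanted, e) for e in entries):
            verdict[svc] = "exact"
        elif any(matches(wanted, e, casefold=True) for e in entries):
            verdict[svc] = "case-only"
        else:
            verdict[svc] = "missing"
    return verdict

# Constructed sample modelled on the first keytab listing in the post.
SAMPLE_KLIST = """\
   4 SERVER$@DOMAIN.LOCAL
   4 host/SERVER.domain.local@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL
"""
```

With real data, pass the output of `hostname -f` and `klist -k` (root is needed to read /etc/krb5.keytab) to check_acceptor; a 'case-only' verdict after a hostname change means the keytab no longer carries the name as written and must be regenerated, which is what the second listing above reflects.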


More information about the Kerberos mailing list