Strange behavior with mixed case host name/principal
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Apr 18 13:30:49 EDT 2025
>Workarounds with sshd_conf
>GSSAPIStrictAcceptorCheck no
>or krb5.conf
>ignore_acceptor_hostname = true
>work well, but I want to keep a strict hostname check.

Why, exactly? There are a few multi-homed situations where this
can cause security issues but I don't think they apply here.

There aren't wonderful solutions for this situation other than turning
off strict acceptor checking. The DNS is case-PRESERVING, but
case-insensitive in lookup, so "SERVER" and "server" are treated as
being identical when it comes to hostname lookup. RFC 4120 recommends
folding names to lowercase; that happens sometimes based on a particular
Kerberos implementation (in MIT Kerberos that happens when the hostname
is canonicalized in the function krb5_sname_to_principal() which is
called by most higher-level APIs such as the GSSAPI).
--Ken
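
An added illustration, not part of the original message or of MIT Kerberos: Kerberos principal names compare case-sensitively, so a keytab entry that differs from the lowercase-folded name only in case refers to the same host in the DNS but is a different principal. The script below audits `klist -k` output for such entries; the sample listing, hostnames and realm are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `klist -k` output; hostnames and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/Server.example.com@EXAMPLE.COM
   3 host/db1.example.com@EXAMPLE.COM
   2 HTTP/server.example.com@EXAMPLE.COM
"""

# Matches "<kvno> <service>/<host>@<REALM>"; header and ruler lines do not match.
ENTRY = re.compile(r"^\s*\d+\s+(?P<svc>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)\s*$")

def parse_keytab_listing(text):
    """Return (service, host, realm) for every host-based entry in the listing."""
    return [m.group("svc", "host", "realm")
            for m in map(ENTRY.match, text.splitlines()) if m]

def folded_principal(service, hostname, realm):
    """Name produced when the host component is folded to lowercase."""
    return f"{service}/{hostname.lower()}@{realm}"

def audit(text, service, hostname):
    """Classify keytab entries for `service` on `hostname`.

    'exact'     : identical to the lowercase-folded principal name
    'case-only' : same host under DNS rules, but a different Kerberos principal
    """
    findings = []
    for svc, host, realm in parse_keytab_listing(text):
        # DNS view: hostnames are compared without regard to case.
        if svc != service or host.lower() != hostname.lower():
            continue
        entry = f"{svc}/{host}@{realm}"
        # Kerberos view: principal names are compared case-sensitively.
        kind = "exact" if entry == folded_principal(svc, hostname, realm) else "case-only"
        findings.append((entry, kind))
    return findings

if __name__ == "__main__":
    for entry, kind in audit(SAMPLE_KLIST, "host", "SERVER.example.com"):
        print(f"{kind:9}  {entry}")
```

A `case-only` finding marks a keytab entry to re-key under the lowercase name if the strict acceptor check is to stay enabled.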