Re: Disable name canonicalization for OpenSSH GSSAPI
- From: mrjoel@xxxxxxxxx (Joel Johnson)
- Date: Mon, 17 Sep 2007 21:19:26 -0600
On Mon, Sep 17, 2007 at 11:02:16PM -0400, Ken Raeburn wrote:

>> I'm using OpenSSH (4.3p2) on a Linux client to authenticate via GSSAPI with the gssapi-with-mic SSH mechanism to multiple hosts with an existing Kerberos infrastructure. The issue I'm having is with a new server which for various reasons is located on a DSL link with a dynamic IP address. In turn, I don't have control over the DNS PTR records, so while I have forward resolution set up properly, I'm unable to set up the correct reverse lookup.
>>
>> When I attempt to connect to this host with SSH, a ticket request is made against the KDC for a host ticket using the name obtained by a reverse DNS lookup name canonicalization which is not defined.
>
> If it's the krb5 library doing that, and the reverse lookup fails to get a name, it should use the supplied name (as possibly canonicalized by the getaddrinfo call). Could the ssh code be doing it?
>
> If there's a PTR record defined to point to something in the ISP's domain, that would certainly break things in the krb5 library.

That's exactly the case: the reverse lookup doesn't fail, but returns a hostname completely different from what was requested (instead of host.lixil.net it provides xx.xx.xx.xx.qwest.net).

>> I've found references to the "[libdefaults] rdns = no" entry in krb5.conf, but I'd rather not set the global setting. Is there any way to disable reverse DNS on a per host/IP/regex basis?
>
> Unfortunately, no. But you could try any of:
>
> * put the server in question in /etc/hosts, and make sure nsswitch.conf uses it

I did that as a test to verify that disabling reverse would solve the problem. The problem is that since the IP is susceptible to change it becomes a maintenance nightmare to keep the hosts file in sync.

> * create a separate krb5.conf file setting rdns, and set $KRB5_CONFIG to the pathname (or that pathname and the system one, separated by colons, to combine the data in both) when running ssh (or just ssh to that server), if indeed it's the krb5 library code messing up when rdns is enabled

I've verified that with the rdns setting it functions as expected, while without the rdns entry it breaks. I've additionally verified this by viewing the host ticket requested on the KDC while SSH stalls. On the KDC, tickets are requested in increasing order of generality, i.e. first for host/ABQ.QWEST.NET@REALM and then host/QWEST.NET@REALM. The problem is that the PTR records exist and resolve properly, but they are not at all what is to be expected.

> * figure out what name the krb5 code thinks the host goes by, give it service keys under that name, and add a domain_realm mapping that hostname into your realm

Also fairly ugly, but could be lightened a bit with some manual realm mappings... I'll have to think about this one, but I'll just leave the rdns disabled for now.

Thanks for the input and verifying what I thought.

Joel
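Ken's second suggestion (a private krb5.conf with `rdns = no`, handed to the krb5 library through a colon-separated `KRB5_CONFIG`) can be scoped to just the hosts with bad PTR records by wrapping ssh, so the global setting stays untouched. This is an added example, not code from the thread; the host list, the `~/.krb5-no-rdns.conf` path and the `kssh` name are assumptions for illustration.

```shell
#!/bin/sh
# Per-host rdns override for GSSAPI ssh. Only hosts listed in NO_RDNS_HOSTS
# (constructed list, replace with your own) get a krb5 profile that disables
# reverse-DNS canonicalization; every other host uses the system krb5.conf.

NO_RDNS_HOSTS="host.lixil.net"                  # hypothetical host list
NO_RDNS_CONF="${HOME}/.krb5-no-rdns.conf"       # assumed override file
SYSTEM_CONF="/etc/krb5.conf"                    # usual system profile

# Create the override fragment once; it only carries the rdns setting.
ensure_no_rdns_conf() {
    if [ ! -f "$NO_RDNS_CONF" ]; then
        printf '[libdefaults]\n\trdns = no\n' > "$NO_RDNS_CONF"
    fi
}

# Print the KRB5_CONFIG value for a host: the override file first, then the
# system file, so the libdefaults from both are combined with rdns = no
# found first. Prints nothing for hosts that keep the default behaviour.
krb5_config_for() {
    host="$1"
    for h in $NO_RDNS_HOSTS; do
        if [ "$h" = "$host" ]; then
            printf '%s:%s\n' "$NO_RDNS_CONF" "$SYSTEM_CONF"
            return 0
        fi
    done
    printf '\n'
}

# Usage: kssh [ssh options] [user@]host   (host must be the last argument)
kssh() {
    for last in "$@"; do :; done
    host="${last#*@}"                           # strip a leading user@
    cfg="$(krb5_config_for "$host")"
    if [ -n "$cfg" ]; then
        ensure_no_rdns_conf
        KRB5_CONFIG="$cfg" ssh "$@"             # rdns disabled for this run only
    else
        ssh "$@"
    fi
}
```

Because `KRB5_CONFIG` is set only in the environment of that one ssh process, kinit and every other Kerberos client on the machine keep the system-wide rdns behaviour.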