[30866] in Kerberos
Re: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
daemon@ATHENA.MIT.EDU (Mathew Rowley)
Thu Mar 12 22:05:07 2009
Date: Thu, 12 Mar 2009 20:03:45 -0600
From: Mathew Rowley <mathew_rowley@cable.comcast.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <C5DF1B21.9430%mathew_rowley@cable.comcast.com>
In-Reply-To: <49B97ADB.7090909@anl.gov>
Mime-version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
The problem was actually in the sshd_config, it had the ‘useDNS’ line commented out. Switching it to yes fixed the problem.
MAT
On 3/12/09 3:12 PM, "Douglas E. Engert" <deengert@anl.gov> wrote:
> I bet you have an .ssh/config or in the ssh_config
> with a Host section with HostName 10.52.152.77
> If so ssh might be mapping the name you gave into
> in to a string with the numbers. And this is being passed
> to Kerberos.
>
> Douglas E. Engert wrote:
>> >
>> > Mathew Rowley wrote:
>>> >> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>>> >> to a RH4 box, I get the following error from ssh:
>>> >>
>>> >> ...
>>> >> debug1: Authentications that can continue:
>>> >> publickey,gssapi-with-mic,password,keyboard-interactive
>>> >> debug1: Next authentication method: gssapi-with-mic
>>> >> debug1: Unspecified GSS failure. Minor code may provide more information
>>> >> Server not found in Kerberos database
>>> >>
>>> >> debug1: Unspecified GSS failure. Minor code may provide more information
>>> >> Server not found in Kerberos database
>>> >> ...
>>> >>
>>> >> When looking at the krb5kdc.log I see:
>>> >>
>>> >> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>>> >> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>>> >> 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
>>> >> found in Kerberos database
>>> >> krb5kdc: Interrupted system call - while selecting for network input(1)
>>> >>
>>> >> It seems like the box I am trying to ssh to is sending ‘host/10.242.142.77’
>>> >> instead of what I expected ‘host/rsa01.security.lab.comcast.net’. Does
>>> >> anyone have any idea why this would be happening? I have exact same
>>> >> configurations on RH5 boxes that will work properly and send host/FQDN...
>> >
>> > On the client, what is the ssh command you type in?
>> > What is in the /etc/hosts file?
>> > What is in the krb5.conf file?
>> > Is nsswitch.conf mapping any hosts?
>> > What does nslookup rsa01.security.lab.comcast.net show?
>> >
>> > Is this a private network?
>> > Are your DNS servers doing something special and actually returning
>> > the name as 10.242.142.77?
>> >
>> > A Wireshark trace might show what DNS is doing here.
>> >
>>> >> Thanks.
>>> >>
>
> --
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
-- MAT
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
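
Added example, not part of the original thread: a small triage script for the `UNKNOWN_SERVER` entries quoted above, which separates TGS requests for an IP-literal service principal (the symptom in this thread) from requests for a hostname principal that is simply missing from the KDC. The function names and the second log line are constructed for illustration; the first log line is the one quoted in the thread.

```python
import ipaddress
import re

# Sample in the krb5kdc.log format quoted in the thread. Line 1 is the thread's
# entry; line 2 is a constructed contrast case with a hostname principal.
SAMPLE_LOG = """\
Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not found in Kerberos database
Mar 11 23:01:40 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime 1236809289, red@COMCAST.NET for host/typo01.security.lab.comcast.net@COMCAST.NET, Server not found in Kerberos database
"""

# Pulls the requesting address, client principal and the requested
# service/host@REALM out of a failed TGS_REQ line.
TGS_FAIL = re.compile(
    r"TGS_REQ \(.*?\) (?P<client_ip>\S+): UNKNOWN_SERVER: .*?, "
    r"(?P<client>\S+) for (?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>[^,\s]+),"
)

def is_ip_literal(host):
    """True when the host component of the principal is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_unknown_server(log_text):
    """Return one finding per UNKNOWN_SERVER TGS_REQ line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = TGS_FAIL.search(line)
        if not m:
            continue
        ip = is_ip_literal(m["host"])
        hint = ("principal built from an address: check name resolution and "
                "ssh host name settings" if ip
                else "hostname principal is not in the KDC database")
        findings.append({
            "client": m["client"],
            "from": m["client_ip"],
            "requested": f'{m["service"]}/{m["host"]}@{m["realm"]}',
            "ip_literal": ip,
            "hint": hint,
        })
    return findings

if __name__ == "__main__":
    for finding in classify_unknown_server(SAMPLE_LOG):
        print(finding)
```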