Re: SSH and short-name machine credentials
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri May 30 11:01:43 2014
Date: Fri, 30 May 2014 11:01:30 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jaap <jwinius@umrk.nl>
In-Reply-To: <lma2p9$sud$1@ger.gmane.org>
Message-ID: <alpine.GSO.1.10.1405301058400.25244@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 30 May 2014, Jaap wrote:
> Hi folks,
>
> When SSH with Kerberos authentication is used, how can destination hosts
> with short-name machine credentials be accessed?
>
> For example, when the destination host has machine credentials in the
> form "host/<host>.<domain>@<REALM>" accessing it with SSH is no problem.
> However, when it's "host/<host>@<REALM>" it doesn't and the SSH client
> gives the following error:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server host/<host>.<domain>@<REALM> not found in Kerberos database
>
> Is the only solution here to not use short-name machine credentials?
I don't believe that to be the only solution; modern versions of openssh
have a configuration knob GSSAPIServerIdentity, which I think could be set
to the short hostname (that is, just the "<host>" part, with no "host/" or
".<domain>"). I haven't investigated exactly what code path this
involves; it might require setting rdns=false in the client's krb5.conf as
well.
I believe that sshd also acquires a credential for only the hostname it
sees itself as configured to run on, so the server side may need a tweak
as well.
-Ben Kaduk
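As an added configuration example (not part of Ben's reply and not taken from the OpenSSH or MIT krb5 documentation), this is what the client-side settings described above look like, using the same <host>, <domain> and <REALM> placeholders as the question. It assumes an OpenSSH build whose ssh_config accepts GSSAPIServerIdentity (the option is shipped by the GSSAPI patch set in some distribution packages, not every build) and an MIT krb5 client library; the dns_canonicalize_hostname line is an addition not mentioned in the thread.

```text
# --- Client side: ~/.ssh/config ---
# Constructed example: replace <host>, <domain> and <REALM> with real values.
Host <host>.<domain> <host>
    HostName <host>.<domain>
    GSSAPIAuthentication yes
    # Ask for the short-name service principal host/<host>@<REALM> instead of
    # the canonicalised host/<host>.<domain>@<REALM> that failed in the question.
    # The value is the bare hostname only: no "host/" prefix, no ".<domain>".
    # Assumption: this build's ssh_config understands GSSAPIServerIdentity.
    GSSAPIServerIdentity <host>

# --- Client side: /etc/krb5.conf ---
[libdefaults]
    default_realm = <REALM>
    # Suggested in the reply: stop reverse-DNS lookups from rewriting the
    # short name back into the FQDN before the service ticket is requested.
    rdns = false
    # Added here (not from the thread): MIT krb5 also canonicalises the name
    # through forward DNS unless this is disabled, so rdns alone may not be
    # enough to keep the short principal name.
    dns_canonicalize_hostname = false
```

On the server side, run `klist -k` on the sshd host and confirm the keytab holds a key for host/<host>@<REALM>; sshd can only accept a ticket for a service principal it has a key for, which is the server-side tweak the reply anticipates.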
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos