[39508] in Kerberos
Re: Strange behavior with mixed case host name/principal
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Fri Apr 18 15:14:05 2025
Message-Id: <202504181849.53IInIag016366@hedwig.cmf.nrl.navy.mil>
To: Jafar Aliev <tubecleaner@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CALwi_rrjcwfdY8C-cy0DYjZdqGm8i4QWHeq3_2wes7tb3Tn0jw@mail.gmail.com>
Date: Fri, 18 Apr 2025 14:49:18 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>Ken, thank you for the fast response.
>
>Your answer almost fulfills my request. I'll incorporate extra checks
>in our playbooks to strict hostname cases.
>
>One small splinter will remain: why kerberos lib indicates error with
>exact host principal name that it has in keytab.

Is it possible the kvnos don't match? I'll be honest; I sometimes resort
to running the debugger in these situations. The use of the KRB5_TRACE
variable is also sometimes useful; you can use it to enable Kerberos
debug tracing. You'd want to arrange things so the sshd has it set in
its environment, presumably by a systemd unit file override. You want
to give it a filename to write the trace output to, e.g.:

    KRB5_TRACE=/tmp/sshd.trace.out

--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
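
The kvno question raised in the reply above can be checked by comparing what the keytab holds with what the KDC issues. The script below is an added example, not part of the original message: it parses saved output of `klist -k` and `kvno`, and also lists keytab entries that differ from the requested principal only by case. The function names, the principal names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are saved text from `klist -k <keytab>` and
# `kvno <principal>`; the sample text below is constructed.

# Print the kvnos the keytab holds for exactly this principal (case-sensitive).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# Print keytab principals that differ from the requested one only by case.
keytab_case_variants() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 != p && tolower($2) == tolower(p) { print $2 }' |
        LC_ALL=C sort -u
}

# Print the kvno the KDC reported ("<principal>: kvno = N").
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4; exit }'
}

# check_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Prints one verdict line; returns 0 only when the keytab has the KDC's kvno.
check_kvno() {
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1" | tr '\n' ' ')
    have=${have% }
    want=$(printf '%s\n' "$3" | kdc_kvno "$1")
    other=$(printf '%s\n' "$2" | keytab_case_variants "$1" | tr '\n' ' ')
    other=${other% }
    if [ -z "$want" ]; then echo "no-kdc-answer"; return 2; fi
    if [ -z "$have" ]; then echo "not-in-keytab case-variants=[$other]"; return 1; fi
    for k in $have; do
        if [ "$k" = "$want" ]; then echo "match kvno=$want"; return 0; fi
    done
    echo "kvno-mismatch keytab=[$have] kdc=$want case-variants=[$other]"
    return 1
}

# Constructed sample: two case variants in the keytab, KDC one version ahead.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/Server1.example.com@EXAMPLE.COM
   2 host/server1.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/server1.example.com@EXAMPLE.COM: kvno = 3'

# Non-zero status means the keytab does not hold the KDC's current kvno.
check_kvno 'host/server1.example.com@EXAMPLE.COM' "$SAMPLE_KLIST" "$SAMPLE_KVNO" || :
```

On a live host the two text arguments would come from `klist -k` on the server's keytab and from `kvno` run with a valid ticket for the same realm.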