Multiple hostnames with same IP address (DNS A record)
daemon@ATHENA.MIT.EDU (petesea@bigfoot.com)
Tue Apr 26 15:41:49 2011
Date: Tue, 26 Apr 2011 12:41:31 -0700 (PDT)
From: petesea@bigfoot.com
To: kerberos@mit.edu
Message-ID: <alpine.OSX.2.00.1104261123440.818@nikto-air>
Is it possible to use Kerberos (specifically OpenSSH w/GSSAPI Key
Exchange) on a system with 2 hostnames, but both hostnames have the same
DNS A record and therefore the same IP address?
The problem I'm seeing is OpenSSH using gssapi-keyex authentication only
seems to work part of the time. The rest of the time I get the following
when ssh'ing from a client to this particular host:
...
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_COMPLETE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: An invalid name was supplied
No error
gss_init_context failed
I'm guessing this is because the client system is confused because
multiple hostnames are returned from a reverse DNS lookup of the server
IP.
The odd thing about this is it only fails when ssh'ing FROM a Linux
(Red Hat/CentOS) host. If the connection comes from an OS X host (10.3,
10.4, 10.5, 10.6) it works 100% of the time. And, I only have one Solaris
host (2.8), but it seems to work fine from it as well. The OS X and
Solaris hosts are all using various versions of OpenSSH w/GSSAPI Key
Exchange.
The server is CentOS 4.8 using OpenSSH 5.6 w/GSSAPI Key Exchange. The
OpenSSH server was built with statically linked Kerberos 1.6.3.
The host has 2 hostnames, but the DNS A record for both hostnames is the
same, so:
$ host external.example.com
external.example.com has address 1.2.3.4
$ host internal.example.com
internal.example.com has address 1.2.3.4
$ host 1.2.3.4
4.3.2.1.in-addr.arpa domain name pointer external.example.com.
4.3.2.1.in-addr.arpa domain name pointer internal.example.com.
There are "host" principals for both hostnames in /etc/krb5.keytab and
GSSAPIStrictAcceptorCheck is set to "no" in sshd_config.
Is this a bug/deficiency in the standard Kerberos library? Or a
bug/deficiency in how OpenSSH is using it? I'm guessing this, only
because it seems to work fine when coming from an OS X host and I
understand OS X uses their own customized Kerberos and/or OpenSSH
implementation.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
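The situation described in the post (one address, two A records, two PTR records, and an intermittent "An invalid name was supplied") is easiest to reason about by modelling which host/ principal a client could end up asking for. The following is an added example, not code from the original post or from MIT Kerberos: the DNS data is constructed to mirror the poster's setup, the realm EXAMPLE.COM is assumed, and the canonicalisation is a simplified model of MIT krb5's behaviour under the [libdefaults] rdns setting (rdns = true: the client reverse-maps the server address and uses the PTR name; rdns = false: it keeps the forward name). It reports every principal the client might request and which of those are absent from the server's keytab.

```python
"""Model of Kerberos host-principal selection when one IP has several
hostnames.  Added example (not from the original post or from MIT krb5);
DNS data below is constructed, realm is assumed, canonicalisation is a
simplified model of the krb5 rdns behaviour."""

from typing import Dict, List, Set

# Constructed DNS data mirroring the post: two A records, one address, two PTRs.
A_RECORDS: Dict[str, str] = {
    "external.example.com": "1.2.3.4",
    "internal.example.com": "1.2.3.4",
}
PTR_RECORDS: Dict[str, List[str]] = {
    "1.2.3.4": ["external.example.com", "internal.example.com"],
}

REALM = "EXAMPLE.COM"  # assumed realm, not stated in the post


def candidate_spns(hostname: str, realm: str, rdns: bool,
                   a_records: Dict[str, str] = A_RECORDS,
                   ptr_records: Dict[str, List[str]] = PTR_RECORDS) -> Set[str]:
    """Return every host/ principal a client might ask the KDC for.

    With rdns enabled the client reverse-maps the server address and takes
    whichever PTR the resolver hands back first; resolvers do not guarantee
    order, so every PTR name is a possible outcome.  With rdns disabled the
    forward name is used as given (lower-cased, trailing dot stripped).
    """
    name = hostname.rstrip(".").lower()
    if name not in a_records:
        raise ValueError(f"no A record for {name}")
    if not rdns:
        return {f"host/{name}@{realm}"}
    addr = a_records[name]
    ptrs = ptr_records.get(addr, [])
    if not ptrs:
        # No PTR record: fall back to the forward name.
        return {f"host/{name}@{realm}"}
    return {f"host/{p.rstrip('.').lower()}@{realm}" for p in ptrs}


def missing_principals(candidates: Set[str], keytab: Set[str]) -> Set[str]:
    """Candidate principals that have no key in the server's keytab.

    A ticket for such a name cannot be accepted by sshd, so the client's
    choice of name decides whether the login works.
    """
    return candidates - keytab


def check_host(hostname: str, realm: str, keytab: Set[str], rdns: bool) -> List[str]:
    """Human-readable findings for one hostname / rdns combination."""
    findings: List[str] = []
    cands = candidate_spns(hostname, realm, rdns)
    findings.append(f"{hostname} rdns={rdns}: client may request {sorted(cands)}")
    for spn in sorted(missing_principals(cands, keytab)):
        findings.append(f"  MISSING from keytab: {spn}")
    if rdns and len(cands) > 1:
        findings.append("  NOTE: outcome depends on PTR order; rdns = false "
                        "in [libdefaults] makes it deterministic")
    return findings


if __name__ == "__main__":
    # Keytab as the poster describes it (both host principals present),
    # and a keytab with only one of them, for comparison.
    full_keytab = {f"host/external.example.com@{REALM}",
                   f"host/internal.example.com@{REALM}"}
    partial_keytab = {f"host/external.example.com@{REALM}"}
    for kt in (full_keytab, partial_keytab):
        for rdns in (True, False):
            for line in check_host("internal.example.com", REALM, kt, rdns):
                print(line)
        print()
```

With both principals in the keytab the check passes either way, which matches what the post describes on the server side; the model still flags that under rdns = true the requested name depends on which PTR the resolver returns first, so the name seen by the KDC and by sshd can differ from one connection to the next. From a hardening standpoint the reverse lookup also means the PTR zone, not the name the user typed, decides which service the client authenticates to; setting rdns = false in [libdefaults] on the clients removes that dependency and makes the requested principal predictable.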