Kerberos 5 and DNS aliases - Kerberos



Thread: Kerberos 5 and DNS aliases

  1. Kerberos 5 and DNS aliases

    Colleagues,

    If a server is known by several names in DNS, how can I make GSSAPI
    authentication work with all those names?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  2. Re: Kerberos 5 and DNS aliases

    Victor Sudakov wrote:
    > Colleagues,
    >
    > If a server is known by several names in DNS, how can I make GSSAPI
    > authentication work with all those names?
    >


    What's the real question? This is about the PTR records?

    Danny

  3. Re: Kerberos 5 and DNS aliases

    Danny Mayer wrote:
    > >
    > > If a server is known by several names in DNS, how can I make GSSAPI
    > > authentication work with all those names?
    > >


    > What's the real question?


    Here is the real question.

    I have created a principal for each of the several names, and placed
    these principals' keys into the destination server's keytab. However
    when I try to ssh into this server, GSSAPI auth works only for one of
    these names, actually the name which is equal to the server's `hostname`.
    I can even choose which name will work, by changing the server's
    `hostname`. But only one name at a time will work.

    > This is about the PTR records?


    I really do not know why the above setup does not work as I expect.

    If the matter is really about PTR records, please elaborate. I have
    never known that Kerberos uses PTR records in any way.

    The system is FreeBSD 6.2 with stock Kerberos and ssh.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  4. Re: Kerberos 5 and DNS aliases

    In article ,
    Victor Sudakov wrote:

    >The system is FreeBSD 6.2 with stock Kerberos and ssh.


    I don't know the answer here, but anyone replying should note that
    this means Victor is using Heimdal, not MIT Kerberos.

    -GAWollman
    --
    Garrett A. Wollman | The real tragedy of human existence is not that we are
    wollman@csail.mit.edu| nasty by nature, but that a cruel structural asymmetry
    Opinions not those | grants to rare events of meanness such power to shape
    of MIT or CSAIL. | our history. - S.J. Gould, Ten Thousand Acts of Kindness

  5. Re: Kerberos 5 and DNS aliases


    On 2 Dec 2007, at 06:32, Victor Sudakov wrote:

    >
    > I have created a principal for each of the several names, and placed
    > these principals' keys into the destination server's keytab. However
    > when I try to ssh into this server, GSSAPI auth works only for one of
    > these names, actually the name which is equal to the server's
    > `hostname`.
    > I can even choose which name will work, by changing the server's
    > `hostname`. But only one name at a time will work.


    The GSSAPI library is canonicalising the name passed to it, by doing
    a forwards, then a reverse lookup in the DNS to obtain the fully
    qualified hostname of the machine which you are connecting to. Recent
    MIT releases provide a means of disabling this canonicalisation, but
    I'm not sure about Heimdal.

    Simon.

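    The canonicalisation step Simon describes (forward lookup, then a reverse lookup of the resulting address, and the result becomes the host/ part of the service principal) is easy to reason about with a small model. The following is an added example, not code from the thread or from either Kerberos implementation: it replaces the system resolver with a constructed zone table (real libraries go through getaddrinfo/getnameinfo, which may also consult /etc/hosts), and its `dns_canonicalize` and `rdns` switches stand in for the MIT krb5.conf [libdefaults] settings `dns_canonicalize_hostname` and `rdns`; Heimdal's behaviour is not modelled. The keytab sets, the realm EXAMPLE.TEST and all host names and addresses are constructed.

```python
"""Model of GSSAPI/Kerberos host-name canonicalisation (constructed example).

Before asking the KDC for a service ticket, the client library turns the
name the user typed into a host/ principal.  Modelled here: a forward lookup
that follows CNAMEs to the canonical name, then a reverse lookup of the
resulting address, whose answer (when present) wins.
"""

REALM = "EXAMPLE.TEST"  # constructed realm

# Constructed zone: www and mail are CNAMEs to srv1; srv2's PTR does not
# agree with its A record, the classic reverse-lookup pitfall.
ZONE_CNAME = {
    "www.example.test": "srv1.example.test",
    "mail.example.test": "srv1.example.test",
}
ZONE_A = {
    "srv1.example.test": "192.0.2.10",
    "srv2.example.test": "192.0.2.20",
}
ZONE_PTR = {
    "192.0.2.10": "srv1.example.test",
    "192.0.2.20": "box2.example.test",  # mismatched PTR
}


def forward_lookup(name):
    """Follow CNAMEs to the canonical name; return (canonical_name, address)."""
    seen = set()
    while name in ZONE_CNAME:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = ZONE_CNAME[name]
    if name not in ZONE_A:
        raise LookupError(f"no A record for {name}")
    return name, ZONE_A[name]


def reverse_lookup(address):
    """Return the PTR name for an address, or None when there is no PTR."""
    return ZONE_PTR.get(address)


def canonicalize(hostname, dns_canonicalize=True, rdns=True):
    """Return the name the client library will put into the host/ principal."""
    name = hostname.rstrip(".").lower()
    if not dns_canonicalize:
        return name                      # use the name exactly as typed
    canon, address = forward_lookup(name)
    if rdns:
        ptr = reverse_lookup(address)
        if ptr:                          # reverse answer overrides forward name
            canon = ptr
    return canon.lower()


def service_principal(hostname, dns_canonicalize=True, rdns=True):
    """Service principal the client will request a ticket for."""
    return f"host/{canonicalize(hostname, dns_canonicalize, rdns)}@{REALM}"


def auth_would_succeed(hostname, keytab, dns_canonicalize=True, rdns=True):
    """True when the server's keytab holds the principal the client requests."""
    return service_principal(hostname, dns_canonicalize, rdns) in keytab


# Constructed keytab with one entry per DNS name, as the original poster did.
KEYTAB_ALL_NAMES = {
    f"host/{n}@{REALM}"
    for n in ("srv1.example.test", "www.example.test", "mail.example.test")
}
# Constructed keytab that holds only the alias users actually type.
KEYTAB_ALIAS_ONLY = {f"host/www.example.test@{REALM}"}


if __name__ == "__main__":
    # Show which principal each client setting asks for, per typed name.
    for host in ("www.example.test", "srv2.example.test"):
        for dc, rd in ((True, True), (True, False), (False, False)):
            print(f"{host:18} canonicalize={dc!s:5} rdns={rd!s:5} -> "
                  f"{service_principal(host, dc, rd)}")
```

    Two things the model makes visible: with canonicalisation on, every alias collapses onto the canonical name, so an alias-only keytab entry is never consulted and the single entry for the canonical name covers all aliases; and a PTR that disagrees with the forward name (srv2 above) makes the client ask for a principal nobody keyed. Turning canonicalisation off makes the typed name the principal, which is when per-alias keytab entries start to matter. To diagnose a real server, compare the principal the client requests (visible with KRB5_TRACE on MIT, or the KDC's TGS request log) against the keytab listing.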

  6. Re: Kerberos 5 and DNS aliases

    Simon Wilkinson wrote:
    > >
    > > I have created a principal for each of the several names, and placed
    > > these principals' keys into the destination server's keytab. However
    > > when I try to ssh into this server, GSSAPI auth works only for one of
    > > these names, actually the name which is equal to the server's
    > > `hostname`.
    > > I can even choose which name will work, by changing the server's
    > > `hostname`. But only one name at a time will work.


    > The GSSAPI library is canonicalising the name passed to it, by doing
    > a forwards, then a reverse lookup in the DNS to obtain the fully
    > qualified hostname of the machine which you are connecting to.


    If so, why does the available name depend on the `hostname` setting
    without any change in the DNS?

    > Recent
    > MIT releases provide a means of disabling this canonicalisation, but
    > I'm not sure about Heimdal.


    Does an ssh client really pass any server name to sshd during GSSAPI
    negotiation?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/
