On Mon, September 17, 2007 8:10 am, Simon Wilkinson wrote:
>> When I try and connect to
>> that server the GSSAPI functionality in the SSH client tries to obtain a
>> Kerberos host key for the actual reverse hostname (as noted in the
>> KDC logs)
>> which is not what I requested and of course fails.

>
> This name canonicalisation step is being performed by the GSSAPI
> library you are linking against. This behaviour was mandated by RFC1964, but
> has since been deprecated by the more recent Kerberos revisions. Some
> libraries may offer the ability to disable canonicalisation, but that will
> be controlled as part of your Kerberos configuration, rather than in the
> OpenSSH code.


Thanks, that's what I was wondering; the reference was great.

For the completeness of the thread and archive posterity, the solution when
using MIT Kerberos (unsure of Heimdal or Shishi) was to add an "rdns = no"
entry to the [libdefaults] section of the krb5.conf file. I've posted a
message to the MIT Kerberos mailing list to see if this can be done on a
finer granularity but haven't heard yet.

Thanks again.

Joel
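An added illustration, not part of the thread above or of any MIT Kerberos or OpenSSH code: the script below reads the [libdefaults] section of a krb5.conf, reports whether reverse-DNS canonicalisation is still enabled (MIT's default when rdns is unset), and models which host/ service principal the GSSAPI client will request with and without the setting. The sample krb5.conf, the realm EXAMPLE.ORG, the hostnames and the forward/reverse DNS tables are all constructed for the example; the canonicalisation model is simplified to a forward lookup followed by a reverse lookup, which is the behaviour the thread describes.

```python
import re
from typing import Dict, Tuple

# Constructed sample krb5.conf (not a real site's configuration).
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf for illustration
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = true
    rdns = no

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

# Constructed DNS data: the name the user types and what its PTR record says.
FORWARD_DNS = {"ssh-alias.example.org": "192.0.2.10"}
REVERSE_DNS = {"192.0.2.10": "node17.hosting.example.net"}


def parse_libdefaults(conf_text: str) -> Dict[str, str]:
    """Return the flat key = value entries of the [libdefaults] section.

    Only [libdefaults] is read; nested sections such as [realms] use
    brace blocks and are skipped. Lines starting with '#' or ';' are
    comments, as in MIT krb5.conf.
    """
    settings: Dict[str, str] = {}
    in_libdefaults = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.match(r"\[(\w+)\]$", line)
        if section:
            in_libdefaults = section.group(1) == "libdefaults"
            continue
        if in_libdefaults and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def rdns_enabled(settings: Dict[str, str]) -> bool:
    """MIT treats an absent rdns as true; only an explicit false/no/0 turns it off."""
    return settings.get("rdns", "true").lower() not in ("false", "no", "0")


def requested_service_principal(host: str, realm: str, rdns: bool) -> str:
    """Model of the host/ principal the GSSAPI library asks the KDC for.

    With rdns enabled the library canonicalises the name through a forward
    lookup and then a reverse lookup, so the ticket is requested for the
    PTR name rather than the name the user typed.
    """
    name = host
    if rdns:
        addr = FORWARD_DNS.get(host)
        name = REVERSE_DNS.get(addr, host)  # fall back to the typed name
    return f"host/{name}@{realm}"


def audit_krb5_conf(conf_text: str, host: str) -> Tuple[bool, str]:
    """Return (rdns_is_enabled, human-readable finding) for a config and target host."""
    settings = parse_libdefaults(conf_text)
    realm = settings.get("default_realm", "UNKNOWN.REALM")
    enabled = rdns_enabled(settings)
    principal = requested_service_principal(host, realm, enabled)
    state = "enabled (default)" if enabled else "disabled via rdns = no"
    return enabled, f"rdns {state}; client will request {principal}"


if __name__ == "__main__":
    target = "ssh-alias.example.org"
    print(audit_krb5_conf(SAMPLE_KRB5_CONF, target)[1])
    without_setting = SAMPLE_KRB5_CONF.replace("    rdns = no\n", "")
    print(audit_krb5_conf(without_setting, target)[1])
```

Running it prints the principal requested with the thread's fix applied (the typed name) beside the one requested when rdns is left at its default (the PTR name), which is the mismatch that shows up in the KDC logs as the failed request.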