OpenSSH with gssapi-with-mic hostname questions



I have OpenSSH set up and am using gssapi-with-mic to authenticate using my
existing Kerberos (MIT) infrastructure.

The problem I'm having is with a machine on a DSL with a dynamic IP such
that I don't have control over the DNS PTR record. When I try and connect to
that server the GSSAPI functionality in the SSH client tries to obtain a
Kerberos host key for the actual reverse hostname (as noted in the KDC logs)
which is not what I requested and of course fails. An example for
clarification - I try to ssh to box1.example.com and expect to obtain a
Kerberos hostkey for host/box1.example.com@xxxxxxxxxxx, but instead try to
get tickets for host/QWEST.NET@xxxxxxxxxxx which fail, so the
gssapi-with-mic mechanism fails.

As an additional note, I tried putting the relevant entry in /etc/hosts and
everything went exactly as expected. It is obvious that there is a
verification mechanism in place to do the reverse lookup and obtain a
service ticket for that host, but in this instance I need to be able to
disable that reverse lookup. Where can I do this? I'm not entirely sure what
level does the initial request, but any guidance would be appreciated.

Thanks,
Joel Johnson
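
The behaviour described in the post can be reproduced offline with a small model. This is an added example, not part of the original post and not OpenSSH or MIT Kerberos code. It shows how a reverse lookup changes the service principal the client requests, and why the /etc/hosts entry made it work. The addresses, the ISP hostname, the realm and all function names are constructed placeholders.

```python
# Constructed data modelling the post's setup; every name and address is a placeholder.
DNS_A = {"box1.example.com": "192.0.2.10"}              # forward zone (poster controls)
DNS_PTR = {"192.0.2.10": "dsl-10.isp.example.net"}      # reverse zone (ISP controls)
KDC_PRINCIPALS = {"host/box1.example.com@EXAMPLE.COM"}  # what the KDC actually holds


def forward(name, hosts):
    """Name -> address; a hosts-file entry wins over DNS."""
    for addr, names in hosts.items():
        if name in names:
            return addr
    return DNS_A[name]


def reverse(addr, hosts):
    """Address -> name; the first hosts-file name wins over the PTR record."""
    if addr in hosts:
        return hosts[addr][0]
    return DNS_PTR.get(addr)


def service_principal(requested, realm, reverse_lookup=True, hosts=None):
    """Principal a GSSAPI client would request when connecting to `requested`."""
    hosts = hosts or {}
    canonical = requested
    if reverse_lookup:
        ptr = reverse(forward(requested, hosts), hosts)
        if ptr:  # no PTR record at all: keep the name the user typed
            canonical = ptr
    return f"host/{canonical.lower().rstrip('.')}@{realm}"


def diagnose(requested, realm, hosts=None):
    """Compare both canonicalization modes against the KDC's principal set."""
    report = {}
    for mode, flag in (("with_reverse_lookup", True), ("forward_only", False)):
        princ = service_principal(requested, realm, flag, hosts)
        report[mode] = (princ, princ in KDC_PRINCIPALS)  # (principal, KDC has it?)
    return report


if __name__ == "__main__":
    print(diagnose("box1.example.com", "EXAMPLE.COM"))
    # Same lookup after adding "192.0.2.10 box1.example.com" to the hosts file
    print(diagnose("box1.example.com", "EXAMPLE.COM",
                   {"192.0.2.10": ["box1.example.com"]}))
```

In current MIT krb5 releases the reverse-lookup step is governed by the `rdns` setting in the `[libdefaults]` section of krb5.conf.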


