OpenSSH with gssapi-with-mic hostname questions
- From: "Joel Johnson" <mrjoel@xxxxxxxxx>
- Date: Sun, 16 Sep 2007 20:57:51 -0600 (MDT)
I have OpenSSH set up and am using gssapi-with-mic to authenticate using my
existing Kerberos (MIT) infrastructure.

The problem I'm having is with a machine on a DSL with a dynamic IP such
that I don't have control over the DNS PTR record. When I try and connect to
that server the GSSAPI functionality in the SSH client tries to obtain a
Kerberos host key for the actual reverse hostname (as noted in the KDC logs)
which is not what I requested and of course fails. An example for
clarification - I try to ssh to box1.example.com and expect to obtain a
Kerberos hostkey for host/box1.example.com@xxxxxxxxxxx, but instead try to
get tickets for host/QWEST.NET@xxxxxxxxxxx which fail, so the
gssapi-with-mic mechanism fails.

As an additional note, I tried putting the relevant entry in /etc/hosts and
everything went exactly as expected. It is obvious that there is a
verification mechanism in place to do the reverse lookup and obtain a
service ticket for that host, but in this instance I need to be able to
disable that reverse lookup. Where can I do this? I'm not entirely sure what
level does the initial request, but any guidance would be appreciated.

Thanks,
Joel Johnson
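
The following diagnostic is an added example, not part of the original post or of OpenSSH/MIT Kerberos: a simplified model of the forward-then-reverse hostname canonicalization described above, reporting which `host/` principal a client would end up requesting. The function names, the `192.0.2.10` address and the `dsl-pool-10.isp.example` PTR name are constructed for illustration, and the realm part of the principal is omitted.

```python
import socket

def forward_lookup(host):
    """Return (canonical_name, first_address) from the system resolver."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return (info[0][3] or host), info[0][4][0]

def reverse_lookup(addr):
    """Return the PTR name for addr, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def host_principal(host, use_reverse=True,
                   forward=forward_lookup, reverse=reverse_lookup):
    """Simplified model: canonicalize host and build host/<name> (no realm)."""
    name, addr = forward(host)
    if use_reverse:
        ptr = reverse(addr)
        if ptr:                      # a PTR record overrides the forward name
            name = ptr
    return "host/" + name.rstrip(".").lower()

def check(host, **kw):
    """Compare the principal implied by the typed name with the derived one."""
    expected = "host/" + host.rstrip(".").lower()
    requested = host_principal(host, **kw)
    return {"expected": expected, "requested": requested,
            "mismatch": expected != requested}

# Constructed sample data: forward record is correct, PTR belongs to the ISP.
SAMPLE_A = {"box1.example.com": "192.0.2.10"}
SAMPLE_PTR = {"192.0.2.10": "dsl-pool-10.isp.example."}

def sample_forward(host):
    return host, SAMPLE_A[host]

def sample_reverse(addr):
    return SAMPLE_PTR.get(addr)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # real lookup against the live resolver
        print(check(sys.argv[1]))
    else:                            # offline run on the constructed records
        print(check("box1.example.com",
                    forward=sample_forward, reverse=sample_reverse))
```

Run with a hostname argument to test the live resolver; a `mismatch` of `True` means the KDC will be asked for a principal other than the one registered for the typed name. The `use_reverse=False` path corresponds to MIT krb5's `rdns = false` setting in the `[libdefaults]` section of `krb5.conf`.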