Re: OpenSSH with gssapi-with-mic hostname questions




On 17 Sep 2007, at 03:57, Joel Johnson wrote:

When I try and connect to
that server the GSSAPI functionality in the SSH client tries to obtain a
Kerberos host key for the actual reverse hostname (as noted in the KDC logs)
which is not what I requested and of course fails.

This name canonicalisation step is being performed by the GSSAPI library you are linking against. This behaviour was mandated by RFC1964, but has since been deprecated by the more recent Kerberos revisions. Some libraries may offer the ability to disable canonicalisation, but that will be controlled as part of your Kerberos configuration, rather than in the OpenSSH code.

Simon.
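
The behaviour described in the reply above, as an added example that is not part of the original message and is not code from OpenSSH or any Kerberos library: a simplified Python model of how a canonicalising GSSAPI library turns the hostname the user typed into the `host/` principal it requests from the KDC. The DNS tables, hostnames, realm, KDC contents and the `canonicalize` / `rdns` parameters are constructed for illustration.

```python
# Simplified model of host-based service name canonicalisation.
# Every name, address and realm below is a constructed sample value.

# Forward DNS: queried name -> (canonical name, address). The second entry is an alias.
FORWARD = {
    "ssh.example.org": ("ssh.example.org", "192.0.2.10"),
    "login.example.org": ("ssh.example.org", "192.0.2.10"),
}
# Reverse DNS: address -> PTR name, here owned by a hosting provider.
REVERSE = {"192.0.2.10": "node17.hosting.example.net"}

# Principals that exist in the (constructed) KDC database.
KDC_PRINCIPALS = {"host/ssh.example.org@EXAMPLE.ORG"}


def service_principal(requested, realm, canonicalize=True, rdns=True):
    """Return the principal a client would request for `requested`.

    canonicalize: replace the typed name with the forward lookup's canonical name.
    rdns: additionally replace it with the PTR name of the resolved address.
    Both switches are hypothetical knobs of this model.
    """
    host = requested.lower().rstrip(".")
    if canonicalize and host in FORWARD:
        canonical, address = FORWARD[host]
        host = canonical
        if rdns:
            # Fall back to the forward name when no PTR record exists.
            host = REVERSE.get(address, host)
    return f"host/{host.lower().rstrip('.')}@{realm}"


def ticket_request(requested, realm, **options):
    """Return (principal, found_in_kdc) for one connection attempt."""
    principal = service_principal(requested, realm, **options)
    return principal, principal in KDC_PRINCIPALS


if __name__ == "__main__":
    for opts in ({}, {"rdns": False}, {"canonicalize": False}):
        for name in ("ssh.example.org", "login.example.org"):
            print(name, opts, ticket_request(name, "EXAMPLE.ORG", **opts))
```

With both steps enabled the request goes out for the PTR name, which is the mismatch seen in the KDC logs; with canonicalisation off entirely, the alias only works if the KDC holds a principal for the alias itself.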