Re: Weird behaviour: what's going on?

From: Richard E. Silverman (res_at_qoxp.net)
Date: 07/14/05

• Next message: Matthew Poole: "Forcing ssh connections to a server to use a particular port"
• Previous message: Nico Kadel-Garcia: "Re: OpenSSH CHROOT newbie"
• In reply to: Sensei: "Re: Weird behaviour: what's going on?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 14 Jul 2005 00:26:18 -0400

>
> On 2005-07-13 07:04:02 -0500, "Richard E. Silverman" <res@qoxp.net> said:
> > First, regardless of what the server is doing, your client is trying to
> > use Kerberos for the key exchange:
>
> Yes, but that's not a problem, since there's a problem with DNS...

The use of Kerberos is the reason your client needs to do the reverse
lookup in the first place; it would not need to do it otherwise.

> > It is, and it will use it in case you have a ticket so I can delegate
> > credential and use a passwordless login, but this is not the case: I'm
> > not using kerberos on this client now.

You are mistaken. This:

> >> gssapi debug1: Next authentication method: gssapi
> >> debug2: we sent a gssapi packet, wait for reply

... shows that your client has obtained a ticket for the remote service,
and sent it. The gssapi key exchange code insists on canonicalizing the
name, whereas the userauth code does not; hence, the lack of a reverse
mapping will block the Kerberos key exchange while Kerberos user
authentication can still work (assuming the hostname you give is in fact
the one in the server's principal name).

> It doesn't matter whether you've touched it or not; it's clearly not
> working. Your reverse lookups are timing out.

> > Ok, now the question is (yes, I'm paranoid): which DNS? The client side
> > or the server side DNS?

It is the client's reverse lookup of the server name that is failing.

-- 
  Richard Silverman
  res@qoxp.net

---

• Next message: Matthew Poole: "Forcing ssh connections to a server to use a particular port"
• Previous message: Nico Kadel-Garcia: "Re: OpenSSH CHROOT newbie"
• In reply to: Sensei: "Re: Weird behaviour: what's going on?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Kerberos with Windows Integrated authentication ... behaviour if your Web server is in the client broweser's Internet zone. ... referencing it by computer name rather than FQDN), the browser will request ... Obviously, if you want to use Kerberos for authentication, you will either ... (microsoft.public.windows.server.security) Re: Kerberised NFS ... Kerberised NFS presumably requires authentication and encryption between client and server, so presumably the client needs to get a ticket prior to contacting the server. ... server with kerberos security options, and successfully automounting user's home directories on client machines when they log in. ... (comp.protocols.kerberos) Re: Kerberos authentication fails ... we had have kerberos log activated yesterday while we test the ... Client Server Name: ... * System Event logs in GPRSServer03 ... Server domain: DISTROMEL.GPRS ... (microsoft.public.sqlserver) Re: Kerberos authentication fails ... we had have kerberos log activated yesterday while we test the ... Client Server Name: ... * System Event logs in GPRSServer03 ... Server domain: DISTROMEL.GPRS ... (microsoft.public.win2000.security) Re: Server not found in Kerberos Database ... Server not found in Kerberos Database ... When I am trying to do a kinit on the client, ... I have a KDC on Win2003 and a client which is a Linux is trying = ... (comp.protocols.kerberos)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.ssh  > 2005-07