I'm trying to set up a Kerberos infrastructure at work, and currently (unfortunately) because of policy, we need to have SSH "jump boxes" to gain access to systems "on the inside". This requires fairly involved ssh configs, with entries like the following:

    Host inside-host
        ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"

With ssh public-key this works fine, but when I change my config to use gssapi-with-mic, login fails with the message: "Hostname cannot be canonicalized".

Login to the jump-box using GSSAPI succeeds, and I'm able to forward my credentials, however it seems that the inside box is unhappy. I've configured the .ssh/config files of both my starting box and the jump box with the options:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDns yes

I also tried setting (in krb5.conf):

    [libdefaults]
        rdns = false

Which seemed to have no effect.

Does anyone know if what I'm trying to do is possible?

-Jonathan
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
