Jonathan Simms <[email protected]> writes:
> I'm trying to set up a kerberos infrastructure at work, and currently
> (unfortunately) because of policy, we need to have SSH "jump boxes" to
> gain access to systems "on the inside". This requires fairly involved
> ssh configs, with entries like the following:
> Host inside-host
>     ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
Don't do that, do this:
Host inside-host
    GSSAPITrustDns no
    HostName inside-host.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
The problem is that ssh is attempting to authenticate to the
canonicalization of inside-host in DNS, but since that's inside your
internal network, I bet you don't have DNS available to do the
canonicalization, so you need to tell GSSAPI what the hostname is
separately.
> I've configured the .ssh/config files of both my starting box and the
> jump box with the options:
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDns yes
> I also tried setting (in krb5.conf):
> [libdefaults]
>     rdns = false
> Which seemed to have no effect.
GSSAPITrustDns yes is setting the exact opposite of rdns = false. It's
the equivalent of rdns = true.
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
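A small ssh_config linter for the pitfall in this thread, added here as an illustration rather than anything from the list or from OpenSSH: it flags Host blocks that go through a ProxyCommand while GSSAPITrustDns yes is still in effect or no HostName is given, and it applies the ssh_config rule that the first value obtained for an option wins, so a global GSSAPITrustDns yes above a Host block silently overrides that block's "no". The function name is my own, and it assumes the whitespace-separated "Key value" form with one pattern per Host line.

```shell
#!/bin/sh
# lint_gssapi_jump_hosts FILE
# Reports Host blocks that use a ProxyCommand and either still have
# GSSAPITrustDns yes in effect or give no HostName.  Options before the
# first Host line and under "Host *" are treated as global defaults, and
# for every option the first value seen in a matching section wins, as
# ssh_config specifies.  Exit status 0 when clean, 1 when anything is found.
lint_gssapi_jump_hosts() {
    awk '
    # keep a value for host h only if no earlier matching section set it
    function take(h, k, v) { if (!((h, k) in val)) val[h, k] = v }
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
        key = tolower($1); value = $2          # second token suffices for these checks
        if (key == "host") {
            cur = ($2 == "*") ? "" : $2        # "Host *" behaves as a global section
            if (cur != "" && !(cur in hosts)) {
                hosts[cur] = 1
                for (k in gval) take(cur, k, gval[k])   # earlier globals win
            }
            next
        }
        if (cur == "") {                       # global section: applies to every host
            if (!(key in gval)) gval[key] = value
            for (h in hosts) take(h, key, value)
        } else take(cur, key, value)
    }
    END {
        for (h in hosts) {
            if (!((h, "proxycommand") in val)) continue
            if (tolower(val[h, "gssapitrustdns"]) == "yes") {
                printf "Host %s: GSSAPITrustDns yes is in effect behind a ProxyCommand\n", h
                bad = 1
            }
            if (!((h, "hostname") in val)) {
                printf "Host %s: no HostName, so GSSAPI targets whatever DNS makes of the alias\n", h
                bad = 1
            }
        }
        exit (bad ? 1 : 0)
    }' "$1"
}
```

Run it against ~/.ssh/config on the starting box; a clean result on the original configuration from the question is not possible because the global GSSAPITrustDns yes is inherited by the inside-host block.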
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos