On Sun, Sep 26, 2010 at 12:22 AM, Russ Allbery <[email protected]> wrote:
> Jonathan Simms <[email protected]> writes:
>
>> I'm trying to set up a Kerberos infrastructure at work, and currently
>> (unfortunately) because of policy, we need to have SSH "jump boxes" to
>> gain access to systems "on the inside". This requires fairly involved
>> ssh configs, with entries like the following:
>
>> Host inside-host
>> ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"
>
> Don't do that, do this:
>
> Host inside-host
> GSSAPITrustDns no
> HostName inside-host.inside.domain
> ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"
>
> The problem is that ssh is attempting to authenticate to the
> canonicalization of inside-host in DNS, but since that's inside your
> internal network, I bet you don't have DNS available to do the
> canonicalization, so you need to tell GSSAPI what the hostname is
> separately.
>
>> I've configured the .ssh/config files of both my starting box and the
>> jump box with the options:
>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPITrustDns yes
>
>> I also tried setting (in krb5.conf):
>
>> [libdefaults]
>> rdns = false
>
>> Which seemed to have no effect.
>
> GSSAPITrustDns yes is setting the exact opposite of rdns = false. It's
> the equivalent of rdns = true.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
Ok, I tested setting GSSAPITrustDns and putting the FQDN in HostName and it
does indeed work. :)

(This is rather unfortunate, just because it means you'd have to put the FQDN
in for each "short name" you want to use, which is a little unwieldy in our
environment.)

So, if instead I were on a VPN, and had access to our internal resolvers, I
could set GSSAPITrustDns to true and everything would work?

Thanks for the clarification :)

--
Jonathan
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
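The ssh_config behaviour the two messages above turn on (the first value obtained for a keyword wins across matching Host stanzas, %h in ProxyCommand expands to the HostName, and GSSAPITrustDns decides whether the name handed to GSSAPI comes from DNS canonicalization or from HostName) can be checked mechanically before a connection is attempted. The following is an added example, not code from either poster or from OpenSSH: a small Python lint that parses a constructed ssh_config containing the broken stanza from the question, the fixed stanza from the answer and the poster's global options, computes the effective options for an alias, and flags the combination the thread diagnoses. The sample config and the warning wording are constructed for this example; the parser covers only the subset of ssh_config syntax used here (no Match blocks, no `Keyword=value` form, tokens %h, %p and %% only).

```python
"""Lint ssh_config Host stanzas for the GSSAPI hostname pitfall.

Added example for this thread, not code from OpenSSH or either poster.
Simplifications: Host patterns use *, ? and ! only; no Match blocks;
no 'Keyword=value' form; tokens handled are %h, %p and %%.
"""
import fnmatch
import re
import sys

# Constructed sample: broken stanza from the question, fixed stanza from
# the answer, and the global options the poster had enabled.
SAMPLE_CONFIG = """\
Host inside-host
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h.inside.domain %p"

Host inside-host2
    GSSAPITrustDns no
    HostName inside-host2.inside.domain
    ProxyCommand ssh -t jump-box.example.com "nc -w2 %h %p"

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
"""


def parse_ssh_config(text):
    """Return (patterns, options) stanzas in file order; keywords are
    lower-cased and the first occurrence within a stanza is kept."""
    stanzas = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(keyword, value)
    if options:
        stanzas.append((patterns, options))
    return stanzas


def host_matches(patterns, alias):
    """ssh Host matching: a negated pattern (!pat) vetoes the stanza,
    otherwise any positive pattern matching the alias selects it."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(alias, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in positive)


def effective_options(stanzas, alias):
    """Merge matching stanzas; the first value seen for a keyword wins."""
    merged = {}
    for patterns, options in stanzas:
        if host_matches(patterns, alias):
            for keyword, value in options.items():
                merged.setdefault(keyword, value)
    return merged


def expand_tokens(value, host, port="22"):
    """Expand %h, %p and %% the way ssh does for HostName/ProxyCommand."""
    table = {"h": host, "p": port, "%": "%"}
    return re.sub(r"%([hp%])", lambda m: table[m.group(1)], value)


def gssapi_target(stanzas, alias):
    """Resolved HostName, expanded ProxyCommand and the name given to GSSAPI."""
    opts = effective_options(stanzas, alias)
    # HostName defaults to the alias; %h inside HostName is the alias itself.
    hostname = expand_tokens(opts.get("hostname", alias), alias)
    trust_dns = opts.get("gssapitrustdns", "no").lower() == "yes"
    # In ProxyCommand, %h is the already-expanded HostName.
    proxy = expand_tokens(opts.get("proxycommand", ""), hostname)
    target = f"DNS canonicalization of {hostname}" if trust_dns else hostname
    return {"hostname": hostname, "trust_dns": trust_dns,
            "proxycommand": proxy, "gssapi_target": target}


def lint(stanzas, alias):
    """Findings for one alias; the first is the failure seen in the thread."""
    info = gssapi_target(stanzas, alias)
    findings = []
    if info["trust_dns"] and "." not in info["hostname"]:
        findings.append(
            f"{alias}: GSSAPITrustDns yes with short HostName "
            f"'{info['hostname']}'; without internal DNS the principal "
            "lookup fails. Set GSSAPITrustDns no and HostName to the FQDN.")
    if info["trust_dns"]:
        findings.append(
            f"{alias}: GSSAPITrustDns yes makes the service principal depend "
            "on DNS answers; only enable it where the resolver is trusted.")
    return findings


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for alias in sys.argv[1:] or ["inside-host", "inside-host2"]:
        info = gssapi_target(cfg, alias)
        print(f"{alias}: GSSAPI target = {info['gssapi_target']}")
        print(f"  ProxyCommand = {info['proxycommand']}")
        for finding in lint(cfg, alias):
            print("  WARN", finding)
```

Run without arguments to see both stanzas from the thread side by side: the short-name stanza inherits GSSAPITrustDns yes from `Host *` and is reported as depending on DNS canonicalization of `inside-host`, while the stanza with an explicit `GSSAPITrustDns no` and FQDN HostName is reported clean. To use it on a real file, replace SAMPLE_CONFIG with the contents of ~/.ssh/config and pass the aliases you care about as arguments.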
