Russ Allbery wrote: [dd]
> > And another question. If a Kerberos-enabled server has several
> > principals in its keytab, how exactly does it decide which one to
> > use?

> It uses whatever one the client uses, in general. There are some services
> that limit what principals they'll accept to only that one principal that
> matches what the service thinks is the local hostname, but given how many
> problems this causes, an increasing number of services will accept any
> principal found in the system keytab.

How does a service figure out the local hostname?

I have a feeling that some daemons (e.g. sshd) don't look at `hostname` but use a PTR record for the address of one of the interfaces. If there is no reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.

For the present, I am not sure if the PTR record could be replaced by an /etc/hosts entry on the server itself.

I've had many irritating cases of being unable to use GSSAPIAuthentication in sshd because of incongruous DNS.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/4...@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
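A diagnostic for the mismatch discussed in this message, added here as an example and not part of the original thread: it compares the names a service could take as "the local hostname" (the configured name and the PTR name of its address) against the `host/` principals in a keytab listing. The function names, the sample `klist -k` output and the stand-in resolvers are all constructed for illustration; which name a given daemon actually uses is an assumption to verify per service.

```python
import re
import socket

# Constructed sample of `klist -k` output (not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/web1.example.org@EXAMPLE.ORG
   3 host/web1.example.org@EXAMPLE.ORG
   2 HTTP/www.example.org@EXAMPLE.ORG
"""

def keytab_host_names(klist_output):
    """Lowercased hostnames that have a host/ key in the keytab listing."""
    names = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+host/([^@\s]+)@\S+\s*$", line)
        if m:
            names.add(m.group(1).lower())
    return names

def candidate_names(hostname, forward=socket.gethostbyname,
                    reverse=socket.gethostbyaddr):
    """Names a service might treat as the local hostname (assumption:
    either the configured name or the PTR name of its address)."""
    cands = {"hostname": hostname.lower(), "ptr": None}
    try:
        addr = forward(hostname)
        cands["ptr"] = reverse(addr)[0].lower().rstrip(".")
    except OSError:  # covers socket.gaierror and socket.herror
        pass         # no forward or reverse record: ptr stays None
    return cands

def check(hostname, klist_output, **resolvers):
    """Map each candidate source to (name, has_host_key_in_keytab)."""
    keys = keytab_host_names(klist_output)
    cands = candidate_names(hostname, **resolvers)
    return {src: (name, name in keys) for src, name in cands.items()}

if __name__ == "__main__":
    # Constructed resolvers so the demo runs offline: the PTR record
    # disagrees with the configured hostname.
    result = check("web1.example.org", SAMPLE_KLIST,
                   forward=lambda h: "192.0.2.10",
                   reverse=lambda a: ("host-10.isp.example.net.", [], [a]))
    for src, (name, ok) in result.items():
        print(f"{src:8} {name!s:28} {'in keytab' if ok else 'NO host/ key'}")
```

On a real server, pass the output of `klist -k` and omit the resolver arguments to use the system resolver, which also reflects any /etc/hosts entries.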