Greg Hudson wrote:

> > How does a service figure out the local hostname?
>
> When they specify one at all, they generally call gethostname(), which
> the library canonicalizes through a forward and reverse name lookup.
> (The reverse part can be suppressed by setting rdns = false in
> [libdefaults] in krb5.conf.)

This setting must be specific to MIT Kerberos, I don't see it in Heimdal.

> > I have a feeling that some daemons (e.g. sshd) don't look at `hostname`
> > but use a PTR record for the address of one of the interfaces. If there
> > is no reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.
>
> Stock OpenSSH calls gethostbyname().

You probably mean gethostname(), not gethostbyname()?

> OpenSSH with Simon's patches (as packaged in Debian, for instance) can
> be configured to pass no hostname, by setting "GSSStrictAcceptorCheck
> no" in sshd_config. If you set this option, be aware that the client
> will be able (in theory) to authenticate to sshd using any service
> principal in your keytab, not just the host principal you'd expect. In
> most scenarios this is not a problem.
>
> > For the present, I am not sure if the PTR record could be replaced by
> > an /etc/hosts entry on the server itself. I've had many irritating
> > cases of being unable to use GSSAPIAuthentication in sshd because of
> > incongruous DNS.
>
> None of the code in question insists on using DNS, so /etc/hosts entries
> should be fine as long as NSS (or equivalent) is configured to use it.

But earlier you said that DNS canonicalization of the gethostname() result is used. If we have no DNS, who will canonicalize the hostname?

> (For a discussion of ways we might improve this situation within krb5,
> see: http://mailman.mit.edu/pipermail/krbdev/2010-August/009363.html )

It also says that "For these acceptors, krb5_sname_to_principal constructs a principal "<service>/<localhostname>@<realm>", where <localhostname> is the DNS-canonicalized result of gethostname() ..."
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/4...@fidonet http://vas.tomsk.ru/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
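The thread above turns on how an acceptor derives its own service principal: gethostname(), a forward lookup, then (unless rdns = false) a reverse lookup, with the result dropped into "<service>/<localhostname>@<realm>". The following is an added illustration written for this page, not code from MIT krb5, Heimdal or OpenSSH; it reproduces those steps in Python with a small resolver interface so the lookups can be swapped for constructed data and run offline. The hostnames, addresses, realm and keytab contents are all made up, and the `forward`/`reverse` resolver methods are a hypothetical abstraction, not a krb5 API. The point it makes visible is the "incongruous DNS" case from the message: when the PTR for the host's address names something other than the forward name, the principal the acceptor looks for no longer matches what is in the keytab, and setting rdns = false (or fixing the PTR, or an /etc/hosts entry that NSS consults) makes them agree again.

```python
import socket
from typing import Dict, List, Optional, Tuple


class SystemResolver:
    """Real lookups through the host's NSS (DNS, /etc/hosts, ... as configured)."""

    def forward(self, name: str) -> Tuple[str, str]:
        # getaddrinfo with AI_CANONNAME puts the canonical name on the first entry
        info = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
        canon = info[0][3] or name
        return canon, info[0][4][0]

    def reverse(self, addr: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            return None  # no PTR record: the caller keeps the forward name


class FakeResolver:
    """Constructed stand-in (hypothetical interface) holding canned lookup results."""

    def __init__(self, forward: Dict[str, Tuple[str, str]], reverse: Dict[str, str]):
        self._fwd, self._rev = forward, reverse

    def forward(self, name: str) -> Tuple[str, str]:
        return self._fwd[name]

    def reverse(self, addr: str) -> Optional[str]:
        return self._rev.get(addr)


def canonicalize_local_hostname(resolver, rdns: bool = True,
                                hostname: Optional[str] = None) -> str:
    """Mirror the steps described in the thread: gethostname(), a forward
    lookup, and (unless rdns is false) a reverse lookup on the resulting address.
    If the reverse lookup yields nothing, the forward canonical name is kept."""
    name = hostname if hostname is not None else socket.gethostname()
    canon, addr = resolver.forward(name)
    if rdns:
        ptr = resolver.reverse(addr)
        if ptr:
            canon = ptr
    # trailing dot stripped and lowercased, as the host component of a
    # service principal is conventionally lowercase
    return canon.rstrip(".").lower()


def sname_to_principal(service: str, realm: str, resolver, rdns: bool = True,
                       hostname: Optional[str] = None) -> str:
    """Build "<service>/<localhostname>@<realm>" the way the thread describes."""
    return f"{service}/{canonicalize_local_hostname(resolver, rdns, hostname)}@{realm}"


def diagnose(service: str, realm: str, keytab_principals, resolver,
             hostname: Optional[str] = None) -> List[Tuple[bool, str, bool]]:
    """Show which principal the acceptor would look for with rdns on and off,
    and whether the keytab holds it. Returns (rdns_setting, principal, in_keytab)."""
    out = []
    for rdns in (True, False):
        principal = sname_to_principal(service, realm, resolver, rdns, hostname)
        out.append((rdns, principal, principal in keytab_principals))
    return out


# Constructed sample data: forward DNS says bastion -> 192.0.2.10, but the PTR
# for 192.0.2.10 carries a generic provider name ("incongruous DNS").
SAMPLE_RESOLVER = FakeResolver(
    forward={"bastion": ("bastion.example.test", "192.0.2.10"),
             "lonely": ("lonely.example.test", "192.0.2.20")},
    reverse={"192.0.2.10": "vm-10.cloud.example.test"},   # no PTR for 192.0.2.20
)
SAMPLE_KEYTAB = {"host/bastion.example.test@EXAMPLE.TEST"}


if __name__ == "__main__":
    for rdns, principal, ok in diagnose("host", "EXAMPLE.TEST", SAMPLE_KEYTAB,
                                        SAMPLE_RESOLVER, "bastion"):
        state = "in keytab" if ok else "NOT in keytab"
        print(f"rdns = {str(rdns).lower():5} -> {principal}  ({state})")
    # Live check against this machine's own name resolution (needs a real realm):
    # print(sname_to_principal("host", "EXAMPLE.TEST", SystemResolver()))
```

Run against the constructed data, the rdns = true row shows host/vm-10.cloud.example.test@EXAMPLE.TEST, which is absent from the keytab, while the rdns = false row shows host/bastion.example.test@EXAMPLE.TEST, which is present; the "lonely" host, having no PTR at all, keeps its forward name in either mode. To try it on a real server, replace SAMPLE_RESOLVER with SystemResolver() and compare the printed principal with `klist -k`; a mismatch with rdns on and a match with it off is the signature of the PTR problem the thread describes, and the corresponding krb5.conf setting is `rdns = false` under `[libdefaults]`.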