On Fri, 30 May 2014, Jaap wrote:

> Hi folks,
>
> When SSH with Kerberos authentication is used, how can destination hosts
> with short-name machine credentials be accessed?
>
> For example, when the destination host has machine credentials in the
> form "host/<host>.<domain>@<REALM>" accessing it with SSH is no problem.
> However, when it's "host/<host>@<REALM>" it doesn't and the SSH client
> gives the following error:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server host/<host>.<domain>@<REALM> not found in Kerberos database
>
> Is the only solution here to not use short-name machine credentials?
I don't believe that to be the only solution; modern versions of openssh have a configuration knob GSSAPIServerIdentity, which I think could be set to the short hostname (that is, just the "<host>" part, with no "host/" or ".<domain>"). I haven't investigated exactly what code path this involves; it might require setting rdns=false in the client's krb5.conf as well. I believe that sshd also acquires a credential for only the hostname it sees itself as configured to run on, so the server side may need a tweak as well.

-Ben Kaduk

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
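The settings from the reply above written out as configuration, as an added example that is not part of the original thread; `myhost`, `example.com` and `EXAMPLE.REALM` are placeholder values, and the sshd_config line is the upstream OpenSSH option that governs the server-side acceptor name the reply refers to.

```conf
# --- Client side: ~/.ssh/config (or /etc/ssh/ssh_config) ---
# Placeholder values: "myhost" is the short hostname that appears in
# the server's keytab principal host/myhost@EXAMPLE.REALM.
Host myhost myhost.example.com
    GSSAPIAuthentication yes
    # Request host@myhost (i.e. host/myhost@EXAMPLE.REALM) instead of
    # the canonical FQDN. This keyword exists only in OpenSSH builds
    # carrying the GSSAPI key-exchange patch (Debian/Ubuntu/RHEL
    # packages); stock upstream OpenSSH does not recognise it.
    GSSAPIServerIdentity myhost

# --- Client side: /etc/krb5.conf ---
[libdefaults]
    # Stop the Kerberos library from rewriting the target hostname via
    # reverse DNS before it builds the service principal name.
    rdns = false

# --- Server side: /etc/ssh/sshd_config ---
# With the default (yes), sshd accepts only tickets for
# host/<its own hostname>@REALM. If the machine's hostname is the FQDN
# but the keytab holds the short-name principal, either set the
# hostname to the short name or relax the acceptor check. Note that
# "no" lets sshd accept any service principal present in its keytab,
# so matching the hostname is the tighter option where it is possible.
GSSAPIStrictAcceptorCheck no
```

To confirm which principal the client actually asked for, run `ssh -vvv myhost` and compare the name in the GSSAPI debug output with `klist` after the connection.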
