On 05/30/2014 09:58 AM, Jaap wrote:
> When SSH with Kerberos authentication is used, how can destination hosts
> with short-name machine credentials be accessed?

In krb5 1.12, we support dns_canonicalize_hostname=false in the [libdefaults] section of krb5.conf. This disables all canonicalization of hostnames in service principal names for all applications, so the second part of the server principal would be whatever you type. That might be too big of a hammer, but it's an option.

I don't know that GSSAPIServerIdentity would be helpful by itself. By my reading of the source code, the hostname is still imported via GSS_C_NT_HOSTBASED, so canonicalization would still take place (in the absence of dns_canonicalize_hostname=false).

rdns=false wouldn't solve the problem either; it only prevents canonicalization by reverse IP address lookup, not CNAME resolution or expansion of shortname to fqdn.
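
Added example, not part of the original message and not MIT krb5 code: a simplified Python model of how the two krb5.conf settings discussed above change the host part of the service principal a client requests. The DNS tables, host names and addresses are constructed assumptions, and no real lookups are made.

```python
# Simplified model of host-based service name canonicalization as described
# in the message above. Not krb5 source; all DNS data here is constructed.

# Constructed forward zone: name as typed -> (canonical name, address).
FORWARD = {
    # Short name expanded to an FQDN through the resolver search domain.
    "web": ("web.corp.example.com", "192.0.2.10"),
    # CNAME pointing at the same host.
    "www.corp.example.com": ("web.corp.example.com", "192.0.2.10"),
    "web.corp.example.com": ("web.corp.example.com", "192.0.2.10"),
}

# Constructed reverse zone: address -> PTR name (deliberately different).
REVERSE = {"192.0.2.10": "host-10.dc1.example.net"}


def service_principal(service, typed_host,
                      dns_canonicalize_hostname=True, rdns=True):
    """Return service/host as the client would request it (realm omitted)."""
    host = typed_host
    if dns_canonicalize_hostname and typed_host in FORWARD:
        # Forward lookup: expands short names and follows CNAMEs.
        host, addr = FORWARD[typed_host]
        # Reverse lookup only refines the result of the forward lookup,
        # so turning it off leaves the forward canonicalization in place.
        if rdns and addr in REVERSE:
            host = REVERSE[addr]
    # With dns_canonicalize_hostname=False the typed name is used unchanged.
    return f"{service}/{host}"


def compare(service, typed_host):
    """Show the requested principal under each combination of settings."""
    return {
        "defaults": service_principal(service, typed_host),
        "rdns=false": service_principal(service, typed_host, rdns=False),
        "dns_canonicalize_hostname=false": service_principal(
            service, typed_host, dns_canonicalize_hostname=False),
    }


if __name__ == "__main__":
    for name in ("web", "www.corp.example.com"):
        for setting, principal in compare("host", name).items():
            print(f"{name:22} {setting:34} {principal}")
```

Only the dns_canonicalize_hostname=false row yields host/web, which is the principal a server holding short-name credentials would have in its keytab.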