>Workarounds with sshd_conf
>GSSAPIStrictAcceptorCheck no
>or krb5.conf
>ignore_acceptor_hostname = true
>work well, but I want to keep a strict hostname check.

Why, exactly? There are a few multi-homed situations where this can cause security issues but I don't think they apply here.

There aren't wonderful solutions for this situation other than turning off strict acceptor checking. The DNS is case-PRESERVING, but case-insensitive in lookup, so "SERVER" and "server" are treated as being identical when it comes to hostname lookup. RFC 4120 recommends folding names to lowercase; that happens sometimes based on a particular Kerberos implementation (in MIT Kerberos that happens when the hostname is canonicalized in the function krb5_sname_to_principal() which is called by most higher-level APIs such as the GSSAPI).

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
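An added example, not part of the original message and not MIT Kerberos code: a check that flags keytab entries whose hostname component is not already in the lowercase form that the folding described above produces. It assumes the text output of `klist -k` as input and relies on principal names being compared case-sensitively; the sample hosts and realm are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `klist -k` output; hosts and realm are invented.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/SERVER.example.com@EXAMPLE.COM
   2 host/db1.example.com@EXAMPLE.COM
   3 HTTP/Web1.Example.Com@EXAMPLE.COM
"""

# A keytab entry line is "<kvno> <principal>"; header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def keytab_principals(klist_text):
    """Return the principal names listed in `klist -k` output."""
    found = []
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m and "@" in m.group(2):
            found.append(m.group(2))
    return found


def folded(principal):
    """Lowercase only the hostname component of service/host@REALM."""
    name, _, realm = principal.rpartition("@")
    service, sep, host = name.partition("/")
    if not sep:
        return principal  # not a host-based name; nothing to fold
    return f"{service}/{host.lower()}@{realm}"


def case_mismatches(klist_text):
    """List (keytab entry, folded form) pairs that differ only by case.

    A name built from the lowercase hostname will not equal these keytab
    entries byte for byte, although DNS treats both spellings as one host.
    """
    return [(p, folded(p)) for p in keytab_principals(klist_text)
            if p != folded(p)]


if __name__ == "__main__":
    for entry, expected in case_mismatches(SAMPLE_KLIST):
        print(f"{entry}  ->  folded form is {expected}")
```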
