Package: libgssapi-krb5-2
Version: 1.6.dfsg.4~beta1-13
Severity: important

On my system, resolv.conf looks like this:

domain foo.net
search foo.net foo.lan
nameserver 192.168.1.1

Now, my hostname is bar.foo.net (as hostname --fqdn spits out properly). I tried to kerberize sshd and got some weird effect: Only when I removed foo.lan from the search domains, it worked. This is reproducible with a little kerberos server/client program I found at apple:
http://developer.apple.com/SampleCode/KerberosGSS/KerberosGSS.zip
(Start with ./gssserver -s foo to make it call krb5_gss_acquire_cred.)

strace'ing revealed that libgssapi-krb5 is first resolving bar.foo.net, then bar.foo.lan, then reverse(bar.foo.lan) and then takes this as hostname for the realm.

To give a bit of background info why this setup is necessary:
bar.foo.net is a public domain with a public DNS, containing exactly one record which is updated to wherever the computer is at the moment (notebook).
bar.foo.lan is an internal domain at an internal DNS, containing an A record and an record. This DNS is internal because most part of it is behind a NAT and thus uninteresting for the rest of the world. Additionally, it needs to be updated by other people in-house which should not get access to the public DNS infrastructure.

Regardless of the sense or nonsense of this setup, resolving should stop at the first match, that is, bar.foo.net with its record.

In sshd, the problem can be worked around by using GSSAPIStrictAcceptorCheck no. I have not yet tested other programs but I think they might not all have such a workaround and might break, thus I filed this bug with severity: important.

Unfortunately I wasn’t able to find the code which does the resolving itself or I would have sent a patch. Please enlighten me.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29.1-midna-2 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgssapi-krb5-2 depends on:
ii libc6 2.9-12 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libk5crypto3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - C
ii libkeyutils1 1.2-10 Linux Key Management Utilities (li
ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii libkrb5support0 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - S
libgssapi-krb5-2 recommends no packages.
Versions of packages libgssapi-krb5-2 suggests:
ii krb5-doc 1.6.dfsg.4~beta1-13 Documentation for MIT Kerberos
pn krb5-user <none> (no description available)
-- no debconf information
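
The forward-then-reverse sequence reported from the strace output above can be checked for any host name with a small diagnostic like the one below. It is an added example, not part of the original report and not code from libgssapi-krb5; the names forward_canon, reverse_name and same_host are made up for it. It uses only the standard getaddrinfo/getnameinfo resolver calls, so it follows the same resolv.conf search list as the rest of the system.

```c
/* Added diagnostic example: compare a host name with its reverse-resolved name. */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#define HOSTBUF 1025

/* Forward lookup through the system resolver; returns 0 or a getaddrinfo error. */
int forward_canon(const char *host, char *canon, size_t clen,
                  struct sockaddr_storage *ss, socklen_t *sslen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_CANONNAME;
    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    snprintf(canon, clen, "%s", res->ai_canonname ? res->ai_canonname : host);
    memcpy(ss, res->ai_addr, res->ai_addrlen);   /* first address only */
    *sslen = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}

/* Reverse lookup of that address; fails if no name is registered for it. */
int reverse_name(const struct sockaddr_storage *ss, socklen_t sslen,
                 char *name, size_t nlen)
{
    return getnameinfo((const struct sockaddr *)ss, sslen, name, nlen,
                       NULL, 0, NI_NAMEREQD);
}

/* Case-insensitive comparison that ignores one trailing dot. */
int same_host(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

int main(int argc, char **argv)
{
    char fwd[HOSTBUF], rev[HOSTBUF];
    struct sockaddr_storage ss; socklen_t sl;
    if (argc < 2 || forward_canon(argv[1], fwd, sizeof fwd, &ss, &sl) != 0)
        return 1;
    printf("forward: %s\n", fwd);
    if (reverse_name(&ss, sl, rev, sizeof rev) != 0) { puts("reverse: (no name)"); return 2; }
    printf("reverse: %s\n", rev);
    return same_host(argv[1], rev) ? 0 : 3;   /* 3: reverse name differs from the input */
}
```

Exit status 3 means the address reverse-resolves to a different name than the one passed in, which is the condition under which a strict acceptor check would look for a key under another host name.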