On Tue, 2010-12-21 at 00:28 -0500, Victor Sudakov wrote:

> How does a service figure out the local hostname?
When they specify one at all, they generally call gethostname(), which the library canonicalizes through a forward and reverse name lookup. (The reverse part can be suppressed by setting rdns = false in [libdefaults] in krb5.conf.)

> I have a feeling
> that some daemons (e.g. sshd) don't look at `hostname` but use a PTR
> record for the address of one of the interfaces. If there is no
> reverse DNS, then a bummer, you can't use GSSAPI to ssh to the host.

Stock OpenSSH calls gethostbyname(). OpenSSH with Simon's patches (as packaged in Debian, for instance) can be configured to pass no hostname, by setting "GSSStrictAcceptorCheck no" in sshd_config. If you set this option, be aware that the client will be able (in theory) to authenticate to sshd using any service principal in your keytab, not just the host principal you'd expect. In most scenarios this is not a problem.

> For the present, I am not sure if the PTR record could be replaced by
> an /etc/hosts entry on the server itself. I've had many irritating
> cases of being unable to use GSSAPIAuthentication in sshd because of
> incongruous DNS.

None of the code in question insists on using DNS, so /etc/hosts entries should be fine as long as NSS (or equivalent) is configured to use it.

(For a discussion of ways we might improve this situation within krb5, see: http://mailman.mit.edu/pipermail/krbdev/2010-August/009363.html )

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
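The following is an added illustration, not code from this thread, from krb5 or from OpenSSH. It models the two behaviours the reply describes: how the acceptor's host principal is derived from gethostname() by a forward lookup plus an optional reverse (PTR) lookup, and what "GSSStrictAcceptorCheck no" changes in the acceptor's matching against the keytab. The resolver tables, hostnames, addresses, realm and keytab contents are all constructed so the model runs offline; they stand in for whatever NSS (DNS or /etc/hosts) would return on a real host.

```python
"""Offline model of acceptor-name canonicalization and acceptor checking.

Constructed teaching example (not krb5 or OpenSSH code).  The tables below
play the role of NSS: the reply notes that nothing in the real code insists
on DNS, so an /etc/hosts entry would feed the same steps.
"""

REALM = "EXAMPLE.COM"  # constructed realm

# Constructed forward data: name -> (address, canonical name), i.e. what a
# forward lookup of gethostname() output returns.
FORWARD = {
    "box": ("192.0.2.10", "box.example.com"),
    "box.example.com": ("192.0.2.10", "box.example.com"),
}

# Constructed reverse data: address -> PTR name.  Deliberately inconsistent
# with the forward name, the "incongruous DNS" case from the thread.
REVERSE = {
    "192.0.2.10": "other-name.example.com",
}


def canonicalize(hostname, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Return the canonical name the library would use for *hostname*.

    Step 1: forward lookup, take the canonical name.
    Step 2: reverse lookup of the address, replacing the name with the PTR
            result.  Skipped when rdns is False (rdns = false in krb5.conf).
    """
    if hostname not in forward:
        raise LookupError(f"no forward record for {hostname}")
    addr, canon = forward[hostname]
    if rdns:
        # A missing PTR leaves the forward name in place; a present but
        # disagreeing PTR silently swaps the name, which is the usual surprise.
        canon = reverse.get(addr, canon)
    return canon.lower()


def host_principal(hostname, rdns=True):
    """The host principal the acceptor expects, e.g. host/box.example.com@REALM."""
    return f"host/{canonicalize(hostname, rdns)}@{REALM}"


def dns_consistent(hostname, forward=FORWARD, reverse=REVERSE):
    """Practitioner check: does the PTR for the host's address name the host?

    Returns (forward_name, ptr_name, consistent).  A False result predicts
    the GSSAPI failures the thread describes when rdns is left enabled.
    """
    addr, canon = forward[hostname]
    ptr = reverse.get(addr)
    return canon, ptr, ptr is not None and ptr.lower() == canon.lower()


def acceptor_accepts(keytab, target, strict, local_hostname="box", rdns=True):
    """Decide whether the acceptor accepts a ticket issued for *target*.

    strict=True  models GSSStrictAcceptorCheck yes: only the canonical host
                 principal is acceptable.
    strict=False models GSSStrictAcceptorCheck no: the acceptor passes no
                 name, so any principal with a key in the keytab is accepted,
                 which is the caveat the reply points out.
    """
    if target not in keytab:
        return False  # no key to decrypt the service ticket
    if not strict:
        return True
    return target == host_principal(local_hostname, rdns)


if __name__ == "__main__":
    keytab = {
        "host/box.example.com@EXAMPLE.COM",
        "nfs/box.example.com@EXAMPLE.COM",
    }
    print("rdns on :", host_principal("box", rdns=True))
    print("rdns off:", host_principal("box", rdns=False))
    print("consistent DNS:", dns_consistent("box"))
    for strict in (True, False):
        for rdns in (True, False):
            ok = acceptor_accepts(keytab, "host/box.example.com@EXAMPLE.COM", strict, rdns=rdns)
            print(f"strict={strict} rdns={rdns} host principal accepted: {ok}")
```

Running the block shows the sequence from the thread: with rdns enabled and a disagreeing PTR, the acceptor derives host/other-name.example.com and rejects the client's ticket for host/box.example.com; disabling rdns (or fixing the PTR, which dns_consistent flags) makes the strict check succeed; and with the strict check off, the nfs/ principal in the same keytab is accepted too.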
