On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
> We want to connect with ssh via Kerberos. The host's name resolves to one IP
> address, but the IP address resolves to two names (this is a required DNS
> configuration):
>
> # nslookup vmlxsuche1test
> Name: vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
>
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
>
> ssh sometimes works, sometimes does not (falls back to authentication method:
> password).
> In both cases the credential cache on the client looks equal (got a TGS for
> both names):
ssh GSSAPI krb5 userauth does not work well when there are multiple possible
results for hostname canonicalization. For unfortunate historical reasons, MIT
krb5 defaults to reverse-resolving the IP address when canonicalizing hostnames.
For this situation, I believe adding "rdns = false" to the [libdefaults] section
in krb5.conf should resolve the issue.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
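For reference, here is the krb5.conf change the reply describes, shown as an added example rather than a file from the original thread. The first fragment shows the default behaviour spelled out explicitly (rdns on, which is what an absent setting means in MIT krb5), the second the corrected form. The realm name MAGWIEN.GV.AT and the KDC hostname are assumptions chosen for illustration; substitute your own.

```ini
# --- Before: default behaviour, written out explicitly ---
# With rdns = true (the default), the client resolves vmlxsuche1test to
# 10.153.92.100 and then reverse-resolves that address. Because the PTR
# query returns two names, the service principal ssh ends up asking for
# (host/vmlxsuche1test... or host/zktest...) depends on PTR record order,
# so GSSAPI userauth succeeds only when the name the sshd keytab holds
# happens to be chosen.
[libdefaults]
    default_realm = MAGWIEN.GV.AT      # assumed realm name, not from the thread
    rdns = true

# --- After: skip the reverse lookup ---
# With rdns = false the forward-resolved name is used as-is for the
# service principal, so host/vmlxsuche1test.host.magwien.gv.at@REALM is
# requested every time regardless of how many PTR records exist.
[libdefaults]
    default_realm = MAGWIEN.GV.AT      # assumed realm name, not from the thread
    rdns = false

[realms]
    MAGWIEN.GV.AT = {
        kdc = kdc.magwien.gv.at        # assumed KDC hostname, not from the thread
    }
```

Only one [libdefaults] section should be present in a real file; the two are shown side by side here purely to contrast the settings. To confirm which principal the client is requesting after the change, run `kvno host/vmlxsuche1test.host.magwien.gv.at` (an MIT krb5 command) and then `klist`: the credential cache should show a single host/ service ticket for the forward name, and the sshd keytab on vmlxsuche1test must contain that same principal for GSSAPI userauth to succeed.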