Ken, thank you for the fast response. Your answer almost fulfills my request. I'll incorporate extra checks in our playbooks to enforce strict hostname casing.
One small splinter remains: why does the Kerberos library report an error for the exact host principal name that it has in the keytab?

P.S. My old RHEL 7.9 setup also doesn't have this problem: it lowercases the hostname before requesting tickets.

On Fri, Apr 18, 2025 at 8:30 PM Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:

> >Workarounds with sshd_conf
> >GSSAPIStrictAcceptorCheck no
> >or krb5.conf
> >ignore_acceptor_hostname = true
> >work well, but I want to keep a strict hostname check.
>
> Why, exactly? There are a few multi-homed situations where this
> can cause security issues but I don't think they apply here.
>
> There aren't wonderful solutions for this situation other than turning
> off strict acceptor checking. The DNS is case-PRESERVING, but
> case-insensitive in lookup, so "SERVER" and "server" are treated as
> being identical when it comes to hostname lookup. RFC 4120 recommends
> folding names to lowercase; that happens sometimes based on a particular
> Kerberos implementation (in MIT Kerberos that happens when the hostname
> is canonicalized in the function krb5_sname_to_principal() which is
> called by most higher-level APIs such as the GSSAPI).
>
> --Ken

--
Best wishes,
Jafar Aliev
http://jafar.ru

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
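The kind of playbook check discussed in this thread, written here as an added example rather than code from either poster: it builds the host service principal with the hostname folded to lowercase (the RFC 4120 convention Ken mentions), then compares it against the principals actually present in a keytab and reports whether the match is exact, differs only in case (the situation that trips the strict acceptor check), or is absent. The keytab listing is a constructed sample in the column layout of `klist -k`; the function names and the "exact/case-mismatch/missing" labels are this example's own.

```python
"""Detect host-principal case mismatches between a keytab and the local hostname."""

# Constructed sample of a `klist -k` style listing (not taken from any real host).
# The host/ entry was written with an uppercase hostname to illustrate the problem.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/SERVER01.example.com@EXAMPLE.COM
   2 host/SERVER01.example.com@EXAMPLE.COM
   3 nfs/server01.example.com@EXAMPLE.COM
"""


def parse_klist_keytab(listing: str) -> set[str]:
    """Return the distinct principal names from a `klist -k` style listing.

    Only lines of the form '<kvno> <principal>' are taken; header and
    separator lines are skipped.
    """
    principals = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals


def canonical_host_principal(service: str, hostname: str, realm: str) -> str:
    """Build 'service/hostname@REALM' with the hostname folded to lowercase.

    Only the hostname component is folded; the realm is left as given
    because realm names are conventionally uppercase.
    """
    return f"{service}/{hostname.lower()}@{realm}"


def check_host_principal(service: str, hostname: str, realm: str,
                         principals: set[str]) -> tuple[str, str]:
    """Classify how the keytab matches the expected service principal.

    Returns ('exact', principal) when the lowercase-folded principal is present,
    ('case-mismatch', principal) when an entry matches only case-insensitively
    (the strict acceptor check will reject such a keytab entry), and
    ('missing', expected) when nothing matches at all.
    """
    wanted = canonical_host_principal(service, hostname, realm)
    if wanted in principals:
        return "exact", wanted
    for candidate in sorted(principals):
        if candidate.lower() == wanted.lower():
            return "case-mismatch", candidate
    return "missing", wanted


def report(hostname: str, realm: str, listing: str,
           services: tuple[str, ...] = ("host",)) -> list[str]:
    """Produce one human-readable line per service, suitable for a playbook log."""
    principals = parse_klist_keytab(listing)
    lines = []
    for service in services:
        status, name = check_host_principal(service, hostname, realm, principals)
        if status == "case-mismatch":
            lines.append(f"{service}: keytab has {name}, expected lowercase "
                         f"{canonical_host_principal(service, hostname, realm)}")
        else:
            lines.append(f"{service}: {status} ({name})")
    return lines


if __name__ == "__main__":
    # On a real host you would feed the output of `klist -k` and the value of
    # `hostname -f`; here both are constructed.
    for line in report("server01.example.com", "EXAMPLE.COM",
                       SAMPLE_KEYTAB_LISTING, services=("host", "nfs", "ldap")):
        print(line)
```

A "case-mismatch" result is the one to act on: re-create the keytab entry with the lowercase hostname (or fix the hostname the system reports) rather than relaxing GSSAPIStrictAcceptorCheck or ignore_acceptor_hostname.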