http://bugzilla.mindrot.org/show_bug.cgi?id=1008
Summary: GSSAPI authentication fails with Round Robin DNS hosts
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: ahaupt@ifh.de
When connecting to hosts that are accessed via Round Robin DNS (e.g.
pub.<my.domain> resolves to the IP addresses of pub[1-5].<my.domain>) GSSAPI
authentication often fails.
That's because the server's address lookup is done twice. First when actually
connecting to the server, the second time when determining the host's principal
name. If the ssh client gets two different answers here, the authentication fails.
On the sshd server the following error message appears in debug mode in this case:
debug1: Miscellaneous failure (see text)
Decrypt integrity check failed
debug1: Got no client credentials
On the client I can see that I got a ticket for a different host than the one
I'm actually connected to. That's the reason for the error message.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
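
The double lookup described in the report, modelled as an added example (not part of the original report and not OpenSSH code). The pool names, the 192.0.2.x addresses, the example.test domain and all function names are constructed for illustration; the single-lookup variant is one way to avoid the mismatch, not necessarily the fix the project adopted.

```python
import random

# Constructed round-robin pool: the alias maps to pub1..pub5 (made-up names/addresses).
POOL = {f"pub{i}.example.test": f"192.0.2.{i}" for i in range(1, 6)}
ADDR_TO_HOST = {addr: host for host, addr in POOL.items()}


class RoundRobinResolver:
    """Stand-in for DNS: each query for the alias may return a different pool member."""

    def __init__(self, seed=0):
        self._rng = random.Random(seed)

    def lookup(self, alias):
        host = self._rng.choice(sorted(POOL))
        return host, POOL[host]  # (canonical name, address)


def server_accepts(connected_addr, ticket_principal):
    """sshd can only decrypt a ticket issued for its own host principal."""
    return ticket_principal == "host/" + ADDR_TO_HOST[connected_addr]


def connect_two_lookups(resolver, alias):
    """Behaviour from the report: one lookup to connect, a second for the principal."""
    _, addr = resolver.lookup(alias)   # lookup 1: where the TCP connection goes
    name, _ = resolver.lookup(alias)   # lookup 2: which principal the ticket is for
    return server_accepts(addr, "host/" + name)


def connect_one_lookup(resolver, alias):
    """Single lookup: the principal comes from the same answer used to connect."""
    name, addr = resolver.lookup(alias)
    return server_accepts(addr, "host/" + name)


def failure_count(connect, attempts=200, seed=0):
    """Number of attempts (out of `attempts`) in which the server rejects the ticket."""
    resolver = RoundRobinResolver(seed)
    return sum(not connect(resolver, "pub.example.test") for _ in range(attempts))


if __name__ == "__main__":
    print("two lookups:", failure_count(connect_two_lookups), "of 200 fail")
    print("one lookup: ", failure_count(connect_one_lookup), "of 200 fail")
```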