Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
bugzilla-daemon at mindrot
Mar 31, 2005, 4:53 AM
Post #1 of 3 (166 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=1008

Summary: GSSAPI authentication failes with Round Robin DNS hosts
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: ahaupt@ifh.de


When connecting to hosts that are accessed via Round Robin DNS (e.g
pub.<my.domain> resolves to the ip addresses of pub[1-5].<my.domain>) GSSAPI
authentication failes often.

That's because the server's address lookup is done twice. First when actually
connecting to the server, the second time when determining the host's principal
name. If the ssh client gets two different answers here, the authentication failes.

On the sshd server the following error message appears in debug mode in this case:

debug1: Miscellaneous failure (see text)
Decrypt integrity check failed

debug1: Got no client credentials

On the client I can see that I got a ticket for a different host than the one
I'm actually connected to. That's the reason for the error message.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts [ In reply to ]
bugzilla-daemon at mindrot
Mar 31, 2005, 5:02 AM
Post #2 of 3 (164 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=1008





------- Additional Comments From dtucker@zip.com.au 2005-03-31 23:02 -------
Is that related to bug #928?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts [ In reply to ]
bugzilla-daemon at mindrot
Mar 31, 2005, 6:08 AM
Post #3 of 3 (167 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=1008





------- Additional Comments From ahaupt@ifh.de 2005-04-01 00:08 -------
(NOTE: this might be a repost as the mail reply ended up with a postix error
message: Diagnostic-Code: X-Postfix; unknown user: "bitbucker")

(In reply to comment #1)
> Is that related to bug #928?

I don't think so. If I understand the patch for bug #928 correctly, it
solves a problem when hosts have more than one ip address / host name. It's
furthermore situated on the server side.

My problem is situated on the client side. The ssh client should obtain the
kerberos ticket for exactly that host it has connected to. With the current
lookup behaviour this is not possible. Round robin dns offers more than one
ip address. These addresses belong to hosts that are completely independent
from each other, except that they share the same ssh keys (ssh_host_rsa_key
et al).

Example:

[fuchur] ~ % host pub.ifh.de
pub.ifh.de is an alias for pub.iss.ifh.de.
pub.iss.ifh.de has address 141.34.15.194
pub.iss.ifh.de has address 141.34.1.150
[fuchur] ~ % host pub.ifh.de
pub.ifh.de is an alias for pub.iss.ifh.de.
pub.iss.ifh.de has address 141.34.1.150
pub.iss.ifh.de has address 141.34.15.194
[fuchur] ~ %

Greetings
Andreas



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal