[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008


simon@sxw.org.uk changed:

What             |Removed                  |Added
----------------------------------------------------------------------------
CC               |                         |simon@sxw.org.uk

------- Comment #5 from simon@sxw.org.uk 2006-08-19 08:28 -------
There isn't an easy fix for this, at least with today's GSSAPI libraries. Most of these use the DNS to canonicalize the hostname passed into them - so there's no way of stopping them from resolving it a different way from OpenSSH.

Perversely, the only way to fix this is to pass the canonicalized name into the GSSAPI library, rather than the one supplied by the user. Generally, this is a bad idea, but it's the only way to fix this problem. I've got a patch which does this dependent on a configuration variable, if it would be likely to be considered for inclusion.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008

------- Comment #6 from simon@sxw.org.uk 2006-08-19 22:26 -------
Created an attachment (id=1177)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1177&action=view)
Add option to do GSSAPI canonicalization in the client, rather than the library

Here's the patch.

This creates a new configuration directive 'GSSAPITrustDNS', which if
set, will cause the ssh client to canonicalize the hostname before
passing it to the GSSAPI libraries. As the client caches
canonicalization results, this means that the libraries are always
called with the hostname that the client is connected to.

Whilst GSSAPI libraries perform canonicalization internally, this is
the only way of avoiding the GSSAPI picking a different hostname than
the ssh client. In the long term, GSSAPI implementations should not be
performing canonicalization, and should be using the hostname passed by
the user to request service tickets - but this seems a long way off.

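As an added illustration (not code from this bug thread or from OpenSSH), the following Python models the failure the two comments describe: the client resolves a round-robin name once and connects to one node, the GSSAPI library then canonicalizes the raw name with its own lookup and may land on a different node, so the requested host principal does not match the server actually reached. With the client-side canonicalization of the GSSAPITrustDNS option, the library receives the cached canonical name and has nothing left to rotate. The zone data, hostnames and addresses are constructed for the example.

```python
# Added illustration, not code from the bug thread or from OpenSSH: a model of
# why GSSAPI authentication fails behind round-robin DNS, and what changes when
# the client canonicalizes the name itself (the GSSAPITrustDNS behaviour).
# The zone data, hostnames and addresses below are constructed for the example.

# Constructed round-robin zone: one service name, two A records, each with a PTR.
ZONE_A = {"ssh.example.test": ["192.0.2.10", "192.0.2.11"]}
ZONE_PTR = {"192.0.2.10": "node1.example.test", "192.0.2.11": "node2.example.test"}


class RoundRobinResolver:
    """Answers A queries with the record list rotated on every query, as a
    round-robin DNS server does, then maps the chosen address to its PTR name."""

    def __init__(self):
        self._queries = {}

    def canonicalize(self, name):
        addrs = ZONE_A.get(name)
        if addrs is None:
            return name  # already a canonical node name: nothing to rotate
        n = self._queries.get(name, 0)
        self._queries[name] = n + 1
        return ZONE_PTR[addrs[n % len(addrs)]]


def ssh_client_gssapi(resolver, user_host, trust_dns):
    """Model of the client: connects to one resolved node, then asks the GSSAPI
    library for a service ticket.  Returns (connected node, principal requested)."""
    connected = resolver.canonicalize(user_host)  # the node the TCP session reaches
    # Default: hand the library the name the user typed.  With trust_dns the client
    # passes its cached canonical result instead, so the library's lookup is stable.
    name_for_gssapi = connected if trust_dns else user_host
    # The GSSAPI library canonicalizes whatever it receives with its own DNS query.
    principal_host = resolver.canonicalize(name_for_gssapi)
    return connected, f"host/{principal_host}"


def server_accepts(connected, principal):
    """Each node only holds the key for its own host principal."""
    return principal == f"host/{connected}"


def attempt(trust_dns):
    """One login attempt against a fresh resolver; returns (node, principal, success)."""
    connected, principal = ssh_client_gssapi(RoundRobinResolver(), "ssh.example.test", trust_dns)
    return connected, principal, server_accepts(connected, principal)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"GSSAPITrustDNS={'yes' if flag else 'no'}:", attempt(flag))
```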
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008


simon@sxw.org.uk changed:

What                      |Removed                  |Added
----------------------------------------------------------------------------
Attachment #1177 mime type|application/octet-stream |text/plain
Attachment #1177 is patch |0                        |1