bugzilla-daemon at mindrot.org
2005-Mar-31 12:53 UTC
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008
Summary: GSSAPI authentication failes with Round Robin DNS hosts
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: ahaupt at ifh.de
When connecting to hosts that are accessed via Round Robin DNS (e.g. pub.<my.domain> resolves to the IP addresses of pub[1-5].<my.domain>) GSSAPI authentication fails often.

That's because the server's address lookup is done twice. First when actually connecting to the server, the second time when determining the host's principal name. If the ssh client gets two different answers here, the authentication fails.

On the sshd server the following error message appears in debug mode in this case:

debug1: Miscellaneous failure (see text)
Decrypt integrity check failed
debug1: Got no client credentials

On the client I can see that I got a ticket for a different host than the one I'm actually connected to. That's the reason for the error message.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Mar-31 13:02 UTC
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008
------- Additional Comments From dtucker at zip.com.au 2005-03-31 23:02 -------
Is that related to bug #928?
bugzilla-daemon at mindrot.org
2005-Mar-31 14:08 UTC
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008
------- Additional Comments From ahaupt at ifh.de 2005-04-01 00:08 -------
(NOTE: this might be a repost as the mail reply ended up with a postfix error message: Diagnostic-Code: X-Postfix; unknown user: "bitbucker")

(In reply to comment #1)
> Is that related to bug #928?

I don't think so. If I understand the patch for bug #928 correctly, it solves a problem when hosts have more than one IP address / host name. It's furthermore situated on the server side.

My problem is situated on the client side. The ssh client should obtain the Kerberos ticket for exactly that host it has connected to. With the current lookup behaviour this is not possible. Round robin DNS offers more than one IP address. These addresses belong to hosts that are completely independent from each other, except that they share the same ssh keys (ssh_host_rsa_key et al).

Example:

[fuchur] ~ % host pub.ifh.de
pub.ifh.de is an alias for pub.iss.ifh.de.
pub.iss.ifh.de has address 141.34.15.194
pub.iss.ifh.de has address 141.34.1.150
[fuchur] ~ % host pub.ifh.de
pub.ifh.de is an alias for pub.iss.ifh.de.
pub.iss.ifh.de has address 141.34.1.150
pub.iss.ifh.de has address 141.34.15.194
[fuchur] ~ %

Greetings
Andreas
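The double-lookup failure described in the thread, as an added simulation that is not part of the bug report and not OpenSSH code. It assumes a round-robin zone that rotates its answer on every query, reuses the two addresses from the `host` output above, and assigns them the constructed names pub1/pub2 (the report only says pub[1-5].<my.domain>). A client that resolves the alias once to connect and a second time to pick the host principal ends up with a ticket for the other machine, which the server, holding only its own host principal, cannot decrypt; resolving once and deriving the principal from the address actually connected to keeps the two consistent.

```python
from typing import Callable, Dict, List, Tuple

ALIAS = "pub.example.org"  # constructed stand-in for pub.<my.domain>

# Constructed zone: the alias maps to the two addresses shown in the report.
ZONE: Dict[str, List[str]] = {ALIAS: ["141.34.15.194", "141.34.1.150"]}

# Constructed reverse mapping: which independent host owns each address.
# Each host has its own keytab entry host/<its own name> and nothing else.
HOST_OF_ADDR: Dict[str, str] = {
    "141.34.15.194": "pub1.example.org",
    "141.34.1.150": "pub2.example.org",
}


class RoundRobinResolver:
    """Hands out the address list rotated by one position on every query,
    the way a round-robin DNS server does. Real servers are not this
    regular, which is why the report says the failure happens 'often'."""

    def __init__(self, zone: Dict[str, List[str]]) -> None:
        self._zone = {name: list(addrs) for name, addrs in zone.items()}
        self._calls = 0

    def resolve(self, name: str) -> List[str]:
        addrs = self._zone[name]
        k = self._calls % len(addrs)
        self._calls += 1
        return addrs[k:] + addrs[:k]


def service_principal(addr: str) -> str:
    """The host-based service principal for the machine at addr."""
    return "host/" + HOST_OF_ADDR[addr]


def client_double_lookup(resolver: RoundRobinResolver, name: str) -> Tuple[str, str]:
    """Mirrors the behaviour the report describes: one lookup to pick the
    address to connect to, a second independent lookup to pick the host
    whose principal the ticket is requested for."""
    connected_addr = resolver.resolve(name)[0]
    principal_addr = resolver.resolve(name)[0]   # may differ from the first answer
    return connected_addr, service_principal(principal_addr)


def client_single_lookup(resolver: RoundRobinResolver, name: str) -> Tuple[str, str]:
    """Resolve once and derive the principal from the address we actually
    connected to, so ticket and peer always refer to the same host."""
    connected_addr = resolver.resolve(name)[0]
    return connected_addr, service_principal(connected_addr)


def server_accepts(connected_addr: str, ticket_principal: str) -> bool:
    """The sshd at connected_addr can only decrypt tickets issued for its
    own principal; anything else is the 'Decrypt integrity check failed'
    case from the report."""
    return ticket_principal == service_principal(connected_addr)


def count_failures(client: Callable[[RoundRobinResolver, str], Tuple[str, str]],
                   attempts: int = 10) -> int:
    """Run `attempts` connections against a fresh resolver and count how
    many the server rejects."""
    resolver = RoundRobinResolver(ZONE)
    failures = 0
    for _ in range(attempts):
        connected_addr, principal = client(resolver, ALIAS)
        if not server_accepts(connected_addr, principal):
            failures += 1
    return failures


if __name__ == "__main__":
    print("double lookup failures:", count_failures(client_double_lookup))
    print("single lookup failures:", count_failures(client_single_lookup))
```

With two addresses and a strict one-step rotation every double-lookup attempt connects to one host while requesting a ticket for the other, so all of them fail, while the single-lookup client never does.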