bugzilla-daemon at mindrot.org
2006-Aug-18 22:28 UTC
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008

simon at sxw.org.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simon at sxw.org.uk

------- Comment #5 from simon at sxw.org.uk 2006-08-19 08:28 -------
There isn't an easy fix for this, at least with today's GSSAPI libraries. Most of these use the DNS to canonicalize the hostname passed into them - so there's no way of stopping them from resolving it a different way from OpenSSH.

Perversely, the only way to fix this is to pass the canonicalized name into the GSSAPI library, rather than the one supplied by the user. Generally, this is a bad idea, but it's the only way to fix this problem.

I've got a patch which does this dependent on a configuration variable, if it would be likely to be considered for inclusion.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Aug-19 12:26 UTC
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008

------- Comment #6 from simon at sxw.org.uk 2006-08-19 22:26 -------
Created an attachment (id=1177)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1177&action=view)
Add option to do GSSAPI canonicalization in the client, rather than the library

Here's the patch. This creates a new configuration directive 'GSSAPITrustDNS', which if set, will cause the ssh client to canonicalize the hostname before passing it to the GSSAPI libraries. As the client caches canonicalization results, this means that the libraries are always called with the hostname that the client is connected to.

Whilst GSSAPI libraries perform canonicalization internally, this is the only way of avoiding the GSSAPI picking a different hostname than the ssh client. In the long term, GSSAPI implementations should not be performing canonicalization, and should be using the hostname passed by the user to request service tickets - but this seems a long way off.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
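The failure mode described in comments #5 and #6, as an added simulation that is not part of the bug report, the attached patch, or OpenSSH itself: a round-robin DNS name resolves to a different backend on every query, the ssh client connects to one backend, and a GSSAPI library that canonicalizes the name with its own DNS query asks for a service ticket for a different backend. The zone data, the resolver, the client and the library stub are all constructed for the illustration; the `trust_dns` flag stands in for the proposed 'GSSAPITrustDNS' directive, under which the client hands the library the canonical name of the host it actually connected to.

```python
"""Simulate GSSAPI target-name mismatch behind a round-robin DNS name.

Constructed example data: one round-robin name fronting three backends,
each backend with its own canonical name and PTR record.
"""

# Forward records: the round-robin name returns three addresses, each
# backend's canonical name returns exactly one (constructed, not real hosts).
ZONE = {
    "ssh.example.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
    "host1.example.com": ["10.0.0.1"],
    "host2.example.com": ["10.0.0.2"],
    "host3.example.com": ["10.0.0.3"],
}

# Reverse records, used for canonicalization (address -> canonical name).
PTR = {
    "10.0.0.1": "host1.example.com",
    "10.0.0.2": "host2.example.com",
    "10.0.0.3": "host3.example.com",
}


class RoundRobinResolver:
    """A DNS server that rotates the answer order on every query."""

    def __init__(self, zone):
        self._zone = {name: list(addrs) for name, addrs in zone.items()}

    def lookup(self, name):
        """Return the first address of the current rotation, then rotate."""
        addrs = self._zone[name]
        first = addrs[0]
        self._zone[name] = addrs[1:] + addrs[:1]
        return first

    def canonicalize(self, name):
        """Forward lookup followed by reverse lookup, as GSSAPI libraries do."""
        return PTR[self.lookup(name)]


class SshClient:
    """Minimal stand-in for the ssh client's name handling (hypothetical)."""

    def __init__(self, resolver, trust_dns):
        self.resolver = resolver
        self.trust_dns = trust_dns  # stands in for GSSAPITrustDNS
        self._canonical = {}  # cache: user-supplied host -> canonical name

    def connect(self, host):
        """Resolve once, connect to that address, remember its canonical name."""
        addr = self.resolver.lookup(host)
        self._canonical[host] = PTR[addr]
        return addr

    def gss_target(self, host):
        """Name handed to the GSSAPI library for this connection."""
        return self._canonical[host] if self.trust_dns else host


def gss_import_name(resolver, host):
    """Library-side behaviour the bug describes: canonicalize via its own query."""
    return "host@" + resolver.canonicalize(host)


def server_principal(addr):
    """The only principal the backend at `addr` holds a key for."""
    return "host@" + PTR[addr]


def run(trust_dns, connections=3):
    """Return, per connection, whether the requested ticket matches the server."""
    resolver = RoundRobinResolver(ZONE)
    client = SshClient(resolver, trust_dns)
    results = []
    for _ in range(connections):
        addr = client.connect("ssh.example.com")
        requested = gss_import_name(resolver, client.gss_target("ssh.example.com"))
        results.append(requested == server_principal(addr))
    return results


if __name__ == "__main__":
    print("library canonicalizes user name:", run(trust_dns=False))
    print("client passes canonical name:  ", run(trust_dns=True))
```

Without the option the client's lookup and the library's lookup land on different rotations of the same answer set, so the requested principal never matches the backend the client is talking to; with it, the library is given a name that resolves to a single address, and its own canonicalization is a no-op.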
bugzilla-daemon at mindrot.org
2006-Aug-19 12:27 UTC
[Bug 1008] GSSAPI authentication failes with Round Robin DNS hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=1008

simon at sxw.org.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1177   |application/octet-stream    |text/plain
mime type          |                            |
Attachment #1177 is|0                           |1
patch              |                            |

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.