Discussion:
Disable name canonicalization for OpenSSH GSSAPI
Joel Johnson
2007-09-18 02:27:07 UTC
I'm using OpenSSH (4.3p2) on a Linux client to authenticate via GSSAPI with
the gssapi-with-mic SSH mechanism to multiple hosts with an existing
Kerberos infrastructure. The issue I'm having is with a new server which for
various reasons is located on a DSL link with a dynamic IP address. In turn,
I don't have control over the DNS PTR records, so while I have forward
resolution set up properly, I'm unable to set up the correct reverse lookup.
When I attempt to connect to this host with SSH, a ticket request is made
against the KDC for a host ticket using the name obtained by a reverse DNS
lookup name canonicalization which is not defined.

I've found references to the "[libdefaults] rdns = no" entry in krb5.conf,
but I'd rather not set the global setting. Is there any way to disable
reverse DNS on a per host/IP/regex basis?

Thanks for any help,
Joel Johnson
Ken Raeburn
2007-09-18 03:02:16 UTC
Post by Joel Johnson
I'm using OpenSSH (4.3p2) on a Linux client to authenticate via GSSAPI with
the gssapi-with-mic SSH mechanism to multiple hosts with an existing
Kerberos infrastructure. The issue I'm having is with a new server which for
various reasons is located on a DSL link with a dynamic IP address. In turn,
I don't have control over the DNS PTR records, so while I have forward
resolution set up properly, I'm unable to set up the correct reverse lookup.
When I attempt to connect to this host with SSH, a ticket request is made
against the KDC for a host ticket using the name obtained by a reverse DNS
lookup name canonicalization which is not defined.
If it's the krb5 library doing that, and the reverse lookup fails to
get a name, it should use the supplied name (as possibly
canonicalized by the getaddrinfo call). Could the ssh code be doing it?

If there's a PTR record defined to point to something in the ISP's
domain, that would certainly break things in the krb5 library.
Post by Joel Johnson
I've found references to the "[libdefaults] rdns = no" entry in krb5.conf,
but I'd rather not set the global setting. Is there any way to disable
reverse DNS on a per host/IP/regex basis?
Unfortunately, no. But you could try any of:

* put the server in question in /etc/hosts, and make sure
nsswitch.conf uses it

* create a separate krb5.conf file setting rdns, and set
$KRB5_CONFIG to the pathname (or that pathname and the system one,
separated by colons, to combine the data in both) when running ssh
(or just ssh to that server), if indeed it's the krb5 library code
messing up when rdns is enabled

* figure out what name the krb5 code thinks the host goes by, give
it service keys under that name, and add a domain_realm mapping that
hostname into your realm

Ken
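The following is an added illustration of the two mechanisms Ken's second and third options rely on; it is not code from this thread or from the MIT krb5 project. It models, with a constructed resolver table instead of live DNS, how the library turns the typed hostname into a host-based service principal with and without rdns (a failed reverse lookup keeps the forward name; a successful one replaces it), how a [domain_realm] mapping is looked up for whatever name results, and how a wrapper can hand a second krb5.conf to only the chosen hosts through a colon-separated KRB5_CONFIG. The IP address, the ISP PTR name, the realm LIXIL.NET, the file path /etc/krb5-no-rdns.conf and the host patterns are all assumptions; the library's realm fallback when no mapping matches is deliberately not modelled, and ssh itself is never invoked.

```python
"""
Added illustration for the thread above (not code from the original posts or
from MIT krb5): hostname canonicalisation for the host/ service principal
with and without `rdns`, plus a per-host KRB5_CONFIG override.

All DNS data below is a constructed table; nothing touches the network.
"""
import fnmatch

# Constructed resolver data modelling the thread's situation: the forward
# record is under the admin's control, the PTR record belongs to the ISP.
FORWARD = {"host.lixil.net": "203.0.113.42"}              # constructed A record
REVERSE = {"203.0.113.42": "203-0-113-42.abq.qwest.net"}  # constructed ISP PTR

# Constructed [domain_realm] section: only the admin's own domain is mapped.
DOMAIN_REALM = {".lixil.net": "LIXIL.NET"}


def canonical_name(host, rdns, forward=FORWARD, reverse=REVERSE):
    """Approximate the library's hostname canonicalisation.

    The name is forward-resolved first (getaddrinfo with AI_CANONNAME in the
    real library). With rdns enabled, a *successful* reverse lookup of the
    resulting address replaces the name; a failed reverse lookup keeps it.
    """
    host = host.rstrip(".").lower()
    if host not in forward:
        raise LookupError(f"forward lookup failed for {host}")
    if rdns:
        ptr = reverse.get(forward[host])
        if ptr:
            return ptr.lower()
    return host


def realm_for_host(hostname, domain_realm=DOMAIN_REALM):
    """[domain_realm] lookup: exact hostname first, then each parent domain
    with a leading dot. Returns None when nothing matches; the real library
    then falls back to other heuristics that are not modelled here."""
    if hostname in domain_realm:
        return domain_realm[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def service_principal(host, rdns):
    """Return (principal name part, realm or None) for host/<name>."""
    name = canonical_name(host, rdns)
    return f"host/{name}", realm_for_host(name)


# Per-host workaround: a second krb5.conf carrying only the override, listed
# before the system file so its value is seen first when both are merged.
RDNS_OFF_FRAGMENT = "[libdefaults]\n    rdns = false\n"


def krb5_env_for(host, no_rdns_hosts, extra_conf, system_conf="/etc/krb5.conf"):
    """Environment additions for `ssh host`: KRB5_CONFIG pointing at the
    override file plus the system file when host matches one of the
    fnmatch-style patterns in no_rdns_hosts, otherwise nothing."""
    if any(fnmatch.fnmatch(host.lower(), p.lower()) for p in no_rdns_hosts):
        return {"KRB5_CONFIG": f"{extra_conf}:{system_conf}"}
    return {}


if __name__ == "__main__":
    for rdns in (True, False):
        print(f"rdns={rdns}: {service_principal('host.lixil.net', rdns)}")
    patterns = ["*.lixil.net"]                      # hypothetical host list
    extra = "/etc/krb5-no-rdns.conf"                # hypothetical path
    print(krb5_env_for("host.lixil.net", patterns, extra))
    print(krb5_env_for("kdc.example.net", patterns, extra))
```

With the ISP PTR in place, rdns=True yields host/203-0-113-42.abq.qwest.net with no realm mapping, which is the ticket the KDC cannot serve; rdns=False keeps host/host.lixil.net@LIXIL.NET. The wrapper only sets KRB5_CONFIG for matching hosts, so every other connection keeps the global behaviour.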
Joel Johnson
2007-09-18 03:19:26 UTC
Post by Ken Raeburn
Post by Joel Johnson
I'm using OpenSSH (4.3p2) on a Linux client to authenticate via GSSAPI with
the gssapi-with-mic SSH mechanism to multiple hosts with an existing
Kerberos infrastructure. The issue I'm having is with a new server which for
various reasons is located on a DSL link with a dynamic IP address. In turn,
I don't have control over the DNS PTR records, so while I have forward
resolution set up properly, I'm unable to set up the correct reverse lookup.
When I attempt to connect to this host with SSH, a ticket request is made
against the KDC for a host ticket using the name obtained by a reverse DNS
lookup name canonicalization which is not defined.
If it's the krb5 library doing that, and the reverse lookup fails to
get a name, it should use the supplied name (as possibly
canonicalized by the getaddrinfo call). Could the ssh code be doing it?
If there's a PTR record defined to point to something in the ISP's
domain, that would certainly break things in the krb5 library.
That's exactly the case, the reverse lookup doesn't fail, but returns
a hostname completely different from what was requested (instead of
host.lixil.net it provides xx.xx.xx.xx.qwest.net).
Post by Ken Raeburn
Post by Joel Johnson
I've found references to the "[libdefaults] rdns = no" entry in krb5.conf,
but I'd rather not set the global setting. Is there any way to disable
reverse DNS on a per host/IP/regex basis?
* put the server in question in /etc/hosts, and make sure
nsswitch.conf uses it
I did that as a test to verify that disabling reverse would solve the
problem. The problem is that since the IP is susceptible to change it
becomes a maintenance nightmare to keep the hosts file in sync.
Post by Ken Raeburn
* create a separate krb5.conf file setting rdns, and set
$KRB5_CONFIG to the pathname (or that pathname and the system one,
separated by colons, to combine the data in both) when running ssh
(or just ssh to that server), if indeed it's the krb5 library code
messing up when rdns is enabled
I've verified that with the rdns setting it functions as expected,
while without the rdns entry it breaks. I've additionally verified
this by viewing the host ticket requested on the KDC while SSH stalls.
On the KDC, tickets are requested in increasing order of generality,
i.e. first for host/ABQ.QWEST.NET@REALM and then host/QWEST.NET@REALM.
The problem is that the PTR record exists and resolves properly, but
it is not at all what is to be expected.
Post by Ken Raeburn
* figure out what name the krb5 code thinks the host goes by, give
it service keys under that name, and add a domain_realm mapping that
hostname into your realm
Also fairly ugly, but could be lightened a bit with some manual realm
mappings... I'll have to think about this one, but I'll just leave
the rdns disabled for now.

Thanks for the input and verifying what I thought.

Joel