Re: i cannot understand sshd behavior
Andreas Haupt wrote:
> On Mon, 12 Mar 2007, Gustavo Rios wrote:
>> I have the following sshd_config (relevant part only):
>> GSSAPIAuthentication yes
This says to accept GSSAPI (usually Kerberos).
>> #GSSAPICleanupCredentials yes
>> KerberosAuthentication yes
This says sshd will accept user and password then try it
with Kerberos using the Kerberos API from within sshd.
>> KerberosGetAFSToken yes
I believe this is older Kerberos v4 (we have AFS but don't use this).
>> KerberosOrLocalPasswd yes
This says if the user and password don't work with Kerberos,
try the local /etc/passwd or NIS.
>> #KerberosTicketCleanup yes
Clean up the ticket cache at logout.
>> When I try to connect to a server by its fqdn no password is requested,
>> like in:
>> $ ssh -l sioux foo.my.domain
>> Last login: Mon Mar 12 13:18:22 2007 from 10.0.0.250
>> Naeser's Law:
>> You can make it foolproof, but you can't make it
The ssh should have tried gssapi-with-mic, and sshd accepted it.
>> But, when I try by IP, I get this:
>> $ ssh -l sioux 10.0.0.1
>> firstname.lastname@example.org's password:
>> Last login: Mon Mar 12 13:21:17 2007 from 10.0.0.250
>> "The subspace W inherits the other 8 properties of V. And there aren't
>> even any property taxes."
>> -- J. MacKay, Mathematics 134b
>> Why does it happen?
Two things happen:
ssh will look up the string you used on the command line
in the Host section of the /etc/ssh/ssh_config and your ~/.ssh/config
and apply any parameters such as GSSAPIAuthentication yes
that you may have listed there. This is done before any
Since you give it an IP name, no name mapping will be done,
and GSS will not work and ssh will use the address.
>> I believe I told sshd explicitly not to request
>> password, didn't I?
*NO* you told it it was OK to accept user and either a
Kerberos or local password!
> Does the reverse lookup (mapping ip to fqdn) work? Depending on
> /etc/nsswitch.conf something like this should give you a fqdn of the
> desired host name:
Why do you think there is a name mapping going on? You gave
it an explicit IP to try.
> [fuchur] ~ % host 10.0.0.1
> Host 126.96.36.199.in-addr.arpa not found: 3(NXDOMAIN)
> PS: "ssh -vvv" is your friend...
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
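The first point Douglas makes above (ssh matches the literal string typed on the command line against the `Host` patterns in ssh_config, with no name lookup in between, and the first value obtained for an option wins) can be reproduced with a small resolver. The following is an added example, not code from this thread or from OpenSSH itself; the client config it parses is constructed here, and the option values it prints are only the client-side view, not what sshd will accept.

```python
"""Resolve which ssh_config options apply to a given command-line host string.

Constructed example: mimics how ssh matches the literal host string from the
command line against `Host` patterns (no DNS lookup), using the rule that the
first value obtained for an option wins. Real ssh lowercases the host string
before matching, which is done here as well.
"""
import fnmatch

# Constructed client config: GSSAPI is only turned on for names under my.domain,
# so a bare IP such as 10.0.0.1 never picks it up.
SAMPLE_SSH_CONFIG = """
# constructed ~/.ssh/config for the example
Host *.my.domain
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Host 10.0.0.*
    PasswordAuthentication yes

Host *
    GSSAPIAuthentication no
    PasswordAuthentication yes
"""


def parse_ssh_config(text):
    """Return a list of (patterns, {option: value}) blocks in file order.

    Options that appear before any Host line belong to an implicit 'Host *'
    block. Option names are lowercased because ssh treats them case-insensitively.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            # Within one block a repeated option also keeps its first value.
            options.setdefault(key, value)
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """ssh-style Host matching: '*' and '?' wildcards, compared case-insensitively.

    A pattern starting with '!' negates: if it matches, the whole Host entry
    is treated as not matching, whatever the other patterns say.
    """
    host = host.lower()
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat.lower()):
            if negate:
                return False
            matched = True
    return matched


def effective_options(config_text, host):
    """Options ssh would apply for the literal host string.

    Blocks are visited in file order; for each option the first value found
    in a matching block is kept, so later blocks can only fill in gaps.
    """
    result = {}
    for patterns, options in parse_ssh_config(config_text):
        if host_matches(patterns, host):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


if __name__ == "__main__":
    # The fqdn picks up GSSAPIAuthentication yes; the bare IP falls through
    # to the 'Host *' block and gets GSSAPIAuthentication no.
    for target in ("foo.my.domain", "10.0.0.1"):
        print(target, effective_options(SAMPLE_SSH_CONFIG, target))
```

Running it shows why the two command lines in the thread behave differently on the client side: `foo.my.domain` matches `Host *.my.domain` and gets GSSAPI enabled, while `10.0.0.1` only matches the IP and catch-all blocks, so ssh never offers gssapi-with-mic and the server falls back to the password methods its sshd_config still allows. `ssh -vvv` prints the same resolution from the real client.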