
Re: i cannot understand sshd behavior

Andreas Haupt wrote:
> Hi,
> 
> On Mon, 12 Mar 2007, Gustavo Rios wrote:
> 
>> I have the following sshd_config (relevant part only):
>>
>> GSSAPIAuthentication yes

   This says to accept GSSAPI (usually Kerberos).

>> #GSSAPICleanupCredentials yes
>> KerberosAuthentication yes

This says sshd will accept user and password then try it
with Kerberos using the Kerberos API from within sshd.

>> KerberosGetAFSToken yes

I believe this is older Kerberos v4 (we have AFS but don't use this).

>> KerberosOrLocalPasswd yes

This says if the user and password don't work with Kerberos,
try the local /etc/passwd or NIS.

>> #KerberosTicketCleanup yes

Clean up the ticket cache at logout.

>>
>>
>> When I try to connect to a server by its fqdn no password is requested,
>> like in:
>>
>> $ ssh -l sioux foo.my.domain
>> Last login: Mon Mar 12 13:18:22 2007 from 10.0.0.250
>> Naeser's Law:
>>       You can make it foolproof, but you can't make it
>> damnfoolproof.
>> $
>>

The ssh should have tried gssapi-with-mic, and sshd accepted it.

>>
>> But, when I try by IP, I get this:
>>
>> $ ssh -l sioux 10.0.0.1
>> sioux@10.0.0.1's password:
>> Last login: Mon Mar 12 13:21:17 2007 from 10.0.0.250
>> "The subspace W inherits the other 8 properties of V. And there aren't
>> even any property taxes."
>>               -- J. MacKay, Mathematics 134b
>> $
>>
>>
>> Why does it happen?

Two things happen:
  ssh will look up the string you used on the command line
  in the Host section of the /etc/ssh/ssh_config and your ~/.ssh/config
  and apply any parameters such as GSSAPIAuthentication yes
  that you may have listed there. This is done before any
  name mapping.

  Since you give it an IP name, no name mapping will be done,
  GSS will not work, and ssh will use the address.


>> I believe I told sshd explicitly not to request
>> password, didn't I?

*NO* you told it it was OK to accept user and either a
Kerberos or local password!

> 
> Does the reverse lookup (mapping ip to fqdn) work? Depending on 
> /etc/nsswitch.conf something like this should give you a fqdn of the 
> desired host name:

  Why do you think there is a name mapping going on? You gave
it an explicit IP to try.

> 
> [fuchur] ~ % host 10.0.0.1
> Host 1.0.0.10.in-addr.arpa not found: 3(NXDOMAIN)
> 
> Cheers,
> Andreas
> 
> PS: "ssh -vvv" is your friend...
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
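The point made above, that ssh matches the literal string typed on the command line against the Host patterns in ssh_config before any name resolution, can be checked with a small model of that matching logic. The following is an added example written for this thread, not code from OpenSSH or from anyone in the discussion; the config fragment and host names in it are constructed for illustration, and it implements only Host blocks (not Match blocks) with OpenSSH's first-value-wins rule.

```python
"""Added example (not from the thread): how ssh selects per-host options by
matching the command-line string against ssh_config Host patterns.  No DNS
lookup is involved, so "foo.my.domain" and "10.0.0.1" can land in different
blocks even if they name the same machine.  Host names and config are
constructed for illustration.  Match blocks are deliberately not modelled."""
from fnmatch import fnmatchcase

# Constructed ~/.ssh/config fragment (hypothetical host names).
SAMPLE_CONFIG = """
Host *.my.domain
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Host 10.0.0.* !10.0.0.250
    GSSAPIAuthentication no

Host *
    GSSAPIAuthentication=no
    PreferredAuthentications gssapi-with-mic,password
"""


def host_matches(patterns, host):
    """ssh_config Host matching: space-separated glob patterns, matched
    case-insensitively; a leading '!' negates, and any negated match
    defeats the whole Host line regardless of the other patterns."""
    host = host.lower()
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatchcase(host, pat.lower()):
            matched = True
    return matched


def effective_options(config_text, host):
    """Return the options ssh would apply to `host`.  The first value
    obtained for each keyword wins, which is why specific Host blocks
    must precede the catch-all 'Host *'.  Keywords are returned lowercased."""
    opts = {}
    active = True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if "=" in line.split(None, 1)[0]:     # accept the Keyword=value form
            line = line.replace("=", " ", 1)
        keyword, _, value = line.partition(" ")
        key = keyword.lower()
        value = value.strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key not in opts:
            opts[key] = value
    return opts


if __name__ == "__main__":
    # The same server reached two ways gets two different answers,
    # purely from string matching against the Host patterns.
    for target in ("foo.my.domain", "10.0.0.1", "10.0.0.250"):
        opts = effective_options(SAMPLE_CONFIG, target)
        print(target, "-> GSSAPIAuthentication", opts.get("gssapiauthentication"))
```

Run it as a script to see that `foo.my.domain` gets `GSSAPIAuthentication yes` from the first block while `10.0.0.1` gets `no` from the second; `10.0.0.250` is excluded from the second block by the `!` pattern and falls through to `Host *`. On a real system `ssh -G host` (OpenSSH 6.8 and later) prints the options ssh actually resolved, which is the authoritative check.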