
Re: i cannot understand sshd behavior
Andreas Haupt wrote:
> Hi,
> 
> On Tue, 3 Apr 2007, Douglas E. Engert wrote:
> 
>> Andreas Haupt wrote:
>>> Hi,
>>>
>>> sorry for the delay.
>>>
>>> On Tue, 13 Mar 2007, Douglas E. Engert wrote:
>>>
>>>>> Does the reverse lookup (mapping ip to fqdn) work? Depending on 
>>>>> /etc/nsswitch.conf something like this should give you a fqdn of 
>>>>> the desired host name:
>>>>
>>>> Why do you think there is a name mapping going on? You gave
>>>> it an explicit IP to try.
>>>
>>> because the ssh client simply does a name lookup if you specify an ip 
>>> address. Otherwise this wouldn't work, would it?
>>
>> ssh does not need the name mapping, it can use the IP number.
>> Note the line: "Connecting to 141.34.2.135 [141.34.2.135] port 22".
>> Normally it would say "Connecting to fama.ifh.de [141.34.2.135] port 22"
>>
>> But the GSSAPI should need to map the ip to the name to get a principal
>> name of the host to get a service ticket. (Can the heimdal GSS do this?)
> 
> OK. Yes, at least version 0.7.2 we are using can do this.
> 
>> What does the klist show on the machine where the ssh was run?
>>
>> Does it have a service ticket for host/fama.ifh.de@IFH.DE
>> Or did you create a host principal with the ip number,
>> host/141.34.2.135@IFH.DE???
> 
> The first one, there are no keys of the second kind here:
> 
> Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
>         Principal: ahaupt@IFH.DE
> 
>   Issued           Expires          Principal
> Apr  3 16:03:58  Apr  4 17:03:58  krbtgt/IFH.DE@IFH.DE
> Apr  3 16:03:58  Apr  4 17:03:58  afs@IFH.DE
> Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE
> 
>> Note the security risk here of using the ip number. You are now
>> trusting the DNS server to return the correct mapping. If the IP
>> is registered to some other site, it will be the other site's DNS
>> server responding.
> 
> Sure, nevertheless the host key still matches so I'm sure the host I'm 
> connecting to is the correct one.

Only if you distributed the host keys out of band, and not just
accepted the key on the first connection.

> 
> I actually only wanted to help answering the original question why 
> GSSAPI authentication works with the hostname but not with the ip 
> address. As the gss lib needs to do the reverse lookup somehow, this 
> should be the first thing to look at.
> 
> Cheers,
> Andreas
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
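The point of the thread, that a client given a bare IP has to derive host/<fqdn>@REALM from a reverse lookup and is therefore trusting whoever serves DNS for that address, can be checked with a small script. This is an added example, not code from the thread or from OpenSSH/Heimdal; it uses constructed lookup tables instead of real DNS, and the forward-confirmation step (accepting a reverse record only if the name resolves back to the IP) is a mitigation added here, not something the GSS library is claimed to do.

```python
import ipaddress
from typing import Callable, Iterable

# Constructed stand-ins for DNS so the example runs offline.
# 203.0.113.9 is a documentation address: it models an IP at another site whose
# DNS server answers the reverse query with our host's name.
REVERSE = {"141.34.2.135": "fama.ifh.de", "203.0.113.9": "fama.ifh.de"}
FORWARD = {"fama.ifh.de": ["141.34.2.135"]}

def host_principal(target: str, realm: str,
                   reverse: Callable[[str], str] = REVERSE.__getitem__,
                   forward: Callable[[str], Iterable[str]] = FORWARD.__getitem__) -> str:
    """Return the host/<fqdn>@REALM service principal a GSSAPI client would
    request for `target`. A bare IP forces a reverse lookup; the name is only
    accepted here if its forward record maps back to that IP."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        fqdn = target                       # a name was given: no reverse lookup needed
    else:
        fqdn = reverse(target)
        if target not in forward(fqdn):     # forward-confirmed reverse DNS check
            raise ValueError(f"reverse record {target} -> {fqdn} not confirmed by forward DNS")
    return f"host/{fqdn.rstrip('.').lower()}@{realm}"

def ticket_principals(klist_output: str) -> set[str]:
    """Collect the principals listed in the ticket table of Heimdal klist
    output (everything after the 'Issued  Expires  Principal' header)."""
    principals, in_table = set(), False
    for line in klist_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "Issued":
            in_table = True
        elif in_table and fields:
            principals.add(fields[-1])      # principal is the last column
    return principals

def has_service_ticket(klist_output: str, target: str, realm: str) -> bool:
    """True if the cache already holds the service ticket the target needs."""
    return host_principal(target, realm) in ticket_principals(klist_output)

# The klist output quoted in the thread.
KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
        Principal: ahaupt@IFH.DE

  Issued           Expires          Principal
Apr  3 16:03:58  Apr  4 17:03:58  krbtgt/IFH.DE@IFH.DE
Apr  3 16:03:58  Apr  4 17:03:58  afs@IFH.DE
Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE
"""
```

Calling `host_principal("203.0.113.9", "IFH.DE")` raises, because the name the (constructed) foreign reverse zone returns does not resolve back to that address, while the real host and the hostname form both yield host/fama.ifh.de@IFH.DE.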