
Re: i cannot understand sshd behavior

Andreas Haupt wrote:
> Hi,
> On Tue, 3 Apr 2007, Douglas E. Engert wrote:
>> Andreas Haupt wrote:
>>> Hi,
>>> sorry for the delay.
>>> On Tue, 13 Mar 2007, Douglas E. Engert wrote:
>>>>> Does the reverse lookup (mapping ip to fqdn) work? Depending on 
>>>>> /etc/nsswitch.conf something like this should give you a fqdn of 
>>>>> the desired host name:
>>>> Why do you think there is a name mapping going on? You gave
>>>> it an explicit IP to try.
>>> because the ssh client simply does a name lookup if you specify an ip 
>>> address. Otherwise this wouldn't work, would it?
>> ssh does not need the name mapping, it can use the IP number.
>> Note the line: "Connecting to [] port 22".
>> Normally it would say "Connecting to fama.ifh.de [] port 22"
>> But the GSSAPI should need to map the ip to the name to get a principal
>> name of the host to get a service ticket. (Can the heimdal GSS do this?)
> OK. Yes, at least version 0.7.2 we are using can do this.
>> What does the klist show on the machine where the ssh was run?
>> Does it have a service ticket for host/fama.ifh.de@IFH.DE
>> Or did you create a host principal with the ip number,
>> host/
> The first one, there are no keys of the second kind here:
> Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
>         Principal: ahaupt@IFH.DE
>   Issued           Expires          Principal
> Apr  3 16:03:58  Apr  4 17:03:58  krbtgt/IFH.DE@IFH.DE
> Apr  3 16:03:58  Apr  4 17:03:58  afs@IFH.DE
> Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE
>> Note the security risk here of using the ip number. You are now
>> trusting the DNS server to return the correct mapping. If the IP
>> is registered to some other site, it will be the other site's DNS
>> server responding.
> Sure, nevertheless the host key still matches so I'm sure the host I'm 
> connecting to is the correct one.

Only if you distributed the host keys out of band, and not just
accepted the key on the first connection.

> I actually only wanted to help answering the original question why 
> GSSAPI authentication works with the hostname but not with the ip 
> address. As the gss lib needs to do the reverse lookup somehow, this 
> should be the first thing to look at.
> Cheers,
> Andreas


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
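As an added example (not part of the thread above, and not Heimdal's or OpenSSH's own code), the following Python script models the point under discussion: when ssh is given an IP address, the GSSAPI side has to turn that IP into a host name via a reverse (PTR) lookup before it can ask for a host/<fqdn>@REALM service ticket, so a missing or wrong PTR record makes GSSAPI authentication fail while the same connection by name works. The script parses klist-style output in the format quoted in the thread, derives the expected service principal for a target given either by name or by IP, and reports whether a matching ticket is present. The forward-confirmation step (checking that the PTR answer resolves back to the original IP) is an added mitigation for the DNS-trust risk Douglas raises; the thread does not say which libraries do this. The DNS answers and the 192.0.2.x addresses are constructed so the example runs offline; the system resolver functions are provided only as the default when you run it against a real host.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Matches one ticket line in the klist format quoted in the thread, e.g.
#   "Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE"
TICKET_LINE = re.compile(
    r"^[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+"   # issued
    r"[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+"    # expires
    r"(\S+@\S+)$"                                    # service principal
)

# Constructed sample input: the klist output quoted in the thread.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
        Principal: ahaupt@IFH.DE
  Issued           Expires          Principal
Apr  3 16:03:58  Apr  4 17:03:58  krbtgt/IFH.DE@IFH.DE
Apr  3 16:03:58  Apr  4 17:03:58  afs@IFH.DE
Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE
"""

# Constructed DNS data (assumption: 192.0.2.0/24 is documentation space,
# not the real addresses of any IFH host).
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "fama.ifh.de",   # consistent PTR/A pair
    "192.0.2.12": "fama.ifh.de",   # PTR claims a name whose A record points elsewhere
}
FAKE_A: Dict[str, List[str]] = {"fama.ifh.de": ["192.0.2.10"]}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver (only used outside the tests)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_a(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def parse_klist(text: str) -> List[str]:
    """Return the service principals listed on ticket lines of klist output."""
    principals = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            principals.append(m.group(1))
    return principals


def resolve_service_host(target: str,
                         ptr_lookup: Callable[[str], Optional[str]],
                         a_lookup: Callable[[str], List[str]]) -> Tuple[Optional[str], str]:
    """Map the ssh target to the host name used in the service principal.

    A host name is used as given.  An IP address needs a PTR record, and
    the PTR answer is only accepted if it resolves back to the same IP
    (forward-confirmed reverse DNS), so a foreign DNS server cannot steer
    the client at an arbitrary host principal just by answering the PTR query.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return target.lower().rstrip("."), "host name used as given"
    name = ptr_lookup(target)
    if name is None:
        return None, f"no PTR record for {target}; cannot build a host principal"
    name = name.lower().rstrip(".")
    if target not in a_lookup(name):
        return None, f"PTR answer {name} does not resolve back to {target}; rejected"
    return name, "reverse lookup confirmed by forward lookup"


def check_gssapi_readiness(target: str, realm: str, klist_text: str,
                           ptr_lookup: Callable[[str], Optional[str]] = system_ptr,
                           a_lookup: Callable[[str], List[str]] = system_a) -> Dict[str, object]:
    """Report the expected host principal and whether a ticket for it is cached."""
    host, reason = resolve_service_host(target, ptr_lookup, a_lookup)
    if host is None:
        return {"principal": None, "ticket": False, "reason": reason}
    principal = f"host/{host}@{realm}"
    return {"principal": principal,
            "ticket": principal in parse_klist(klist_text),
            "reason": reason}


if __name__ == "__main__":
    for t in ("fama.ifh.de", "192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(t, check_gssapi_readiness(t, "IFH.DE", SAMPLE_KLIST, fake_ptr, fake_a))
```

Run as-is, the script shows the four cases: the name and the consistently mapped IP both yield host/fama.ifh.de@IFH.DE with a ticket present; the IP with no PTR record yields no principal at all, which is the failure mode the original question describes; and the IP whose PTR answer does not resolve back is rejected rather than trusted.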