Quoth "Mathieu Nantel" <[EMAIL PROTECTED]>:

| I got this issue where most of the kerberized stuff will not work if the
| hostname in the HOSTS files is the non-FQDN version of the one in
| Kerberos and DNS. I.E.:
|
| [HOSTS file]
| 10.1.2.3      myserver
|
| [DNS]
| 10.1.2.3      myserver.mydomain.com
|
| [Kerberos]
| host/myserver.mydomain.com
|
| Is there no way to tell the GSSAPI to use DNS for its naming
| requirements?
|
| I can't be certain that GSSAPI is the guilty component, but I noticed
| that kerberized rcp and telnet won't refuse the connection in the previously
| mentioned situation. I recall seeing in the Kerberos source that ftp is
| actually named GSS-FTP (hence my accusing finger at GSSAPI).

I hope you're not too put off by all the accusing fingers pointing back
at you!  If it weren't for that embarrassing telnet client, they would
have a pretty good case.

I filed a bug report against ftp's DNS; I have probably filed it
every other release since 1.0.5 or so, and I guess it or something
like it may be in service at many sites through various "monster patch"
collections of stuff that MIT gets but won't look at.  I'm not at all
sure it would solve your problem.  The problem isn't really GSSAPI,
and it turns up in Kerberos clients like Heimdal telnet.  All ftp needs
is a "reverse lookup":  gethostbyaddr() on the IP address it used for
the connection.  That just anticipates the gethostbyaddr() that will
eventually occur in gss_import_name -> krb5_sname_to_principal anyway.
The idea is that IP -> DNS -> IP -> ... is a stable loop, but it has
to start with IP - initial DNS can be a "cluster" name whose "A" records
vary dynamically.  At my site, see homer.u.washington.edu, a "host" with
ca. 40 actual host addresses, and there appear to be plenty of other
sites that have hosts like this.

I don't know if it would solve your problem, because when I use /etc/hosts
on NetBSD, gethostbyaddr() returns the short name.  But then, telnet
doesn't work for me in this case, either.

You mention ssh in a followup.  That can be confusing.  The model
ssh uses for its own keys is, like SSL, based on whatever you use for a
host name - because you're storing the keys.  Kerberos deals with a 3rd
party for keys and therefore must work the other way.  It's confusing
because ssh also supports Kerberos, but at least ssh1 gets that right.

While I'm at it, ftpd should also identify itself based on the IP address
associated with the incoming connection.  That would allow it to support
hosts with multiple interfaces, each with a distinct and consistent IP + DNS.  
Of course again, telnetd already works, but it isn't a GSSAPI problem.

        Donn Cave, [EMAIL PROTECTED]
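The reverse-lookup canonicalisation described in the reply above, as an added example that is not part of this thread: it reproduces the /etc/hosts-vs-DNS setup from the original question with constructed lookup tables and shows which service principal each one leads a client to request. The table contents, SEARCH_DOMAIN, the realm name and the function names are assumptions for the demonstration.

```python
import socket
from typing import Callable, Dict, Tuple

Resolver = Callable[[str], str]
SEARCH_DOMAIN = "mydomain.com"
# Constructed tables reproducing the thread's scenario (not real hosts):
# /etc/hosts knows only the short name, DNS (A + matching PTR) the FQDN.
HOSTS_FILE = {"myserver": "10.1.2.3"}
DNS_ZONE = {"myserver.mydomain.com": "10.1.2.3"}


def table_resolver(forward_table: Dict[str, str]) -> Tuple[Resolver, Resolver]:
    """(forward, reverse) lookups answered from one name->address table."""
    reverse_table = {ip: name for name, ip in forward_table.items()}

    def forward(name: str) -> str:
        for candidate in (name, f"{name}.{SEARCH_DOMAIN}"):  # resolver search list
            if candidate in forward_table:
                return forward_table[candidate]
        raise LookupError(name)

    def reverse(ip: str) -> str:  # stands in for gethostbyaddr()
        return reverse_table[ip]

    return forward, reverse


def service_principal(typed_name: str, realm: str, forward: Resolver,
                      reverse: Resolver, service: str = "host") -> str:
    """Principal a client should request: resolve the typed name to the
    address it will connect to, then reverse-look-up that address."""
    ip = forward(typed_name)
    canonical = reverse(ip)
    if forward(canonical) != ip:  # IP -> name -> IP must be a stable loop
        raise ValueError(f"{ip} reverses to {canonical}, which does not map back")
    return f"{service}/{canonical}@{realm}"


def libc_resolvers() -> Tuple[Resolver, Resolver]:
    """Same two lookups against the real system resolver (needs network)."""
    return (lambda name: socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0],
            lambda ip: socket.gethostbyaddr(ip)[0])


if __name__ == "__main__":
    kdc_has = "host/myserver.mydomain.com@MYDOMAIN.COM"
    for label, table in (("/etc/hosts", HOSTS_FILE), ("DNS", DNS_ZONE)):
        wanted = service_principal("myserver", "MYDOMAIN.COM", *table_resolver(table))
        print(f"{label:10} -> {wanted}  {'OK' if wanted == kdc_has else 'MISMATCH'}")
```

With the hosts-file table the client asks for host/myserver, which the KDC does not have; with DNS the reverse lookup yields the FQDN and the principal matches.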
