Simon Wilkinson wrote:

> >If so, why does the available name depend on the `hostname` setting
> >without any change in the DNS?
>
> Because the server picks the acceptor principal to use for incoming
> connections by resolving the machine's hostname. You can disable
> this behaviour, and permit any principal[1] whose key is in the
> default keytab by using a recent version, and setting
> GSSAPIStrictAcceptorCheck to 'no'

The FreeBSD sshd does not seem to have this option.

However, I think I have found an alternative solution after reading the Kerberos FAQ. I have created for the server a DNS name with multiple A RRs. If one of the IP addresses becomes unreachable, the ssh client begins to try other addresses in turn until it eventually connects. In this setup, GSSAPI auth always works because the hostname is the same.

I wonder if browsers, MUAs and other client applications are also expected to try each IP address until success, but this is already another story.

[dd]

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
