Is it possible to use Kerberos (specifically OpenSSH w/GSSAPI Key Exchange) on a system with 2 hostnames, but both hostnames have the same DNS A record and therefore the same IP address?
The problem I'm seeing is OpenSSH using gssapi-keyex authentication only seems to work part of the time. The rest of the time I get the following when ssh'ing from a client to this particular host:

    ...
    debug1: Calling gss_init_sec_context
    debug1: Delegating credentials
    debug1: Received GSSAPI_COMPLETE
    debug1: Calling gss_init_sec_context
    debug1: Delegating credentials
    debug1: An invalid name was supplied
    No error
    gss_init_context failed

I'm guessing this is because the client system is confused because multiple hostnames are returned from a reverse DNS lookup of the server IP.

The odd thing about this is it only fails when ssh'ing FROM a Linux (Red Hat/CentOS) host. If the connection comes from an OS X host (10.3, 10.4, 10.5, 10.6) it works 100% of the time. And, I only have one Solaris host (2.8), but it seems to work fine from it as well. The OS X and Solaris hosts are all using various versions of OpenSSH w/GSSAPI Key Exchange.

The server is CentOS 4.8 using OpenSSH 5.6 w/GSSAPI Key Exchange. The OpenSSH server was built with statically linked Kerberos 1.6.3.

The host has 2 hostnames, but the DNS A record for both hostnames is the same, so:

    $ host external.example.com
    external.example.com has address 1.2.3.4
    $ host internal.example.com
    internal.example.com has address 1.2.3.4
    $ host 1.2.3.4
    4.3.2.1.in-addr.arpa domain name pointer external.example.com.
    4.3.2.1.in-addr.arpa domain name pointer internal.example.com.

There are "host" principals for both hostnames in /etc/krb5.keytab and GSSAPIStrictAcceptorCheck is set to "no" in sshd_config.

Is this a bug/deficiency in the standard Kerberos library? Or a bug/deficiency in how OpenSSH is using it? I'm guessing this only because it seems to work fine when coming from an OS X host and I understand OS X uses their own customized Kerberos and/or OpenSSH implementation.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
