On Tue, 2011-04-26 at 15:41 -0400, [email protected] wrote: > The odd thing about this is it only fails when ssh'ing FROM a linux > (redhat/centos) host. If the connection comes from an OS X host (10.3, > 10.4, 10.5, 10.6) it works 100% of the time. And, I only have one Solaris > host (2.8), but it seems to work fine from it as well. The OS X and > Solaris hosts are all using various versions of OpenSSH w/GSSAPI Key > Exchange.
I'm not entirely sure what's going wrong, but I can explain this part, I think. Solaris Kerberos defaults to not doing reverse canonicalization of hosts, and OSX may do so as well. > There are "host" principals for both hostnames in /etc/krb5.keytab and > GSSAPIStrictAcceptorCheck is set to "no" in sshd_config. I would expect the authentication exchange to work regardless of which service principal the client chooses, in this configuration. If you can get the sshd -d output on the server, there might be some enlightening information there. It's conceivable that the client is performing the canonicalization step twice and getting different answers, but I don't know what the details of that scenario would be. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
