Admittedly, this may be a crazy idea. But I've got kerberized SSH working, as long as FQDNs are resolvable via /etc/hosts or DNS. I'm investigating the possibility of using mDNS for host resolution, using Avahi.
It seems that an SSH client does a DNS resolution, then a reverse, to determine the FQDN in order to find the server in Kerberos. The initial resolution to the IP works fine; the reverse is returning the mDNS name (hostname.local) instead of the FQDN, which doesn't exist in Kerberos.

As I see it, there are a few workarounds:

- Trick Avahi to return the FQDN. Not sure how do-able this is.
- Trick Kerberos to map hostname.local to the FQDN. I can map a domain to a particular realm, but I can't figure out how to map a domain to a principal name inside that realm.
- Add the mDNS hostnames as Kerberos principals (host/hostname.local@REALM). Not sure if this would work or not.

Thoughts? Other bright ideas?

Thanks,
Norman

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
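The forward-then-reverse lookup described in the post can be reproduced outside SSH to see which `host/` principal a client would end up requesting. This is an added example, not part of the original message; the host names, address, realm and principal list are constructed, and the fallback to the typed name when no reverse record exists is an assumption of this sketch.

```python
import socket

def canonical_host(name, forward=None, reverse=None):
    """Forward-resolve name, then reverse-resolve the resulting address."""
    # Default resolvers use the system's NSS stack (files, DNS, mDNS, ...).
    forward = forward or (lambda n: socket.getaddrinfo(
        n, 22, proto=socket.IPPROTO_TCP)[0][4][0])
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    addr = forward(name)
    try:
        canon = reverse(addr)
    except (socket.herror, socket.gaierror, KeyError):
        canon = name  # assumption: keep the typed name if no reverse record
    return addr, canon.rstrip(".").lower()

def service_principal(name, realm, known, forward=None, reverse=None):
    """Build host/<canonical>@REALM and report whether the KDC list has it."""
    addr, canon = canonical_host(name, forward, reverse)
    principal = f"host/{canon}@{realm}"
    return {"address": addr, "canonical": canon,
            "principal": principal, "in_kdc": principal in known}

# Constructed sample data (not taken from the post).
REALM = "EXAMPLE.COM"
KNOWN = {"host/web1.example.com@EXAMPLE.COM"}
FORWARD = {"web1.example.com": "192.0.2.10"}.__getitem__
REVERSE_DNS = {"192.0.2.10": "web1.example.com"}.__getitem__
REVERSE_MDNS = {"192.0.2.10": "web1.local"}.__getitem__  # the case in the post

def compare(name="web1.example.com"):
    """Same host, two reverse answers: only one principal exists in the KDC."""
    return {
        "dns": service_principal(name, REALM, KNOWN, FORWARD, REVERSE_DNS),
        "mdns": service_principal(name, REALM, KNOWN, FORWARD, REVERSE_MDNS),
    }

if __name__ == "__main__":
    for source, result in compare().items():
        print(source, result)
```

Calling `service_principal()` without the `forward` and `reverse` arguments runs the same check against the machine's live resolver configuration.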
