Bugzilla – Bug 4681
Kerberos authentication requires that agent_hostname is set in vsmagent.hconf
Last modified: 2013-06-18 14:02:18
You need to
before you can comment on or make changes to this bug.
Otherwise, ssh is connecting to an IP address and doesn't know the realm. We
should try to avoid this requirement, perhaps by passing the realm as an
argument to ssh.
The original comment is actually incorrect. SSH needs to know the principal of
the remote server, not just the realm. So the information we get from the
master is insufficient.
The patch referenced in bug 4707 also adds support for doing a reverse lookup
of the ip address to figure out the principal. Not sure about the security
implications of doing that though, and it is disabled by default.
Things are apparently a bit more odd that we first suspected. We've found a
system where we can connect to SSH even when using an ip address. We do not yet
know what is different about this system.
We have discovered some things in the process of debugging this though:
1. ssh does indeed give GSSAPI the ip address for the requested token name
2. GSSAPI (at least MIT's) will by itself do a reverse lookup and use that when
requesting a service ticket ("220.127.116.11" => "server.example.com" =>
3. ssh will get a proper service ticket both in the working and non-working
4. Some servers still reject this ticket for unknown reasons.
More confusion. I cannot reproduce this problem on Linux, but it does happen on
There is however a setting with MIT kerberos that controls this, called "rdns".
It is enabled by default, but some distributions (e.g. Fedora 19) explicitly
disables it. Aaron was using a Fedora 19 for his testing, so that is probably
why he saw the problem initially.
It is also disabled on Windows. No idea if there is a way to enable that