[Bug 1008] GSSAPI authentication fails with Round Robin DNS hosts

bugzilla-daemon at mindrot.org
Fri Apr 1 00:08:40 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=1008





------- Additional Comments From ahaupt at ifh.de  2005-04-01 00:08 -------
(NOTE: this might be a repost as the mail reply ended up with a Postfix error
message: Diagnostic-Code: X-Postfix; unknown user: "bitbucker")

(In reply to comment #1)
> Is that related to bug #928?

I don't think so. If I understand the patch for bug #928 correctly, it
solves a problem when hosts have more than one IP address / host name. It's
furthermore situated on the server side.

My problem is situated on the client side. The ssh client should obtain the
Kerberos ticket for exactly that host it has connected to. With the current
lookup behaviour this is not possible. Round robin DNS offers more than one
IP address. These addresses belong to hosts that are completely independent
from each other, except that they share the same ssh keys (ssh_host_rsa_key
et al).

Example:

[fuchur] ~ % host pub.ifh.de
pub.ifh.de is an alias for pub.iss.ifh.de.
pub.iss.ifh.de has address 141.34.15.194
pub.iss.ifh.de has address 141.34.1.150
[fuchur] ~ % host pub.ifh.de
pub.ifh.de is an alias for pub.iss.ifh.de.
pub.iss.ifh.de has address 141.34.1.150
pub.iss.ifh.de has address 141.34.15.194
[fuchur] ~ %

Greetings
Andreas
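
The failure mode described in the comment above, as an added example that is not part of the original post and is not OpenSSH code: a service ticket is encrypted under the key of the host it names, so a client that names the service from a fresh lookup of a rotating alias can end up holding a ticket for a different host than the one its socket reached. The zone data (pub.example.test, node-a/node-b, RFC 5737 addresses), the resolver model and the "second lookup" behaviour are assumptions constructed for illustration.

```python
# Added illustration; names, addresses and the resolver model are constructed.
from itertools import cycle

# Constructed round-robin zone: one alias, two independent hosts.
A_RECORDS = {"pub.example.test": ["192.0.2.10", "192.0.2.20"]}
PTR_RECORDS = {"192.0.2.10": "node-a.example.test",
               "192.0.2.20": "node-b.example.test"}


class RoundRobinResolver:
    """Models a DNS server that rotates the A-record order on every query."""

    def __init__(self, a_records, ptr_records):
        self._a, self._ptr = a_records, ptr_records
        self._rotation = {n: cycle(range(len(v))) for n, v in a_records.items()}

    def lookup(self, name):
        addrs = self._a[name]
        start = next(self._rotation[name])
        return addrs[start:] + addrs[:start]

    def reverse(self, addr):
        return self._ptr[addr]


def connect(name, resolver):
    """Stand-in for the TCP connect: the client uses the first address returned."""
    return resolver.lookup(name)[0]


def principal_by_second_lookup(name, resolver):
    """Assumed problematic behaviour: resolve the alias again to name the service."""
    return "host/" + resolver.reverse(resolver.lookup(name)[0])


def principal_for_peer(peer_addr, resolver):
    """Behaviour the comment asks for: name the host the socket is connected to."""
    return "host/" + resolver.reverse(peer_addr)


def demo():
    resolver = RoundRobinResolver(A_RECORDS, PTR_RECORDS)
    peer = connect("pub.example.test", resolver)                      # query 1
    wrong = principal_by_second_lookup("pub.example.test", resolver)  # query 2, rotated
    right = principal_for_peer(peer, resolver)
    return peer, wrong, right


if __name__ == "__main__":
    print(demo())
```

In a real client the peer address would come from the connected socket (for example `getpeername()`), not from another query for the alias.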


