[Bug 1008] GSSAPI authentication fails with Round Robin DNS hosts

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Aug 19 22:26:57 EST 2006


http://bugzilla.mindrot.org/show_bug.cgi?id=1008





------- Comment #6 from simon at sxw.org.uk  2006-08-19 22:26 -------
Created an attachment (id=1177)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1177&action=view)
Add option to do GSSAPI canonicalization in the client, rather than the
library

Here's the patch.

This creates a new configuration directive 'GSSAPITrustDNS', which if
set, will cause the ssh client to canonicalize the hostname before
passing it to the GSSAPI libraries. As the client caches
canonicalization results, this means that the libraries are always
called with the hostname that the client is connected to.

Whilst GSSAPI libraries perform canonicalization internally, this is
the only way of avoiding the GSSAPI picking a different hostname than
the ssh client. In the long term, GSSAPI implementations should not be
performing canonicalization, and should be using the hostname passed by
the user to request service tickets - but this seems a long way off.
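
The mismatch the comment above describes, as an added simulation that is not part of the original comment and is not the attached patch. The two-host zone, the `resolve_alias()` resolver and the `trust_dns` flag (standing in for 'GSSAPITrustDNS') are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Constructed round-robin zone: one alias, two hosts (documentation ranges). */
struct rr { const char *addr, *name; };
static const struct rr pool[] = {
    { "192.0.2.10", "node1.example.org" },
    { "192.0.2.11", "node2.example.org" },
};
static unsigned next_rr;  /* advances on every forward lookup of the alias */

/* Simulated lookup of the alias. Strict rotation is the worst case; a real
 * resolver may repeat an answer, so real failures are intermittent. */
static const struct rr *resolve_alias(void) {
    return &pool[next_rr++ % (sizeof pool / sizeof pool[0])];
}

/* Build the host-based service name handed to GSSAPI for one connection.
 * trust_dns=0: the library canonicalizes with its own, independent lookup.
 * trust_dns=1: the client reuses the name of the host it connected to. */
static void target_name(int trust_dns, const struct rr *connected,
                        char *out, size_t n) {
    const struct rr *h = trust_dns ? connected : resolve_alias();
    snprintf(out, n, "host@%s", h->name);
}

/* Count connections whose ticket request names a host other than the peer. */
int mismatches(int trust_dns, int connections) {
    int bad = 0;
    char target[128];
    for (int i = 0; i < connections; i++) {
        const struct rr *connected = resolve_alias();  /* TCP peer */
        target_name(trust_dns, connected, target, sizeof target);
        if (strcmp(target + 5, connected->name) != 0) {  /* skip "host@" */
            printf("connected to %s, requested %s\n", connected->name, target);
            bad++;
        }
    }
    return bad;
}

int main(void) {
    printf("library canonicalization: %d of 4 mismatched\n", mismatches(0, 4));
    printf("client canonicalization:  %d of 4 mismatched\n", mismatches(1, 4));
    return 0;
}
```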



