
Re: i cannot understand sshd behavior



Hi,

On Tue, 3 Apr 2007, Douglas E. Engert wrote:

> Andreas Haupt wrote:
>> Hi,
>> 
>> sorry for the delay.
>> 
>> On Tue, 13 Mar 2007, Douglas E. Engert wrote:
>> 
>>>> Does the reverse lookup (mapping ip to fqdn) work? Depending on 
>>>> /etc/nsswitch.conf something like this should give you a fqdn of the 
>>>> desired host name:
>>> 
>>> Why do you think there is a name mapping going on? You gave
>>> it an explicit IP to try.
>> 
>> because the ssh client simply does a name lookup if you specify an ip 
>> address. Otherwise this wouldn't work, would it?
>
> ssh does not need the name mapping, it can use the IP number.
> Note the line: "Connecting to 141.34.2.135 [141.34.2.135] port 22".
> Normally it would say "Connecting to fama.ifh.de [141.34.2.135] port 22"
>
> But the GSSAPI should need to map the ip to the name to get a principal
> name of the host to get a service ticket. (Can the heimdal GSS do this?)

OK. Yes, at least version 0.7.2, which we are using, can do this.

> What does the klist show on the machine where the ssh was run?
>
> Does it have a service ticket for host/fama.ifh.de@IFH.DE
> Or did you create a host principal with the ip number,
> host/141.34.2.135@IFH.DE???

The first one, there are no keys of the second kind here:

Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
         Principal: ahaupt@IFH.DE

   Issued           Expires          Principal
Apr  3 16:03:58  Apr  4 17:03:58  krbtgt/IFH.DE@IFH.DE
Apr  3 16:03:58  Apr  4 17:03:58  afs@IFH.DE
Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE

> Note the security risk here of using the ip number. You are now
> trusting the DNS server to return the correct mapping. If the IP
> is registered to some other site, it will be the other site's DNS
> server responding.

Sure, nevertheless the host key still matches so I'm sure the host I'm 
connecting to is the correct one.

I actually only wanted to help answering the original question why GSSAPI 
authentication works with the hostname but not with the ip address. As the 
gss lib needs to do the reverse lookup somehow, this should be the first 
thing to look at.

Cheers,
Andreas

-- 
| Andreas Haupt                | E-Mail: andreas.haupt@desy.de
|  DESY Zeuthen                | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6             | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen             | Fax:    +49/33762/7-7216
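The mapping the thread describes (hostname given directly, or IP address turned into a name by reverse DNS, then into a host/fqdn@REALM service principal that must show up in klist) as an added, stand-alone example; this is not code from the thread or from OpenSSH/Heimdal. It assumes a constructed PTR table in place of a live DNS query and reuses the klist output quoted above as sample input; the real GSS library's canonicalisation may differ in details (e.g. extra forward lookups).

```python
import ipaddress
import re

# Sample input: the klist output quoted in the thread above.
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
        Principal: ahaupt@IFH.DE

  Issued           Expires          Principal
Apr  3 16:03:58  Apr  4 17:03:58  krbtgt/IFH.DE@IFH.DE
Apr  3 16:03:58  Apr  4 17:03:58  afs@IFH.DE
Apr  3 16:04:02  Apr  4 17:03:58  host/fama.ifh.de@IFH.DE
"""

# Constructed stand-in for the DNS server's PTR records (assumption, no network lookup).
PTR_TABLE = {"141.34.2.135": "fama.ifh.de"}

# Matches one ticket line of klist output and captures the principal column.
TICKET_LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\w{3}\s+\d+\s+[\d:]+\s+(\S+)$")


def expected_host_principal(target, realm, reverse_lookup):
    """Return (principal, used_reverse_dns) for the host the client was told to reach.

    A literal IP address carries no name, so the name (and with it the principal)
    comes from reverse DNS, which is the trust-in-DNS point raised in the thread.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return f"host/{target.lower()}@{realm}", False  # name given directly
    fqdn = reverse_lookup(target)
    if fqdn is None:
        return None, True  # no PTR record: GSSAPI cannot build a principal
    return f"host/{fqdn.lower()}@{realm}", True


def service_tickets(klist_text):
    """Parse klist output and return the set of principals the cache holds."""
    return {m.group(1) for m in map(TICKET_LINE.match, klist_text.splitlines()) if m}


def check_target(target, realm, klist_text, reverse_lookup=PTR_TABLE.get):
    """Report which principal a GSSAPI login to `target` needs and whether a ticket exists."""
    principal, via_rdns = expected_host_principal(target, realm, reverse_lookup)
    present = principal is not None and principal in service_tickets(klist_text)
    return {"principal": principal, "via_reverse_dns": via_rdns, "ticket_present": present}
```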