Re: i cannot understand sshd behavior
Andreas Haupt wrote:
> Hi,
>
> On Tue, 3 Apr 2007, Douglas E. Engert wrote:
>
>> Andreas Haupt wrote:
>>> Hi,
>>>
>>> sorry for the delay.
>>>
>>> On Tue, 13 Mar 2007, Douglas E. Engert wrote:
>>>
>>>>> Does the reverse lookup (mapping ip to fqdn) work? Depending on
>>>>> /etc/nsswitch.conf something like this should give you a fqdn of
>>>>> the desired host name:
>>>>
>>>> Why do you think there is a name mapping going on? You gave
>>>> it an explicit IP to try.
>>>
>>> because the ssh client simply does a name lookup if you specify an ip
>>> address. Otherwise this wouldn't work, would it?
>>
>> ssh does not need the name mapping, it can use the IP number.
>> Note the line: "Connecting to 141.34.2.135 [141.34.2.135] port 22".
>> Normally it would say "Connecting to fama.ifh.de [141.34.2.135] port 22"
>>
>> But the GSSAPI should need to map the ip to the name to get a principal
>> name of the host to get a service ticket. (Can the heimdal GSS do this?)
>
> OK. Yes, at least version 0.7.2 we are using can do this.
>
>> What does the klist show on the machine where the ssh was run?
>>
>> Does it have a service ticket for host/fama.ifh.de@IFH.DE
>> Or did you create a host principal with the ip number,
>> host/141.34.2.135@IFH.DE???
>
> The first one, there are no keys of the second kind here:
>
> Credentials cache: FILE:/tmp/krb5cc_9132_Khqzza
> Principal: ahaupt@IFH.DE
>
> Issued Expires Principal
> Apr 3 16:03:58 Apr 4 17:03:58 krbtgt/IFH.DE@IFH.DE
> Apr 3 16:03:58 Apr 4 17:03:58 afs@IFH.DE
> Apr 3 16:04:02 Apr 4 17:03:58 host/fama.ifh.de@IFH.DE
>
>> Note the security risk here of using the ip number. You are now
>> trusting the DNS server to return the correct mapping. If the IP
>> is registered to some other site, it will be the other site's DNS
>> server responding.
>
> Sure, nevertheless the host key still matches so I'm sure the host I'm
> connecting to is the correct one.
Only if you distributed the host keys out of band, and not just
accepted the key on the first connection.
>
> I actually only wanted to help answering the original question why
> GSSAPI authentication works with the hostname but not with the ip
> address. As the gss lib needs to do the reverse lookup somehow, this
> should be the first thing to look at.
>
> Cheers,
> Andreas
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
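The dependence on reverse DNS that this thread is about, as an added illustration (not code from the thread or from any GSS library): when the target is an IP literal the library has to turn it into a name before it can ask for host/<name>@REALM, so whoever answers the PTR query picks the principal. The lookups here are replaced by constructed dictionaries so the script runs offline; fama.ifh.de, IFH.DE and 141.34.2.135 are taken from the thread, and 203.0.113.7 is a made-up documentation address. The forward-confirmation check (the PTR name must resolve back to the same address) is one mitigation a defender can apply before trusting the mapping.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-ins for DNS. Real code would call socket.gethostbyaddr()
# for the PTR lookup and socket.getaddrinfo() for the forward lookup.
PTR_RECORDS: Dict[str, str] = {"141.34.2.135": "fama.ifh.de"}
A_RECORDS: Dict[str, List[str]] = {"fama.ifh.de": ["141.34.2.135"]}


def host_principal(target: str, realm: str,
                   ptr: Dict[str, str] = PTR_RECORDS,
                   a: Dict[str, List[str]] = A_RECORDS,
                   forward_confirm: bool = True) -> Optional[str]:
    """Derive the host service principal the way a GSS library does.

    A hostname is used as given. An IP literal needs a reverse (PTR)
    lookup first; with forward_confirm the resulting name must also
    resolve back to the original address, so a PTR record that somebody
    else controls cannot hand us an arbitrary principal name.
    Returns None when the mapping is missing or not confirmed.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: no DNS round trip involved in naming the principal.
        return f"host/{target.lower()}@{realm}"

    name = ptr.get(target)          # PTR answer, controlled by the reverse zone owner
    if name is None:
        return None
    if forward_confirm and target not in a.get(name, []):
        # The name does not point back at the address we connected to.
        return None
    return f"host/{name.lower()}@{realm}"


if __name__ == "__main__":
    # Same host as in the thread: IP and name give the same principal.
    print(host_principal("141.34.2.135", "IFH.DE"))
    # A foreign address whose PTR record merely claims to be fama.ifh.de.
    forged = {"203.0.113.7": "fama.ifh.de"}
    print(host_principal("203.0.113.7", "IFH.DE", ptr=forged, forward_confirm=False))
    print(host_principal("203.0.113.7", "IFH.DE", ptr=forged))
```

Without forward confirmation the forged PTR yields the same principal as the real host; with it the mapping is rejected and no ticket would be requested on the strength of that DNS answer alone.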