2 fqdn


Antoine Jacoutot
Hello...

I have a stupid question, really.
I have an OpenSSH server that has 2 interfaces. I authenticate to it
with GSSAPI. This server runs a Heimdal KDC.
All is working fine except one little annoyance: on the DNS, this server
has 2 different fqdn that correspond to its different interfaces.
ie: 192.168.1.1 --> server.domain01.com
     192.168.2.1 --> server.domain02.com

Now, on the server itself, of course I can only set one hostname which
is server.domain01.com.
Using GSSAPI I can only connect to this server using the address
server.domain01.com; if I use server.domain02.com I cannot authenticate,
which seems logical since the fqdn is different.

What works:

$ kinit username

username@DOMAIN's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ ssh server.domain01.com

What does not work:

$ kinit username

username@DOMAIN's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ ssh server.domain02.com
Permission denied (gssapi-with-mic)

So, does anyone know if there's a way to use both hostnames and make
GSSAPI work?
Thanks in advance.

Regards,

Antoine

Re: 2 fqdn

Michael B Allen-4
On Fri, 04 Nov 2005 14:03:56 +0100
Antoine Jacoutot <[hidden email]> wrote:

> Hello...
>
> I have a stupid question, really.
> I have an OpenSSH server that has 2 interfaces. I authenticate to it
> with GSSAPI. This server runs a Heimdal KDC.
> All is working fine except one little annoyance: on the DNS, this server
> has 2 different fqdn that correspond to its different interfaces.
> ie: 192.168.1.1 --> server.domain01.com
>      192.168.2.1 --> server.domain02.com
>
<snip>
> So, does anyone know if there's a way to use both hostnames and make
> GSSAPI work?

Did you create both host/[hidden email] and
host/[hidden email] SPNs? Google for "multihomed kdc". No
doubt people have explored this issue before.

But I think a bigger problem with multihomed systems in general is
this will be the services that only accept principals with a hostname
matching that of the primary name of the local machine. Ideally all
services would support the concept of virtual hosting but I seriously
doubt they do consistently. Ssh might though, I don't know.

Mike

Re: 2 fqdn

Antoine Jacoutot
Michael B Allen wrote:
> Did you create both host/[hidden email] and
> host/[hidden email] SPNs? Google for "multihomed kdc". No
> doubt people have explored this issue before.

Oh, yes of course I did... sorry I haven't been clear on that.
And of course I extracted the 2 keys in the server keytab.

> But I think a bigger problem with multihomed systems in general is
> this will be the services that only accept principals with a hostname
> matching that of the primary name of the local machine. Ideally all
> services would support the concept of virtual hosting but I seriously
> doubt they do consistently. Ssh might though, I don't know.

All right, so this is where the problem lies I guess. OpenSSH does not
seem to play well with GSSAPI and virtual hosting.

Thanks for your input.

Antoine

Re: 2 fqdn

Markus Moeller
Antoine,

have a look at bugzilla.mindrot.org
(http://bugzilla.mindrot.org/show_bug.cgi?id=928). I added a bug report with a
patch some time ago regarding this issue. Find attached a patch for 4.2p1.

Regards
Markus

On Fri Nov  4 17:06 , Antoine Jacoutot <[hidden email]> sent:

>Michael B Allen wrote:
>> Did you create both host/[hidden email] and
>> host/[hidden email] SPNs? Google for "multihomed kdc". No
>> doubt people have explored this issue before.
>
>Oh, yes of course I did... sorry I haven't been clear on that.
>And of course I extracted the 2 keys in the server keytab.
>
>> But I think a bigger problem with multihomed systems in general is
>> this will be the services that only accept principals with a hostname
>> matching that of the primary name of the local machine. Ideally all
>> services would support the concept of virtual hosting but I seriously
>> doubt they do consistently. Ssh might though, I don't know.
>
>All right, so this is where the problem lies I guess. OpenSSH does not
>seem to play well with GSSAPI and virtual hosting.
>
>Thanks for your input.
>
>Antoine


Attachment: openssh4.2p1multi.patch (6K)

Re: 2 fqdn

Craig Huckabee
Antoine Jacoutot wrote:

> Michael B Allen wrote:
>
>> But I think a bigger problem with multihomed systems in general is
>> this will be the services that only accept principals with a hostname
>> matching that of the primary name of the local machine. Ideally all
>> services would support the concept of virtual hosting but I seriously
>> doubt they do consistently. Ssh might though, I don't know.
>
>
> All right, so this is where the problem lies I guess. OpenSSH does not
> seem to play well with GSSAPI and virtual hosting.


There are patches available to OpenSSH that make it use the name of the
port that the connection comes in on for just this sort of situation.


--Craig
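The two failure modes discussed in this thread (Mike's point that a service may only accept the principal matching the machine's primary hostname, and Craig's note that patches make sshd use the name of the interface the connection arrived on) modelled as a small simulation. This is an added example, not code from the thread or from OpenSSH; the keytab listing, reverse-DNS table, realm EXAMPLE.COM and the primary hostname are constructed assumptions.

```python
import re

# Constructed: what a `klist -k` style listing of the server keytab looks
# like once both host/ SPNs have been extracted, as Antoine describes.
KEYTAB_LISTING = """\
Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  host/server.domain01.com@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  host/server.domain02.com@EXAMPLE.COM
"""

# Constructed: PTR records for the two interfaces from the original post.
REVERSE_DNS = {
    "192.168.1.1": "server.domain01.com",
    "192.168.2.1": "server.domain02.com",
}

PRIMARY_HOSTNAME = "server.domain01.com"  # assumed gethostname() result
REALM = "EXAMPLE.COM"                     # assumed Kerberos realm


def keytab_principals(listing):
    """Set of service principals present in a klist -k style listing."""
    return set(re.findall(r"(host/\S+)", listing))


def acceptor_name_primary(local_addr):
    """Unpatched model: sshd always presents host/<primary hostname>."""
    return f"host/{PRIMARY_HOSTNAME}@{REALM}"


def acceptor_name_by_interface(local_addr):
    """Patched model: name derived from the address the client connected to."""
    return f"host/{REVERSE_DNS[local_addr]}@{REALM}"


def client_target(ssh_hostname):
    """Service principal the client asks the KDC for on `ssh <hostname>`."""
    return f"host/{ssh_hostname}@{REALM}"


def gssapi_accept(ssh_hostname, local_addr, choose_name, keytab=KEYTAB_LISTING):
    """True when the client's service ticket names the acceptor principal
    sshd chose and that principal has a key in the keytab; otherwise the
    client sees 'Permission denied (gssapi-with-mic)'."""
    wanted = client_target(ssh_hostname)
    acceptor = choose_name(local_addr)
    return wanted == acceptor and acceptor in keytab_principals(keytab)
```

Having both keys in the keytab is necessary but not sufficient: with the primary-name model the second interface still fails, which is exactly the symptom in the first post.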


Re: 2 fqdn

Antoine Jacoutot
Markus Moeller wrote:
> have a look at bugzilla.mindrot.org
> (http://bugzilla.mindrot.org/show_bug.cgi?id=928). I added a bug report with a
> patch some time ago regarding this issue. Find attached a patch for 4.2p1.

Fantastic, thank you very much for that :)
And thanks to Craig Huckabee who also told me about the patch.

Regards,

Antoine