Multiple hostnames with same IP address (DNS A record)


Multiple hostnames with same IP address (DNS A record)

petesea
Is it possible to use Kerberos (specifically OpenSSH w/GSSAPI Key
Exchange) on a system with 2 hostnames, but both hostnames have the same
DNS A record and therefore the same IP address?

The problem I'm seeing is OpenSSH using gssapi-keyex authentication only
seems to work part of the time.  The rest of the time I get the following
when ssh'ing from a client to this particular host:

   ...
   debug1: Calling gss_init_sec_context
   debug1: Delegating credentials
   debug1: Received GSSAPI_COMPLETE
   debug1: Calling gss_init_sec_context
   debug1: Delegating credentials
   debug1: An invalid name was supplied
   No error

   gss_init_context failed

I'm guessing this is because the client system is confused because
multiple hostnames are returned from a reverse DNS lookup of the server
IP.

The odd thing about this is it only fails when ssh'ing FROM a linux
(redhat/centos) host.  If the connection comes from an OS X host (10.3,
10.4, 10.5, 10.6) it works 100% of the time.  And, I only have one Solaris
host (2.8), but it seems to work fine from it as well.  The OS X and
Solaris hosts are all using various versions of OpenSSH w/GSSAPI Key
Exchange.

The server is CentOS 4.8 using OpenSSH 5.6 w/GSSAPI Key Exchange.   The
OpenSSH server was built with statically linked Kerberos 1.6.3.

The host has 2 hostnames, but the DNS A record for both hostnames is the
same, so:

   $ host external.example.com
   external.example.com has address 1.2.3.4

   $ host internal.example.com
   internal.example.com has address 1.2.3.4

   $ host 1.2.3.4
   4.3.2.1.in-addr.arpa domain name pointer external.example.com.
   4.3.2.1.in-addr.arpa domain name pointer internal.example.com.

There are "host" principals for both hostnames in /etc/krb5.keytab and
GSSAPIStrictAcceptorCheck is set to "no" in sshd_config.

Is this a bug/deficiency in the standard Kerberos library?  Or a
bug/deficiency in how OpenSSH is using it?  I'm guessing this, only
because it seems to work fine when coming from an OS X host and I
understand OS X uses their own customized Kerberos and/or OpenSSH
implementation.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Multiple hostnames with same IP address (DNS A record)

Brian Candler
On Tue, Apr 26, 2011 at 12:41:31PM -0700, [hidden email] wrote:
>   $ host external.example.com
>   external.example.com has address 1.2.3.4
>
>   $ host internal.example.com
>   internal.example.com has address 1.2.3.4
>
>   $ host 1.2.3.4
>   4.3.2.1.in-addr.arpa domain name pointer external.example.com.
>   4.3.2.1.in-addr.arpa domain name pointer internal.example.com.

I suggest you try having only a single PTR record, to whatever is the
"primary" hostname.

However what you've done would be acceptable if the machine was multi-homed
(with two different IP addresses):
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbdns

So I can't say for sure why it shouldn't work as you have it.

> There are "host" principals for both hostnames in /etc/krb5.keytab

Do they have the same key? (Again, it shouldn't matter when
GSSAPIStrictAcceptorCheck is no, but just a thought)


Re: Multiple hostnames with same IP address (DNS A record)

Greg Hudson
In reply to this post by petesea
On Tue, 2011-04-26 at 15:41 -0400, [hidden email] wrote:
> The odd thing about this is it only fails when ssh'ing FROM a linux
> (redhat/centos) host.  If the connection comes from an OS X host (10.3,
> 10.4, 10.5, 10.6) it works 100% of the time.  And, I only have one Solaris
> host (2.8), but it seems to work fine from it as well.  The OS X and
> Solaris hosts are all using various versions of OpenSSH w/GSSAPI Key
> Exchange.

I'm not entirely sure what's going wrong, but I can explain this part, I
think.  Solaris Kerberos defaults to not doing reverse canonicalization
of hosts, and OSX may do so as well.

> There are "host" principals for both hostnames in /etc/krb5.keytab and
> GSSAPIStrictAcceptorCheck is set to "no" in sshd_config.

I would expect the authentication exchange to work regardless of which
service principal the client chooses, in this configuration.  If you can
get the sshd -d output on the server, there might be some enlightening
information there.  It's conceivable that the client is performing the
canonicalization step twice and getting different answers, but I don't
know what the details of that scenario would be.



Re: Multiple hostnames with same IP address (DNS A record)

Dan Peterson-3
In reply to this post by Brian Candler
On Wed, 27 Apr 2011, Brian Candler wrote:

> I suggest you try having only have a single PTR record, to whatever is
> the "primary" hostname.
>
> However what you've done would be acceptable if the machine was multi-homed
> (with two different IP addresses):

Yes... both are possible options.  Unfortunately I don't control the DNS
and I'm told the DNS is "correct".  I'm trying to convince those that
control the DNS something needs to change, but that's really just a
work-around.  It's not addressing my real question...

I'm trying to understand WHY this doesn't work given the current
situation, ie, 2 hostnames and 1 IP address.

If it works from an OS X client, why doesn't it work from a linux client?

>> There are "host" principals for both hostnames in /etc/krb5.keytab
>
> Do they have the same key? (Again, it shouldn't matter when
> GSSAPIStrictAcceptorCheck is no, but just a thought)

The same "key"?  Not sure what you mean.  They are completely separate
host principals but they are in the same keytab.  This is how I've done it
for a true multi-homed host (ie separate IP addresses) and it works fine.

Re: Multiple hostnames with same IP address (DNS A record)

petesea
In reply to this post by Greg Hudson
On Wed, 27 Apr 2011, Greg Hudson wrote:

> I'm not entirely sure what's going wrong, but I can explain this part, I
> think.  Solaris Kerberos defaults to not doing reverse canonicalization
> of hosts, and OSX may do so as well.

Does this happen on Solaris even if the Kerberos used is MIT Kerberos?

This particular solaris client is using OpenSSH 5.0p1 w/gssapi-keyex that
was statically linked with MIT Kerberos 1.6.3.

>> There are "host" principals for both hostnames in /etc/krb5.keytab and
>> GSSAPIStrictAcceptorCheck is set to "no" in sshd_config.
>
> I would expect the authentication exchange to work regardless of which
> service principal the client chooses, in this configuration.  If you can
> get the sshd -d output on the server, there might be some enlightening
> information there.

I have tried sshd -e -ddd, but don't see any clues... at least nothing
that helps me.

From the server-side it just seems to close the connection.   Here's the
last bit of the debug output from a failed connection:

   ...
   debug2: set_newkeys: mode 1
   debug1: SSH2_MSG_NEWKEYS sent
   debug1: expecting SSH2_MSG_NEWKEYS
   debug2: monitor_read: 51 used once, disabling now
   debug3: mm_request_receive entering
   Connection closed by 1.2.3.4

And here's that same section of debug output from a successful connection:

   ...
   debug2: set_newkeys: mode 1
   debug1: SSH2_MSG_NEWKEYS sent
   debug1: expecting SSH2_MSG_NEWKEYS
   debug2: monitor_read: 51 used once, disabling now
   debug3: mm_request_receive entering
   debug2: set_newkeys: mode 0
   debug1: SSH2_MSG_NEWKEYS received
   debug1: KEX done
   ...

> It's conceivable that the client is performing the canonicalization step
> twice and getting different answers, but I don't know what the details
> of that scenario would be.

This is what I've suspected, but not sure how to verify it.
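To make the reverse-canonicalization scenario Greg Hudson describes (and petesea asks how to verify) concrete, here is an added Python simulation; it is not code from the thread or from MIT Kerberos. It models a client that canonicalizes the target hostname with a forward lookup followed by a PTR lookup, using DNS data constructed from the records shown in the first post, and shows that with two PTR records for one address the `host/` principal the client targets depends on which PTR the resolver returns first, while with reverse lookup disabled the choice is stable.

```python
"""Simulate client-side hostname canonicalization (forward + reverse DNS)
against a constructed DNS view, to show why two PTR records for one
address make the chosen service principal unstable."""

# Constructed DNS data modelled on the thread; not a real zone.
A_RECORDS = {
    "external.example.com": "1.2.3.4",
    "internal.example.com": "1.2.3.4",
}
PTR_RECORDS = {"1.2.3.4": ["external.example.com", "internal.example.com"]}
REALM = "EXAMPLE.COM"
# Host principals present in the server keytab, as described in the thread.
KEYTAB = {f"host/{h}@{REALM}" for h in A_RECORDS}


def canonicalize(hostname, rdns=True, ptr_rotation=0):
    """Return the hostname the client would put in the service principal.
    With rdns=True the address is reverse-resolved and the first PTR wins;
    ptr_rotation models a resolver handing back the PTR set in a different
    order on different attempts (round-robin), which is what makes the
    result nondeterministic when more than one PTR exists."""
    name = hostname.lower().rstrip(".")
    ip = A_RECORDS[name]
    if not rdns:
        return name
    ptrs = PTR_RECORDS[ip]
    k = ptr_rotation % len(ptrs)
    return (ptrs[k:] + ptrs[:k])[0]


def service_principal(hostname, **kw):
    return f"host/{canonicalize(hostname, **kw)}@{REALM}"


def is_canonicalization_stable(hostname, rdns=True):
    """True when every canonicalization pass yields the same name. Two
    passes disagreeing is the 'canonicalized twice, different answers'
    failure mode; the principals themselves are all in the keytab here."""
    ptrs = PTR_RECORDS[A_RECORDS[hostname.lower().rstrip(".")]]
    passes = {canonicalize(hostname, rdns, i) for i in range(len(ptrs))}
    return len(passes) == 1


def diagnose(hostname, attempts=4):
    """Emulate repeated connections: which principal is targeted each time
    and whether the acceptor has a key for it."""
    return [(p, p in KEYTAB) for p in
            (service_principal(hostname, ptr_rotation=i) for i in range(attempts))]
```

If the MIT krb5 build on the client honours the `rdns` libdefaults setting, setting it to `false` corresponds to the `rdns=False` path above; consolidating to one PTR record corresponds to a single-entry `PTR_RECORDS` list.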