#7724 ssh auth via gssapi fails unless you use FQDN
Opened 5 years ago by adamwill. Modified 5 years ago

Exactly as described in this StackExchange issue, ever since this change to make ipa-client-install set dns_canonicalize_hostname to false in krb5.conf, gssapi auth for ssh connections does not work unless you use the FQDN of the system you want to connect to.

Say our domain is EXAMPLE.COM / example.com, and there are a couple of systems enrolled, test1.example.com and test2.example.com. If you do this from test1:

ssh test2.example.com

and your user is permitted ssh access to test2 by the RBAC policy, gssapi auth will work correctly and you will be logged in. But if you try this:

ssh test2

then it doesn't work. gssapi auth fails. You'll fall through to pubkey / password auth. If you use ssh -vvvv test2, you'll see this:

debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/test2@EXAMPLE.COM not found in Kerberos database

Of note, my system was enrolled to the domain in 2014, and that change is from 2017, so I assume it gets set on upgrade as well as on initial deployment.


The settings are only applied in ipa-client on installation.

It may be that https://bugzilla.redhat.com/show_bug.cgi?id=1481655 changed it.

Ah, yeah, seems likely.

Is it possible to fix this, or should I just go round changing the setting on all my systems? There is no way I'm spending the rest of my life typing ssh www.happyassassin.net instead of just ssh www.

Either you willingly accept that the possibility of DNS spoofing is part of your setup and thus change the setting back, or you follow the more secure default. We made a choice for security.

See https://ssimo.org/blog/id_015.html for some details.

The commit message doesn't suggest in any way that this has anything to do with security, though. And that angle isn't suggested anywhere else (e.g. code comments or config file comments) that I can see. The relevance of that blog post to the ssh case I mentioned is not immediately obvious to me.

> There is no way I'm spending the rest of my life typing ssh www.happyassassin.net instead of just ssh www.

Just in this specific example, there already exists a workaround that is actually safe. ssh_config can be used to provide a shortcut name.

Just add to ~/.ssh/config:

Host www
  Hostname www.happyassassin.net

This change would work just for ssh, but it solves the example used.

Note that with FreeIPA one can add a Kerberos principal alias if 'www' is a unique name. See my recent blog on the Kerberos host-based principal resolution in FreeIPA environment: https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/
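The following is an added illustration, not part of the ticket and not FreeIPA or MIT krb5 code. It models the three resolution paths discussed in the thread: the name the client types, the Hostname substitution done by a ~/.ssh/config Host stanza, the host/<name>@REALM principal the Kerberos client asks for with dns_canonicalize_hostname on or off, and whether a KDC that knows only the FQDN principals (plus any aliases) can find it. The realm, DNS records and KDC contents are constructed for the example, as is the poisoned DNS entry used to show why canonicalization was turned off.

```python
"""Model of the GSSAPI target derivation behind `ssh <name>`.

Added example; not FreeIPA/krb5 code.  Realm, DNS data and KDC
contents are constructed to match the scenario in the ticket.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"  # assumed default_realm / domain_realm mapping

# Constructed stand-ins for the environment described in the ticket.
DNS = {  # what a DNS lookup returns; trusted only when canonicalizing
    "test1": "test1.example.com",
    "test2": "test2.example.com",
}
KDC_PRINCIPALS = {  # canonical host principals FreeIPA creates on enrollment
    "host/test1.example.com@EXAMPLE.COM",
    "host/test2.example.com@EXAMPLE.COM",
}


@dataclass
class ClientConfig:
    dns_canonicalize_hostname: bool                   # krb5.conf [libdefaults]
    ssh_aliases: dict = field(default_factory=dict)   # ~/.ssh/config: Host -> Hostname
    kdc_aliases: set = field(default_factory=set)     # extra principal names on the KDC


def ssh_target(typed_name, cfg):
    """Name OpenSSH hands to GSSAPI: the Hostname of a matching Host stanza,
    otherwise the name exactly as typed."""
    return cfg.ssh_aliases.get(typed_name, typed_name)


def krb5_service_principal(hostname, cfg, dns=DNS):
    """host/<name>@REALM as the Kerberos client requests it.

    dns_canonicalize_hostname = true: expand the name via DNS first, so a
    forged DNS answer steers the ticket request to another host.
    dns_canonicalize_hostname = false: use the name verbatim (the secure
    default the ticket complains about)."""
    if cfg.dns_canonicalize_hostname:
        hostname = dns.get(hostname, hostname)  # the spoofable step
    return f"host/{hostname.lower()}@{REALM}"


def kdc_lookup(principal, cfg):
    """True if the KDC knows the principal by canonical name or alias."""
    return principal in KDC_PRINCIPALS or principal in cfg.kdc_aliases


def gssapi_attempt(typed_name, cfg, dns=DNS):
    """Return (principal requested, found on KDC) for `ssh <typed_name>`."""
    principal = krb5_service_principal(ssh_target(typed_name, cfg), cfg, dns)
    return principal, kdc_lookup(principal, cfg)


if __name__ == "__main__":
    secure = ClientConfig(dns_canonicalize_hostname=False)
    print("short name, no canonicalization:", gssapi_attempt("test2", secure))
    print("FQDN, no canonicalization:      ",
          gssapi_attempt("test2.example.com", secure))
    # Workaround 1 from the thread: ~/.ssh/config "Host test2 / Hostname test2.example.com"
    with_ssh_alias = ClientConfig(False, ssh_aliases={"test2": "test2.example.com"})
    print("ssh_config alias:               ", gssapi_attempt("test2", with_ssh_alias))
    # Workaround 2 from the thread: a principal alias registered on the KDC side
    with_kdc_alias = ClientConfig(False, kdc_aliases={"host/test2@EXAMPLE.COM"})
    print("KDC principal alias:            ", gssapi_attempt("test2", with_kdc_alias))
    # Why the default changed: canonicalization trusts whatever DNS says.
    poisoned = dict(DNS, test2="evil.example.com")  # constructed forged answer
    legacy = ClientConfig(dns_canonicalize_hostname=True)
    print("canonicalization + forged DNS:  ", gssapi_attempt("test2", legacy, poisoned))
```

The first call reproduces the ticket's error path: with canonicalization off, `ssh test2` asks for host/test2@EXAMPLE.COM, which the KDC does not have. Both workarounds fix it without re-enabling DNS trust: the ssh_config alias changes the name before GSSAPI sees it, and the KDC-side alias makes the short principal resolvable (in FreeIPA that alias is added with `ipa host-add-principal`, as the linked blog post describes). The last call shows what the maintainers were avoiding: with canonicalization on, a forged DNS answer redirects the ticket request to a different enrolled host.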
