I've got a Kerberos v5 server set up on a Linux machine, and it's working very well when connecting to other hosts (using samba, ldap or ssh), for which there are principals in my kerberos database.

Can I use kerberos to authenticate against localhost though? And if I can, are there reasons why I shouldn't?

I haven't made a kerberos principal for localhost. I don't think I should; instead I think the principal should resolve to the machine's full hostname. Is that possible?

I'd ideally like a way to configure this on just one server (whether kerberos, DNS, or ssh), but if each machine needs some custom configuration, that'd work too.
e.g. $ ssh -v localhost
...
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/[email protected] not found in Kerberos database
...
EDIT:

So I had a bad /etc/hosts file. If I remember correctly, the original version I got with Ubuntu had two 127.0. IP addresses, something like:

127.0.0.1 localhost
127.0.*1*.1 hostname

For no good reason, I'd changed mine a long time ago to:

127.0.0.1 localhost
127.0.*0*.1 hostname.example.com hostname

This seemed to work fine with everything until I tried out ssh with kerberos (a recent endeavour). Somehow this configuration led to sshd resolving the machine's kerberos principal to "host/localhost@\n", which I suppose makes sense if it uses /etc/hosts for forward and reverse dns lookups in preference to external dns. So I commented out the latter line, and sshd magically started authenticating with gssapi-with-mic. Awesome. (Then I investigated localhost and asked the question.)
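The /etc/hosts round trip described in the edit, as an added example that is not part of the original post: the server's FQDN is resolved forward to an address, the address is resolved back to a name, and that name is what ends up in the host/&lt;name&gt;@REALM principal the KDC is asked for. The "first matching line wins, first name on it is canonical" rule is an assumption that mirrors the glibc files backend; only the supplied hosts data is consulted, never DNS. The two sample hosts layouts and the hostname.example.com name are constructed to match the question.

```shell
#!/bin/sh
# Added example, not from the original post. Models the /etc/hosts forward and
# reverse lookups that decide which host/<name> principal sshd's GSSAPI code
# asks the KDC for. Assumption: the first matching line wins and the first
# name on it is the canonical name (glibc files backend behaviour); no DNS.

# forward_addr <name> <hosts-data>: address of the first line listing NAME
forward_addr() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# reverse_name <addr> <hosts-data>: canonical (first) name on the first line for ADDR
reverse_name() {
    printf '%s\n' "$2" | awk -v addr="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == addr { print $2; exit }'
}

# principal_name <fqdn> <hosts-data>: the host/<name> service principal the
# round trip yields; if the FQDN is not in the file at all the name is kept
# (it would fall through to DNS on a real system)
principal_name() {
    addr=$(forward_addr "$1" "$2")
    if [ -z "$addr" ]; then
        printf 'host/%s\n' "$1"
        return
    fi
    printf 'host/%s\n' "$(reverse_name "$addr" "$2")"
}

# check_hosts <fqdn> <hosts-data>: "ok" when the round trip preserves the FQDN,
# otherwise a diagnostic naming the principal the KDC would be asked for
check_hosts() {
    got=$(principal_name "$1" "$2")
    if [ "$got" = "host/$1" ]; then
        echo "ok: $1 round-trips through /etc/hosts"
    else
        echo "bad: $1 canonicalises to $got, which the KDC has no key for"
        return 1
    fi
}

# Constructed sample hosts files reproducing the two layouts from the question
BAD_HOSTS='127.0.0.1 localhost
127.0.0.1 hostname.example.com hostname'

GOOD_HOSTS='127.0.0.1 localhost
127.0.1.1 hostname.example.com hostname'

# Usage: sh check_hosts.sh --demo   (prints one "bad" and one "ok" line)
if [ "${1:-}" = "--demo" ]; then
    check_hosts hostname.example.com "$BAD_HOSTS" || true
    check_hosts hostname.example.com "$GOOD_HOSTS"
fi
```

To run the same check against a live machine, pass `"$(hostname -f)"` and `"$(cat /etc/hosts)"` to check_hosts; a "bad" result with host/localhost is exactly the symptom in the ssh -v output above.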