I have several *nix routers that have multiple IP addresses. They are running WireGuard and BGP to announce two address ranges under two different ASNs. For example: a machine called `pis1.us.nodes.<domain>` has `111.111.111.111` (public IP used for WireGuard endpoints, not under my ASN), `fd3f:a1f1::1` (announced IP under my ASN 1) and `2404:f4c0::1` (announced IP under my ASN 2). To simplify management, I decided to add DNS records to them under a certain pattern: `ge-<network name>.<hostname>`.
Thus, a machine named `pis1.us.nodes.<domain>` will have four DNS records:

```
ge-tunnel.pis1.us.nodes.<domain> IN A    111.111.111.111
ge-net1.pis1.us.nodes.<domain>   IN AAAA fd3f:a1f1::1
ge-net2.pis1.us.nodes.<domain>   IN AAAA 2404:f4c0::1
pis1.us.nodes.<domain>           CNAME   ge-net2.pis1.us.nodes
```
I need to access the server using all of these addresses, so that in case one network fails, I can still connect to it using SSH and fix it.
The problem is, I am using Kerberos to do SSO. The hostname of that machine is `pis1.us.nodes.<domain>`, and so is its `host/` principal in the Kerberos database. I combined SSH with GSSAPI, so whenever I type `ssh pis1.us.nodes.<domain>` it will work without issues.
However, if I need to connect to the host using any of the `ge-xxx` domains, SSH will not be able to find that (`ge-xxx`) principal in the Kerberos database, resulting in an authentication failure.
Do I need to create principals for all of these domain names? Are there better solutions to this case? Thanks a lot.
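The mismatch described in the question, as an added model that is not part of the original post: it parses the zone records above (with `<domain>` replaced by the constructed `example.net` and an assumed realm `EXAMPLE.NET`), derives the `host/<name>@REALM` principal an SSH client will request for each name, and lists the names a keytab holding only the canonical hostname's principal cannot serve. The assumption is that the client requests `host/<name as typed>`; the `canonicalize` flag models a client or Kerberos library configured to resolve the name through DNS first, which turns the CNAME into a second failure mode.

```python
# Added example: which host principal GSSAPI/SSH asks for on a multi-homed node,
# and which DNS names the keytab leaves uncovered. Realm, domain and keytab
# contents are constructed assumptions, not values from the post.
from typing import Dict, List, Tuple

REALM = "EXAMPLE.NET"  # assumed realm name

# Constructed zone data following the post's ge-<network>.<hostname> pattern.
ZONE = """
ge-tunnel.pis1.us.nodes.example.net. IN A     111.111.111.111
ge-net1.pis1.us.nodes.example.net.   IN AAAA  fd3f:a1f1::1
ge-net2.pis1.us.nodes.example.net.   IN AAAA  2404:f4c0::1
pis1.us.nodes.example.net.           IN CNAME ge-net2.pis1.us.nodes.example.net.
"""


def parse_zone(text: str) -> Dict[str, Tuple[str, str]]:
    """Map owner name -> (record type, rdata); trailing dots are normalised away."""
    records: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "IN":
            continue  # skip blank or malformed lines
        owner, rtype, rdata = parts[0], parts[2], parts[3]
        records[owner.rstrip(".").lower()] = (rtype, rdata.rstrip(".").lower())
    return records


def canonical_name(name: str, zone: Dict[str, Tuple[str, str]]) -> str:
    """Follow CNAME records to the final owner name, the way a resolver would."""
    seen = set()
    while name in zone and zone[name][0] == "CNAME" and name not in seen:
        seen.add(name)  # guard against CNAME loops
        name = zone[name][1]
    return name


def requested_principal(typed: str, zone, canonicalize: bool = False) -> str:
    """Principal the client asks the KDC for: host/<fqdn>@REALM (assumed behaviour)."""
    name = typed.rstrip(".").lower()
    if canonicalize:
        name = canonical_name(name, zone)
    return f"host/{name}@{REALM}"


def uncovered_names(zone, keytab: List[str], canonicalize: bool = False) -> List[str]:
    """Names in the zone whose GSSAPI login would fail against this keytab."""
    return [n for n in sorted(zone)
            if requested_principal(n, zone, canonicalize) not in keytab]
```

Running `uncovered_names(parse_zone(ZONE), ["host/pis1.us.nodes.example.net@EXAMPLE.NET"])` returns the three `ge-*` names; with `canonicalize=True` the CNAME owner `pis1.us.nodes.example.net` is reported as well, because the request becomes `host/ge-net2...`.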