
I have several *nix routers that have multiple IP addresses. They are running WireGuard and BGP to announce two address ranges under two different ASNs. For example: a machine called pis1.us.nodes.<domain> has 111.111.111.111 (public IP used for WireGuard endpoints, not under my ASN), fd3f:a1f1::1 (announced IP under my ASN 1) and 2404:f4c0::1 (announced IP under my ASN 2). To simplify management, I decided to add DNS records to them under a certain pattern: ge-<network name>.<hostname>.

Thus, a machine named pis1.us.nodes.<domain> will have four DNS records:

  • ge-tunnel.pis1.us.nodes.<domain> IN A 111.111.111.111
  • ge-net1.pis1.us.nodes.<domain> IN AAAA fd3f:a1f1::1
  • ge-net2.pis1.us.nodes.<domain> IN AAAA 2404:f4c0::1
  • pis1.us.nodes.<domain> CNAME ge-net2.pis1.us.nodes

I need to access the server using all of these addresses, so that in case one network fails I can still connect to it using SSH and fix it.

The problem is, I am using Kerberos to do SSO. The hostname of that machine is pis1.us.nodes.<domain>, and so is its host/ principal in the Kerberos database. I combined SSH with GSSAPI, so whenever I type ssh pis1.us.nodes.<domain> it works without issues.

However, if I need to connect to the host using any of the ge-xxx domains, SSH will not be able to find that (ge-xxx) principal in the Kerberos database, resulting in an authentication failure.

Do I need to create principals for all of these domain names? Are there better solutions to this case? Thanks a lot.

  • You could configure reverse DNS for all of your host's IP addresses, pointing to the canonical name. Most non-AD Kerberos implementations always use rDNS as part of the name canonicalization.

    (The rDNS entries do not have to be global; they only need to be visible to the client. As long as the client can look them up, they don't even need to be in DNS – in case you want to put them in /etc/hosts or LDAP ipHost entries.)

  • You could indeed create multiple principals, add all of them to the system keytab, and enable the krb5.conf ignore_acceptor_hostname option – now the service will accept tickets encrypted with any key found in the keytab. (You could use GSSAPIStrictAcceptorCheck in sshd_config, but they do the same thing.)

  • If you're using MIT Kerberos as the KDC, its LDAP backend supports principal aliases (by means of LDAP alias objects) – a single entry can have multiple principal names, sharing the same keys. This would make it enough to have just one keytab entry, although you would still need the "ignore acceptor" options above.

    (The file DB backend in MIT Krb5 does not support aliases, only the kldap backend does. Heimdal Kerberos seems to have modify --alias in kadmin.)

    When using Active Directory as the KDC, multiple servicePrincipalName attributes can be assigned to the same account; AD already relies heavily on this.

  • You could trick the SSH client by always specifying the canonical name of the server, but using ProxyCommand to establish a socket to a different address than the domain name actually points to.
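Added illustration (not part of the answer above and not MIT Kerberos code): a small Python model of the name handling the answer describes, showing why `ssh ge-net1.…` fails with the default setup and how the rDNS option and the multi-principal plus ignore_acceptor_hostname option each repair it. The domain `example.net`, realm `EXAMPLE.NET` and the forward/reverse tables are constructed placeholders for the question's `<domain>`.

```python
# Model of the client-side principal lookup and the sshd acceptor check for the
# host in the question.  Constructed data; real behaviour is in libkrb5 and sshd.

REALM = "EXAMPLE.NET"
CANONICAL = "pis1.us.nodes.example.net"  # placeholder for pis1.us.nodes.<domain>

# Forward records from the question (constructed addresses as given there).
FORWARD = {
    "ge-tunnel.pis1.us.nodes.example.net": "111.111.111.111",
    "ge-net1.pis1.us.nodes.example.net": "fd3f:a1f1::1",
    "ge-net2.pis1.us.nodes.example.net": "2404:f4c0::1",
    CANONICAL: "2404:f4c0::1",  # the CNAME resolves to ge-net2's address
}

# Reverse tables: none configured, versus every address pointing at the canonical
# name (the answer's first option).
RDNS_NONE = {}
RDNS_CANON = {addr: CANONICAL for addr in FORWARD.values()}


def client_principal(typed_name, rdns):
    """Service principal the client requests from the KDC.

    With MIT-style canonicalisation (rdns = true) the client resolves the typed
    name, looks up the PTR of the resulting address and uses that name if present;
    otherwise it keeps the name that was typed.
    """
    addr = FORWARD[typed_name]
    host = rdns.get(addr, typed_name)
    return f"host/{host}@{REALM}"


def sshd_accepts(principal, keytab, ignore_acceptor_hostname=False):
    """Acceptor side of sshd's GSSAPI exchange.

    Default (strict) check: the ticket must be for host/<canonical hostname>.
    With ignore_acceptor_hostname (or GSSAPIStrictAcceptorCheck no) any principal
    whose key is in the system keytab is accepted.
    """
    if ignore_acceptor_hostname:
        return principal in keytab
    return principal == f"host/{CANONICAL}@{REALM}" and principal in keytab


def login_works(typed_name, rdns, keytab, ignore_acceptor_hostname=False):
    """True if `ssh typed_name` would authenticate via GSSAPI under this setup."""
    return sshd_accepts(client_principal(typed_name, rdns), keytab,
                        ignore_acceptor_hostname)
```

Run it with a keytab holding only `host/pis1…` to see the ge-* names fail unless rDNS points at the canonical name, then with all four principals in the keytab to see that ignore_acceptor_hostname is still required.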
