1. Forum
  2. USENET
  3. comp.protocols.kerberos

  • Strange behavior with mixed case host name/principal

    From Jafar Aliev@tubecleaner@gmail.com to kerberos on Fri Apr 18 19:41:53 2025
    From Newsgroup: comp.protocols.kerberos

    Good day.
    My setup:
    rhel-based distro
    OpenSSH_8.9p1 sshd
    kerberos-libs 1.20.1
    sssd 2.8.2

    Server joined the Windows AD via realm. Authentication from windows
    client (putty 0.71) via password works well, but GSSAPI fails with
    error (sshd logs):

    No credentials were supplied, or the credentials were unavailable or inaccessible\nNo key table entry found matching
    host/SERVER.domain.local@

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    4 SERVER$@DOMAIN.LOCAL
    4 SERVER$@DOMAIN.LOCAL
    4 host/SERVER@DOMAIN.LOCAL
    4 host/SERVER@DOMAIN.LOCAL
    4 host/SERVER.domain.local@DOMAIN.LOCAL
    4 host/SERVER.domain.local@DOMAIN.LOCAL
    4 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
    4 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
    4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL
    4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL

    $hostname -f
    SERVER.domain.local

    $dig +short -x <IP>
    SERVER.domain.local

    krb5.conf
    =======
    includedir /etc/krb5.conf.d/
    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    default_keytab_name = FILE:/etc/krb5.keytab
    [realms]
    [domain_realm]

    Workarounds with sshd_conf
    GSSAPIStrictAcceptorCheck no
    or krb5.conf
    ignore_acceptor_hostname = true
    work well, but I want to keep a strict hostname check.

    Well, I have found if I using all-small case hostname all works well :

    $hostname -f
    server.domain.local

    $dig +short -x <IP>
    server.domain.local

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    2 SERVER$@DOMAIN.LOCAL
    2 SERVER$@DOMAIN.LOCAL
    2 host/SERVER@DOMAIN.LOCAL
    2 host/SERVER@DOMAIN.LOCAL
    2 host/server.domain.local@DOMAIN.LOCAL
    2 host/server.domain.local@DOMAIN.LOCAL
    2 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
    2 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
    2 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL
    2 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL


    Apr 18 19:37:54 server.domain.local sshd[51224]: Authorized to jafar@domain.local, krb5 principal jafar@DOMAIN.LOCAL
    (ssh_gssapi_krb5_cmdok)
    Apr 18 19:37:55 server.domain.local sshd[51224]: Accepted
    gssapi-with-mic for jafar@domain.local from 10.*.*.* port 57997 ssh2: jafar@DOMAIN.LOCAL
    Apr 18 19:37:55 server.domain.local sshd[51224]:
    pam_unix(sshd:session): session opened for user
    jafar@domain.local(uid=***) by (uid=0)


    Is it predefined behavior or I don't understand something?
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Jafar Aliev@tubecleaner@gmail.com to Ken Hornstein on Fri Apr 18 21:25:37 2025
    From Newsgroup: comp.protocols.kerberos

    Ken, thank you for the fast response.

    Your answer almost fulfills my request. I'll incorporate extra checks
    in our playbooks to strict hostname cases.

    One small splinter will remain: why kerberos lib indicates error with
    exact host principal name that it has in keytab.

    p.s. My old RHEL 7.9 setup also doesn't have this problem: it
    lowercase hostname before requests for tickets.

    On Fri, Apr 18, 2025 at 8:30rC>PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

    Workarounds with sshd_conf
    GSSAPIStrictAcceptorCheck no
    or krb5.conf
    ignore_acceptor_hostname = true
    work well, but I want to keep a strict hostname check.

    Why, exactly? There are a few multi-homed situations where this
    can cause security issues but I don't think they apply here.

    There aren't wonderful solutions for this situation other than turning
    off strict acceptor checking. The DNS is case-PRESERVING, but case-insensitive in lookup, so "SERVER" and "server" are treated as
    being identical when it comes to hostname lookup. RFC 4120 recommends folding names to lowercase; that happens sometimes based on a particular Kerberos implementation (in MIT Kerberos that happens when the hostname
    is canonicalized in the function krb5_sname_to_principal() which is
    called by most higher-level APIs such as the GSSAPI).

    --Ken
    --
    -Y-#-+-+-a-c-e-+-| -+-+-|-|-+-#-+-+-A,
    -o-|-#-a-#-C -E-+-+-|-#
    http://jafar.ru

    --- Synchronet 3.21d-Linux NewsLink 1.2