Bug 635440

Summary: The auto adding of the hostname to /etc/hosts breaks SSH GSSAPI
Product: [Fedora] Fedora
Reporter: Colin.Simpson
Component: NetworkManager
Assignee: Dan Williams <dcbw>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 14
CC: csieh, dcbw, orion, rom, steved
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-10 18:00:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Colin.Simpson 2010-09-19 14:35:53 EDT
Description of problem:

There has been a recent change to NetworkManager that causes it to add the hostname and IP address of the machine to /etc/hosts, e.g.

	fedoratest	# Added by NetworkManager

This breaks GSSAPI Kerberos authentication to sshd. This is because Kerberos relies on fully qualified names to work (and consistency between forward and reverse resolves). 

Some may say you should set the hostname of your machine to be fully qualified. I believe this is however the incorrect thing to do (no idea what the recommendation is in RHEL docs). Not only is it ugly, but on a large corporate (perhaps global) network there may well be multiple DNS zones in use, and so a machine booted will have no way of knowing which zone it's on (so it shouldn't be fixed on the machine); it will be registered in DNS by a DHCP server on the local zone it's currently plugged into. Though this corporate scenario will, I guess, likely cause issues with your host principals too, off your "home" LAN.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Try to ssh to a machine with NetworkManager which previously had a working GSSAPI sshd setup.
2. Get prompted for a password (you shouldn't)
3. On the machine you are trying to ssh into, remove the Network Manager added line from /etc/hosts
4. Restart sshd service
5. ssh to this machine again.
6. Get straight in without being prompted for a password.

Additional info:

Has this made it into RHEL 6, that may cause quite a few sites to have issues (GSSAPI ssh is pretty common)?

One way around this I'd have thought would probably be to get the GSSAPI/Kerberos libraries to be more forgiving (or more persistent) in finding out the truth of a hosts fully qualified status.
Comment 1 Orion Poplawski 2011-01-04 15:39:08 EST
It appears that the adding of the hostname in the ipv6 loopback line:

::1     athena  localhost6.localdomain6 localhost6

also breaks GSSAPI.
Comment 2 Steve Dickson 2011-01-05 15:30:42 EST
A work around for this problem is to turn off reverse DNS by setting
'rdns = false' in the libdefaults section in /etc/krb5.conf.

We really need to come up with a real solution for this problem.
Comment 3 Colin.Simpson 2011-01-06 05:23:30 EST
I have a workaround of adding a script to /etc/NetworkManager/dispatcher.d/

#!/bin/sh
# Drop the NetworkManager-added hostname line and the ::1 line from /etc/hosts
grep -v "Added by NetworkManager" /etc/hosts | grep -v '^::1' >/etc/hosts.edit
mv -f /etc/hosts.edit /etc/hosts
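To make the failure described in the Description and Comment 1 concrete, and to show a cleanup that is more selective than the two-grep dispatcher script in Comment 3, here is an added Python model that is not code from this bug, from NetworkManager, from sshd or from MIT krb5. It assumes a files-then-dns nsswitch order, models krb5's default host-principal canonicalisation (forward lookup, then reverse lookup of the resulting address), and uses constructed /etc/hosts bodies, hostnames, addresses, realm and static "DNS" tables; the rdns=false knob from Comment 2 is not modelled.

```python
"""Added illustration for this bug report, not NetworkManager, sshd or krb5 code.
Models how an /etc/hosts line mapping the short hostname to an address shadows
DNS and changes the host principal a Kerberos acceptor derives, plus a cleanup
that removes only what NetworkManager added. Hosts bodies, names, addresses and
the static "DNS" tables are constructed; nsswitch order is assumed to be files
then dns; the rdns=false workaround from Comment 2 is not modelled."""

SEARCH_DOMAIN = "example.com"   # constructed resolv.conf search domain
REALM = "EXAMPLE.COM"           # constructed Kerberos realm
HOSTNAME = "fedoratest"         # short hostname, as in the report
KEYTAB_PRINCIPAL = "host/fedoratest.example.com@EXAMPLE.COM"  # what the keytab holds
NM_TAG = "Added by NetworkManager"
LOOPBACK = ("127.0.0.1", "::1")

# Constructed DNS: forward and reverse records agree, as Kerberos requires.
DNS_FORWARD = {"fedoratest.example.com": "192.0.2.10"}
DNS_REVERSE = {"192.0.2.10": "fedoratest.example.com"}

HOSTS_CLEAN = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
"""
# Description and Comment 1: a tagged hostname line plus the hostname on ::1.
HOSTS_NM = """\
127.0.0.1   localhost.localdomain localhost
192.0.2.10  fedoratest   # Added by NetworkManager
::1         fedoratest localhost6.localdomain6 localhost6
"""
# Comment 1 alone: only the ::1 line carries the hostname.
HOSTS_V6 = """\
127.0.0.1   localhost.localdomain localhost
::1         fedoratest localhost6.localdomain6 localhost6
"""


def parse_hosts(text):
    """Return [(addr, [names...], raw_line)] for each line with an address and names."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if len(body) > 1:
            entries.append((body[0], body[1:], raw))
    return entries


def forward_lookup(hosts, name):
    """files then dns: (canonical_name, addr) or None. glibc takes the first
    name on a matching /etc/hosts line as the canonical name."""
    for addr, names, _ in hosts:
        if name in names:
            return names[0], addr
    for candidate in (name, f"{name}.{SEARCH_DOMAIN}"):
        if candidate in DNS_FORWARD:
            return candidate, DNS_FORWARD[candidate]
    return None


def reverse_lookup(hosts, addr):
    """files then dns: a name or None."""
    for a, names, _ in hosts:
        if a == addr:
            return names[0]
    return DNS_REVERSE.get(addr)


def host_principal(hosts, hostname=HOSTNAME):
    """Model of krb5 sname_to_principal with reverse lookup on: canonicalise
    forward, use the reverse name of the first address if that resolves, then
    lowercase and strip a trailing dot."""
    found = forward_lookup(hosts, hostname)
    if found is None:
        raise LookupError(f"cannot resolve {hostname}")
    canon, addr = found
    canon = reverse_lookup(hosts, addr) or canon
    return f"host/{canon.lower().rstrip('.')}@{REALM}"


def audit(text, hostname=HOSTNAME):
    """Principal sshd would look for, whether the keytab has it, and NM-tagged lines."""
    hosts = parse_hosts(text)
    principal = host_principal(hosts, hostname)
    return {"principal": principal,
            "ok": principal == KEYTAB_PRINCIPAL,
            "nm_lines": [raw for _, _, raw in hosts if NM_TAG in raw]}


def clean_hosts(text, hostname=HOSTNAME):
    """Undo the NetworkManager edit: drop tagged lines and strip only the hostname
    token from loopback lines, so localhost6 survives (the two-grep script in
    Comment 3 deletes the entire ::1 line)."""
    out = []
    for raw in text.splitlines():
        if NM_TAG in raw:
            continue
        fields, _, comment = raw.partition("#")
        body = fields.split()
        if len(body) > 1 and body[0] in LOOPBACK and hostname in body[1:]:
            names = [n for n in body[1:] if n != hostname]
            if not names:
                continue
            raw = f"{body[0]:<11} {' '.join(names)}" + (f" #{comment}" if comment else "")
        out.append(raw)
    return "\n".join(out) + "\n"
```

With the clean hosts file, `audit(HOSTS_CLEAN)` resolves the short name through DNS and arrives at host/fedoratest.example.com@EXAMPLE.COM, which the keytab holds; with either NetworkManager-edited file the /etc/hosts entry wins and the acceptor ends up looking for host/fedoratest@EXAMPLE.COM instead. `clean_hosts(HOSTS_NM)` returns the clean file byte for byte, including the localhost6 names that the two-grep script would have discarded along with the ::1 line.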
Comment 4 Dan Williams 2011-01-10 18:00:48 EST

*** This bug has been marked as a duplicate of bug 648725 ***