Red Hat Bugzilla – Full Text Bug Listing
|Summary:||The auto adding of the hostname to /etc/hosts breaks SSH GSSAPI|
|Product:||[Fedora] Fedora||Reporter:||Colin Simpson <csimpson>|
|Component:||NetworkManager||Assignee:||Dan Williams <dcbw>|
|Status:||CLOSED DUPLICATE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||14||CC:||csieh, dcbw, orion, rom, steved|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2011-01-10 18:00:48 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Colin Simpson 2010-09-19 14:35:53 EDT
Description of problem:
There has been a recent change to NetworkManager that causes it to add the hostname and IP address of the machine to /etc/hosts, e.g.

10.50.54.226 fedoratest # Added by NetworkManager

This breaks GSSAPI Kerberos authentication to sshd. This is because Kerberos relies on fully qualified names to work (and consistency between forward and reverse resolves). Some may say you should set the hostname of your machine to be fully qualified. I believe this is however the incorrect thing to do (no idea what the recommendation is in RHEL docs). Not only is it ugly, but on a large corporate (perhaps global) network there may well be multiple DNS zones in use and so a machine booted will have no way of knowing which zone it's on (so it shouldn't be fixed on the machine); it will be registered in DNS by a DHCP server on the local zone it's currently plugged into. Though this corporate scenario will I guess likely cause issues with your host principals too, off your "home" LAN.

Version-Release number of selected component (if applicable):
NetworkManager-0.8.1-6.git20100831.fc13.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Try to ssh to a machine with NetworkManager which previously had a working GSSAPI sshd setup.
2. Get prompted for a password (you shouldn't).
3. On the machine you are trying to ssh into, remove the NetworkManager-added line from /etc/hosts.
4. Restart the sshd service.
5. ssh to this machine again.
6. Get straight in without being prompted for a password.

Additional info:
Has this made it into RHEL 6? That may cause quite a few sites to have issues (GSSAPI ssh is pretty common). One way around this, I'd have thought, would probably be to get the GSSAPI/Kerberos libraries to be more forgiving (or more persistent) in finding out the truth of a host's fully qualified status.
Comment 1 Orion Poplawski 2011-01-04 15:39:08 EST
It appears that the adding of the hostname in the ipv6 loopback line:

::1 athena localhost6.localdomain6 localhost6

also breaks GSSAPI.
Comment 2 Steve Dickson 2011-01-05 15:30:42 EST
A workaround for this problem is to turn off reverse DNS by setting 'rdns = false' in the libdefaults section in /etc/krb5.conf. We really need to come up with a real solution for this problem.
Comment 3 Colin Simpson 2011-01-06 05:23:30 EST
I have a workaround of adding a script to /etc/NetworkManager/dispatcher.d/:

#!/bin/sh
# Drop the NetworkManager-added hostname line and the ::1 line, then swap the edited copy into place
grep -v "Added by NetworkManager" /etc/hosts | grep -v '^::1' >/etc/hosts.edit
mv -f /etc/hosts.edit /etc/hosts
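A check an administrator can run before relying on GSSAPI sshd, covering both the "Added by NetworkManager" line from the description and the ::1 line from comment 1: it flags /etc/hosts entries where the machine's short hostname is the canonical (first) name with no domain part, and shows the corrected form with the FQDN first. This is an added example, not code from the bug report or from NetworkManager; the sample hosts content and the domain example.com are constructed.

```python
"""Lint /etc/hosts for the entries this bug describes: the machine's short
hostname placed as the first (canonical) name on a line, which makes name
canonicalization yield the short name instead of the DNS FQDN.
Added example, not from the bug report; sample content is constructed."""


def parse_hosts(text):
    """Return [(address, [names], comment)] for each non-blank entry."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if fields:
            entries.append((fields[0], fields[1:], comment.strip()))
    return entries


def find_breaking_entries(text, hostname):
    """Return (address, canonical_name) for lines that list the short
    hostname while the canonical (first) name carries no domain part."""
    short = hostname.split(".")[0]
    return [(addr, names[0]) for addr, names, _ in parse_hosts(text)
            if names and short in names and "." not in names[0]]


def rewrite_hosts(text, hostname, fqdn):
    """Return a corrected hosts file: the short name is dropped from the
    ::1 loopback line and every other flagged line gets the FQDN first."""
    short = hostname.split(".")[0]
    out = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if fields and short in fields[1:] and "." not in fields[1]:
            names = [n for n in fields[1:] if n != short]
            if fields[0] == "::1":
                new = [fields[0]] + names
            else:
                new = [fields[0], fqdn, short] + [n for n in names if n != fqdn]
            comment = comment.strip()
            raw = " ".join(new) + (f" # {comment}" if comment else "")
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample resembling the description (line 3) and comment 1 (line 2).
HOSTS_SAMPLE = """\
127.0.0.1    localhost.localdomain localhost
::1          fedoratest localhost6.localdomain6 localhost6
10.50.54.226 fedoratest # Added by NetworkManager
"""

if __name__ == "__main__":
    for addr, name in find_breaking_entries(HOSTS_SAMPLE, "fedoratest"):
        print(f"{addr}: canonical name {name!r} has no domain part")
    print(rewrite_hosts(HOSTS_SAMPLE, "fedoratest", "fedoratest.example.com"))
```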