Bug 635440 - The auto adding of the hostname to /etc/hosts breaks SSH GSSAPI
Summary: The auto adding of the hostname to /etc/hosts breaks SSH GSSAPI
Keywords:
Status: CLOSED DUPLICATE of bug 648725
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 14
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-19 18:35 UTC by Colin.Simpson
Modified: 2011-01-11 19:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-10 23:00:48 UTC
Type: ---
Embargoed:



Description Colin.Simpson 2010-09-19 18:35:53 UTC
Description of problem:

There has been a recent change to NetworkManager that causes it to add the hostname and IP address of the machine to /etc/hosts, e.g.:

10.50.54.226	fedoratest	# Added by NetworkManager

This breaks GSSAPI Kerberos authentication to sshd. This is because Kerberos relies on fully qualified names to work (and consistency between forward and reverse resolves). 

Some may say you should set the hostname of your machine to be fully qualified. I believe this is however the incorrect thing to do (no idea what the recommendation is in RHEL docs). Not only is it ugly, but on a large corporate (perhaps global) network there may well be multiple DNS zones in use and so a machine booted will have no way of knowing which zone it's on (so it shouldn't be fixed on the machine), it will be registered in DNS by a DHCP server on the local zone it's currently plugged into. Though this corporate scenario will I guess likely cause issues with your host principals too, off your "home" LAN.


Version-Release number of selected component (if applicable):
NetworkManager-0.8.1-6.git20100831.fc13.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Try to ssh to a machine with NetworkManager which previously had a working setup GSSAPI sshd.
2. Get prompted for a password (you shouldn't)
3. On the machine you are trying to ssh into, remove the Network Manager added line from /etc/hosts
4. Restart sshd service
5. ssh to this machine again.
6. Get straight in without being prompted for a password.
  
Additional info:

Has this made it into RHEL 6, that may cause quite a few sites to have issues (GSSAPI ssh is pretty common)?

One way around this I'd have thought would probably be to get the GSSAPI/Kerberos libraries to be more forgiving (or more persistent) in finding out the truth of a host's fully qualified status.

Comment 1 Orion Poplawski 2011-01-04 20:39:08 UTC
It appears that the adding of the hostname in the ipv6 loopback line:

::1     athena  localhost6.localdomain6 localhost6

also breaks GSSAPI.

Comment 2 Steve Dickson 2011-01-05 20:30:42 UTC
A work around for this problem is to turn off reverse DNS by setting
'rdns = false' in the libdefaults section in /etc/krb5.conf.

We really need to come up with a real solution for this problem.

Comment 3 Colin.Simpson 2011-01-06 10:23:30 UTC
I have a workaround of adding a script to /etc/NetworkManager/dispatcher.d/

#!/bin/sh
# Drop the lines NetworkManager added and the ::1 line, then replace /etc/hosts
grep -v "Added by NetworkManager" /etc/hosts | grep -v '^::1' >/etc/hosts.edit
mv -f /etc/hosts.edit /etc/hosts

Comment 4 Dan Williams 2011-01-10 23:00:48 UTC

*** This bug has been marked as a duplicate of bug 648725 ***
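
A check for the condition reported above, as an added example that is not part of the original bug report: it flags hosts-file lines that list the machine's name and whose first name, which the glibc "files" lookup returns as the canonical name, is not fully qualified. The function names, the `example.com` domain and the sample lines are constructed for illustration; the two flagged shapes are the ones quoted in the description and in comment 1.

```shell
#!/bin/sh
# Added example (not from the bug report): find hosts-file entries that make
# an unqualified name the canonical name for this machine.

# flag_short_canonical HOSTNAME < hosts-file
# Prints "<lineno>: <line>" for each entry that lists HOSTNAME (short or
# qualified) and whose first name after the address contains no dot.
flag_short_canonical() {
    awk -v host="${1%%.*}" '
    BEGIN { host = tolower(host) }
    {
        line = $0
        sub(/#.*/, "")                 # drop trailing comment, re-split fields
        if (NF < 2) next               # blank, comment-only or address-only
        mentions = 0
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (name == host || index(name, host ".") == 1) mentions = 1
        }
        # $2 is the canonical name; the remaining fields are aliases.
        if (mentions && index($2, ".") == 0)
            printf "%d: %s\n", NR, line
    }'
}

# Constructed sample input: the two line shapes quoted in this report plus a
# form with the qualified name first (example.com is a placeholder domain).
sample_hosts() {
    printf '%s\n' \
        '127.0.0.1   localhost.localdomain localhost' \
        '::1     athena  localhost6.localdomain6 localhost6' \
        '10.50.54.226 fedoratest # Added by NetworkManager' \
        '10.50.54.226    fedoratest.example.com fedoratest'
}

# Demo on the sample. On a real host: flag_short_canonical "$(hostname)" < /etc/hosts
sample_hosts | flag_short_canonical fedoratest
sample_hosts | flag_short_canonical athena
```

An empty result means no entry puts the short name first; any printed line is a candidate for the password prompt described in the steps to reproduce.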

