Bug 635440 - The auto adding of the hostname to /etc/hosts breaks SSH GSSAPI
Status: CLOSED DUPLICATE of bug 648725
Product: Fedora
Classification: Fedora
Component: NetworkManager
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-09-19 14:35 EDT by Colin.Simpson
Modified: 2011-01-11 14:36 EST
Doc Type: Bug Fix
Last Closed: 2011-01-10 18:00:48 EST

Attachments: None
Description Colin.Simpson 2010-09-19 14:35:53 EDT
Description of problem:

There has been a recent change to NetworkManager that causes it to add the hostname and IP address of the machine to /etc/hosts, e.g.

    fedoratest    # Added by NetworkManager

This breaks GSSAPI Kerberos authentication to sshd. This is because Kerberos relies on fully qualified names to work (and consistency between forward and reverse resolves). 

Some may say you should set the hostname of your machine to be fully qualified. I believe this is, however, the incorrect thing to do (no idea what the recommendation is in RHEL docs). Not only is it ugly, but on a large corporate (perhaps global) network there may well be multiple DNS zones in use and so a machine booted will have no way of knowing which zone it's on (so it shouldn't be fixed on the machine); it will be registered in DNS by a DHCP server on the local zone it's currently plugged into. Though this corporate scenario will, I guess, likely cause issues with your host principals too, off your "home" LAN.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Try to ssh to a machine with NetworkManager which previously had a working GSSAPI sshd setup.
2. Get prompted for a password (you shouldn't be).
3. On the machine you are trying to ssh into, remove the Network Manager added line from /etc/hosts
4. Restart sshd service
5. ssh to this machine again.
6. Get straight in without being prompted for a password.
Additional info:

Has this made it into RHEL 6? That may cause quite a few sites to have issues (GSSAPI ssh is pretty common).

One way around this I'd have thought would probably be to get the GSSAPI/Kerberos libraries to be more forgiving (or more persistent) in finding out the truth of a host's fully qualified status.
Comment 1 Orion Poplawski 2011-01-04 15:39:08 EST
It appears that the adding of the hostname in the ipv6 loopback line:

::1     athena  localhost6.localdomain6 localhost6

also breaks GSSAPI.
Comment 2 Steve Dickson 2011-01-05 15:30:42 EST
A work around for this problem is to turn off reverse DNS by setting
'rdns = false' in the libdefaults section in /etc/krb5.conf.

We really need to come up with a real solution for this problem.
Comment 3 Colin.Simpson 2011-01-06 05:23:30 EST
I have a workaround of adding a script to /etc/NetworkManager/dispatcher.d/

#!/bin/sh
# Strip the NetworkManager-added hostname line and the ::1 loopback line
grep -v "Added by NetworkManager" /etc/hosts | grep -v '^::1' >/etc/hosts.edit
mv -f /etc/hosts.edit /etc/hosts
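The forward/reverse consistency the description talks about, the rdns = false knob from Comment 2 and the removal of the NetworkManager line from Comment 3, as an added example that is not part of this bug report and not code from NetworkManager, krb5 or OpenSSH: a small POSIX sh model of how glibc's "files" name-service backend canonicalises a name (first name on the matching /etc/hosts line) and how the Kerberos library turns that into the host/ principal sshd has to find in its keytab. The address 10.0.0.5, the realm EXAMPLE.COM, the hostnames, the keytab contents and the hosts tables are all constructed; the tables merge /etc/hosts with what DNS would answer, hosts lines first, as "hosts: files dns" in nsswitch.conf would.

```shell
#!/bin/sh
# Added example for this bug report, not code from the report or from
# NetworkManager/krb5/OpenSSH. Models glibc "files" lookups plus krb5 host
# principal canonicalisation. 10.0.0.5, EXAMPLE.COM, the hostnames and the
# keytab list are constructed assumptions.

# Forward lookup: first line that lists $2 among its names. Prints
# "<address> <canonical>", where the canonical name is the FIRST name on the
# matching line (what gethostbyname()/getaddrinfo(AI_CANONNAME) hand back).
hosts_forward() {
    printf '%s\n' "$1" | awk -v q="$2" '
        { sub(/#.*/, "") }                      # drop trailing comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == q) { print $1, $2; exit } }'
}

# Reverse lookup: first line whose address field is $2; prints its first name.
hosts_reverse() {
    printf '%s\n' "$1" | awk -v a="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && $1 == a { print $2; exit }'
}

# Model of krb5_sname_to_principal(): canonicalise the name by forward lookup,
# then, when rdns is true (the krb5.conf libdefaults default), replace it with
# the reverse lookup of the address. Prints host/<name>@<realm>.
# Usage: krb_host_principal "<hosts table>" <name> <REALM> true|false
krb_host_principal() {
    table=$1 name=$2 realm=$3 rdns=$4
    set -- $(hosts_forward "$table" "$name")
    [ $# -eq 2 ] || { echo "unresolvable:$name"; return 1; }
    addr=$1 canon=$2
    if [ "$rdns" = true ]; then
        r=$(hosts_reverse "$table" "$addr")
        if [ -n "$r" ]; then canon=$r; fi
    fi
    echo "host/$canon@$realm"
}

# Does the acceptor principal sshd derives exist in the (constructed) keytab?
KEYTAB_PRINCIPALS='host/fedoratest.example.com@EXAMPLE.COM'
accept_check() {
    p=$(krb_host_principal "$@") || { echo "$p"; return 1; }
    case " $KEYTAB_PRINCIPALS " in
        *" $p "*) echo "ok: $p" ;;
        *)        echo "FAIL: no keytab entry for $p"; return 1 ;;
    esac
}

# Constructed resolver view after NetworkManager edited /etc/hosts: the short
# name is the canonical name for 10.0.0.5 and is also what reverse lookup of
# that address returns. The last line stands in for the DNS A/PTR records.
HOSTS_NM='127.0.0.1   localhost.localdomain localhost
10.0.0.5    fedoratest    # Added by NetworkManager
10.0.0.5    fedoratest.example.com fedoratest'

# The same view after the NetworkManager line has been removed.
HOSTS_FIXED='127.0.0.1   localhost.localdomain localhost
10.0.0.5    fedoratest.example.com fedoratest'

for rdns in true false; do
    echo "--- rdns = $rdns"
    accept_check "$HOSTS_NM"    fedoratest.example.com EXAMPLE.COM "$rdns" || true
    accept_check "$HOSTS_NM"    fedoratest             EXAMPLE.COM "$rdns" || true
    accept_check "$HOSTS_FIXED" fedoratest             EXAMPLE.COM "$rdns" || true
done
```

In this model, a name that forward-resolves to the FQDN still collapses to host/fedoratest@EXAMPLE.COM once the reverse lookup hits the NetworkManager line, which is the case rdns = false rescues; a lookup that starts from the short name already gets the short name as its canonical form and fails under either rdns setting until the line is removed or the FQDN is listed first on it. A real system goes through nsswitch and the resolver rather than a single table, so treat this as a way to reason about the failure, not as a diagnostic tool.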
Comment 4 Dan Williams 2011-01-10 18:00:48 EST

*** This bug has been marked as a duplicate of bug 648725 ***
