Red Hat Bugzilla – Bug 635440
The auto adding of the hostname to /etc/hosts breaks SSH GSSAPI
Last modified: 2011-01-11 14:36:22 EST
Description of problem:
There has been a recent change to NetworkManager that causes it to add the hostname and IP address of the machine to /etc/hosts, e.g.
10.50.54.226 fedoratest # Added by NetworkManager
This breaks GSSAPI Kerberos authentication to sshd. This is because Kerberos relies on fully qualified names to work (and consistency between forward and reverse resolves).
Some may say you should set the hostname of your machine to be fully qualified. I believe this is however the incorrect thing to do (no idea what the recommendation is in RHEL docs). Not only is it ugly, but on a large corporate (perhaps global) network there may well be multiple DNS zones in use and so a machine booted will have no way of knowing which zone it's on (so it shouldn't be fixed on the machine); it will be registered in DNS by a DHCP server on the local zone it's currently plugged into. Though this corporate scenario will I guess likely cause issues with your host principals too, off your "home" LAN.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Try to ssh to a machine with NetworkManager which previously had a working GSSAPI sshd setup.
2. Get prompted for a password (you shouldn't)
3. On the machine you are trying to ssh into, remove the Network Manager added line from /etc/hosts
4. Restart sshd service
5. ssh to this machine again.
6. Get straight in without being prompted for a password.
Has this made it into RHEL 6? That may cause quite a few sites to have issues (GSSAPI ssh is pretty common).
One way around this I'd have thought would probably be to get the GSSAPI/Kerberos libraries to be more forgiving (or more persistent) in finding out the truth of a host's fully qualified status.
It appears that the adding of the hostname in the ipv6 loopback line:
::1 athena localhost6.localdomain6 localhost6
also breaks GSSAPI.
A workaround for this problem is to turn off reverse DNS by setting 'rdns = false' in the libdefaults section in /etc/krb5.conf.
We really need to come up with a real solution for this problem.
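To make the failure mode behind the rdns workaround concrete, here is an added example (not code from this bug report, NetworkManager or MIT krb5) that models how a Kerberos client derives the host/<name>@REALM service principal: a forward lookup of the target name, with /etc/hosts consulted before DNS as the usual nsswitch order does, and then, when rdns is enabled, a reverse lookup of the resulting address whose answer replaces the forward name. The hosts file contents, the DNS records, the realm EXAMPLE.COM, the search domain and the keytab are all constructed sample data, and the canonicalisation logic is a simplification of what libkrb5 actually does. With the NetworkManager line present, the reverse step maps 10.50.54.226 back to the unqualified name "fedoratest", so the client asks for host/fedoratest@EXAMPLE.COM, which the server's keytab does not contain; rdns = false keeps the fully qualified name from the forward lookup. The model also shows the caveat that a short target name ("fedoratest" rather than "fedoratest.example.com") hits the /etc/hosts entry in the forward step itself, which rdns = false does not undo.

```python
"""Simplified model of libkrb5 host/ service-principal canonicalisation.

Added example; not the bug report's code, not NetworkManager's, not MIT krb5's.
All hosts-file, DNS, realm and keytab data below is constructed sample data.
"""

# Constructed /etc/hosts as left by NetworkManager (note the unqualified name).
HOSTS_WITH_NM_LINE = """\
127.0.0.1    localhost.localdomain localhost
::1          localhost6.localdomain6 localhost6
10.50.54.226 fedoratest   # Added by NetworkManager
"""

# Constructed /etc/hosts with the NetworkManager line removed.
HOSTS_CLEAN = """\
127.0.0.1    localhost.localdomain localhost
::1          localhost6.localdomain6 localhost6
"""

# Constructed DNS zone: forward (A) and reverse (PTR) records are consistent.
DNS_A = {"fedoratest.example.com": "10.50.54.226"}
DNS_PTR = {"10.50.54.226": "fedoratest.example.com"}
SEARCH_DOMAIN = "example.com"   # assumed resolver search domain
REALM = "EXAMPLE.COM"           # placeholder realm

# Constructed keytab on the sshd host: only the fully qualified principal exists.
KEYTAB = {"host/fedoratest.example.com@EXAMPLE.COM"}


def parse_hosts(text):
    """Parse hosts-file text into (name -> (canonical, addr), addr -> canonical)."""
    by_name, by_addr = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments such as "# Added by NetworkManager"
        if not line:
            continue
        addr, *names = line.split()
        canonical = names[0]                  # first name on the line is the canonical name
        for name in names:
            by_name.setdefault(name, (canonical, addr))
        by_addr.setdefault(addr, canonical)
    return by_name, by_addr


def forward_lookup(name, hosts_text):
    """Forward-resolve like getaddrinfo(AI_CANONNAME): /etc/hosts first, then DNS."""
    by_name, _ = parse_hosts(hosts_text)
    if name in by_name:
        return by_name[name]
    fqdn = name if "." in name else f"{name}.{SEARCH_DOMAIN}"
    if fqdn in DNS_A:
        return fqdn, DNS_A[fqdn]
    raise LookupError(f"cannot resolve {name}")


def reverse_lookup(addr, hosts_text):
    """Reverse-resolve like getnameinfo: /etc/hosts first, then DNS PTR."""
    _, by_addr = parse_hosts(hosts_text)
    if addr in by_addr:
        return by_addr[addr]
    if addr in DNS_PTR:
        return DNS_PTR[addr]
    raise LookupError(f"no reverse mapping for {addr}")


def service_principal(target, hosts_text, rdns=True):
    """Build host/<canonical>@REALM: forward lookup, then (only if rdns) a reverse
    lookup of the address whose answer replaces the forward name."""
    canonical, addr = forward_lookup(target, hosts_text)
    if rdns:
        canonical = reverse_lookup(addr, hosts_text)
    return f"host/{canonical.lower()}@{REALM}"


def gssapi_would_succeed(target, hosts_text, rdns=True):
    """True when the principal the client asks for is present in the server keytab."""
    return service_principal(target, hosts_text, rdns) in KEYTAB


if __name__ == "__main__":
    for label, hosts in (("NM line present", HOSTS_WITH_NM_LINE), ("NM line removed", HOSTS_CLEAN)):
        for rdns in (True, False):
            princ = service_principal("fedoratest.example.com", hosts, rdns)
            print(f"{label:16} rdns={rdns!s:5} -> {princ}  keytab match: {princ in KEYTAB}")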
I have a workaround of adding a script to /etc/NetworkManager/dispatcher.d/
#!/bin/sh
# Strip the NetworkManager-added hostname line and the whole ::1 line (this also drops the localhost6 names) from /etc/hosts
grep -v "Added by NetworkManager" /etc/hosts | grep -v '^::1' >/etc/hosts.edit
mv -f /etc/hosts.edit /etc/hosts
*** This bug has been marked as a duplicate of bug 648725 ***