[Freeipa-users] AD users not getting single sign on (Solaris)

nathan at nathanpeters.com nathan at nathanpeters.com
Fri Mar 20 21:23:12 UTC 2015


> nathan at nathanpeters.com wrote:
>> I have finally gotten all of my Solaris servers to accept AD users but the
>> behavior is inconsistent.
>>
>> In my FreeIPA domain, I can login to a Linux server and then ssh to the
>> Solaris server and I am automatically logged in because of my Kerberos
>> ticket (I assume).
>>
>> But when I ssh from the first Solaris machine to the 2nd I am prompted for
>> a password instead of being automatically signed in.  The strange thing is
>> that it doesn't matter which machine I login to first, it's only the 2nd
>> hop that asks for a password.
>>
>> Below is my console recording.  ipaclient1 is Linux, ipaclient5 and
>> ipaclient6 are Solaris.
>> Login from Linux -> Solaris 1 works without password
>> Login from Linux -> Solaris 2 works without password
>> Login from Solaris 1 -> Solaris 2 prompts
>> Login from Solaris 2 -> Solaris 1 prompts.
>>
>> Any ideas?
>
> You log into Linux and get a TGT. Using that TGT you can log into any
> other box (Solaris or otherwise). Unless you are delegating that TGT
> with each ssh login you won't have one after the first login to another
> system, it will be used for authentication only.
>
> See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.
>
> rob
>

Oh I see.  Thank you, adding the Delegation line in my /etc/ssh/ssh_config
fixed that.

Two more questions:
I seem to have to add the Delegation line in my Linux clients too. 
Dimitri's earlier answer seemed to indicate that the feature was automatic
with the sssd but I still have to do -K or add the line to the config for
it to work.  Was he mistaken or was I interpreting his answer wrong?

Second question, if you know...
Does Solaris support host key identification the same way Linux does?  I
noticed that my Solaris hosts do not get SSHFP entries so I assume I could
possibly manually add the host keys and SSHFP entries for it, but there is
no ssh_knownhosts proxy on Solaris, is there?
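
Added example, not part of the original message: the delegation line discussed in this thread forwards the user's TGT to every host the enclosing block of ssh_config matches, so this sketch reports where the option is enabled and how widely. The function names, the sample config and its host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where an ssh_config-style file turns on
# GSSAPIDelegateCredentials. A TGT is forwarded to every host the
# enclosing block matches, so "Host *" or a line above the first Host
# block is flagged GLOBAL; anything else is SCOPED.
# Note: this lists enabling lines only. ssh uses the first value it
# obtains for an option, so an earlier "no" can still override them.

# audit_delegation [FILE...]   (reads stdin when no file is given)
# Output: one "<GLOBAL|SCOPED><TAB><block>" line per enabling line.
audit_delegation() {
    awk '
        BEGIN { block = "(top of file)" }
        {
            sub(/[ \t]*=[ \t]*/, " ")   # accept "Keyword=value" as well
            key = tolower($1)           # keywords are case-insensitive
        }
        key == "host"  { $1 = ""; block = substr($0, 2); next }
        key == "match" { $1 = ""; block = "Match " substr($0, 2); next }
        key == "gssapidelegatecredentials" && tolower($2) == "yes" {
            wide = (block == "*" || block == "(top of file)")
            scope = wide ? "GLOBAL" : "SCOPED"
            print scope "\t" block
        }
    ' "$@"
}

# Constructed sample input; the host names are placeholders.
sample_config() {
    cat <<'EOF'
# constructed sample ssh_config
Host *.ipa.example.test
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host legacy.example.test
    GSSAPIDelegateCredentials no

Host *
    GSSAPIAuthentication yes
    gssapidelegatecredentials=yes
EOF
}

sample_config | audit_delegation
```

Run it against a real file with `audit_delegation /etc/ssh/ssh_config`; a GLOBAL line means the ticket is delegated to any server the client connects to with GSSAPI.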




