[Freeipa-users] GSSAPI for second hop (SSH)
Alexander Bokovoy
abokovoy at redhat.com
Fri Mar 3 18:32:27 UTC 2017
On Fri, 03 Mar 2017, Jason B. Nance wrote:
>Hello,
>
>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machine from the first they are being prompted for a password.
>
>I've tried the following /etc/ssh/ssh_config options:
>
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPIRenewalForcesRekey yes
> GSSAPITrustDns yes
>
>And the following /etc/ssh/sshd_config options:
>
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPIStoreCredentialsOnRekey yes
>
>Am I missing a step/configuration?
They need to allow delegation on the machine where their first hop
starts, not only on your jump server.
--
/ Alexander Bokovoy
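
Added example, not part of either post: a shell check that reads the effective client settings printed by `ssh -G <host>` on each machine in the chain and reports the first hop that does not delegate credentials. It assumes every hop, including the workstation, runs an OpenSSH client; the two sample configurations and the hop names are constructed.

```shell
#!/bin/sh
# Usage on a real host: ssh -G jump.example.com | delegation_state
# (jump.example.com is a placeholder host name.)

# delegation_state: reads `ssh -G` style "key value" lines on stdin and
# prints one of: delegates | auth-only | no-gssapi
delegation_state() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "gssapiauthentication"      { auth = val }
        key == "gssapidelegatecredentials" { deleg = val }
        END {
            if (auth != "yes")       print "no-gssapi"
            else if (deleg != "yes") print "auth-only"
            else                     print "delegates"
        }'
}

# first_broken_hop: takes "name:state" pairs in hop order and prints the
# first hop that does not delegate. The host it connects to receives no
# ticket, so the next ssh from that host falls back to a password prompt.
first_broken_hop() {
    for pair in "$@"; do
        case "${pair#*:}" in
            delegates) ;;
            *) echo "${pair%%:*}"; return 0 ;;
        esac
    done
    echo "none"
}

# Constructed sample: workstation client left at defaults (no delegation).
WORKSTATION_CFG='gssapiauthentication yes
gssapidelegatecredentials no'
# Constructed sample: jump server client with delegation enabled.
JUMP_CFG='gssapiauthentication yes
gssapidelegatecredentials yes'

ws=$(printf '%s\n' "$WORKSTATION_CFG" | delegation_state)
jump=$(printf '%s\n' "$JUMP_CFG" | delegation_state)
echo "workstation: $ws"
echo "jump server: $jump"
echo "chain breaks at: $(first_broken_hop "workstation:$ws" "jump:$jump")"
```

Running `klist -f` on the jump server after the first login shows whether a forwarded ticket actually arrived there.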