[Freeipa-users] GSSAPI for second hop (SSH)
Jason B. Nance
jason at tresgeek.net
Fri Mar 3 19:17:30 UTC 2017
>>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to
>>Linux servers from their domain-joined workstations are not required to enter a
>>password for the first connection. However, if they attempt to ssh to a second
>>Linux machine from the first they are being prompted for a password.
>>
>>I've tried the following /etc/ssh/ssh_config options:
>>
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPIRenewalForcesRekey yes
>> GSSAPITrustDns yes
>>
>>And the following /etc/ssh/sshd_config options:
>>
>> GSSAPIAuthentication yes
>> GSSAPIKeyExchange yes
>> GSSAPIStoreCredentialsOnRekey yes
>>
>>Am I missing a step/configuration?
> They need to allow delegation on the machine where their first hop
> starts, not only on your jump server.
Both the first hop and subsequent servers have those settings.
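
Added example, not part of the original message: a shell check to run on each hop that has to pass credentials onward. It reports which client-side GSSAPI options are not effectively enabled for the next host and whether the ticket cache holds a forwardable TGT, which delegation requires. It assumes an OpenSSH client that supports `ssh -G` and MIT Kerberos `klist -f`; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Feed the functions real output:
#   ssh -G second-hop.example.test | gss_client_missing
#   klist -f | tgt_is_forwardable && echo "TGT can be delegated"

# Reads `ssh -G <host>` output on stdin and prints each client option
# required for delegation whose effective value is not "yes".
# Prints nothing when both options are enabled.
gss_client_missing() {
    awk '
        BEGIN {
            want["gssapiauthentication"] = 1
            want["gssapidelegatecredentials"] = 1
        }
        { key = tolower($1) }
        key in want { seen[key] = tolower($2) }
        END {
            for (k in want) {
                val = (k in seen) ? seen[k] : "unset"
                if (val != "yes") print k "=" val
            }
        }
    ' | sort
}

# Reads `klist -f` output on stdin. Succeeds only if the krbtgt entry
# carries the F (forwardable) flag; lowercase f means "forwarded".
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")
            if (index($0, "F") > 0) ok = 1
            in_tgt = 0
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample input: authentication on, delegation off.
printf 'gssapiauthentication yes\ngssapidelegatecredentials no\n' |
    gss_client_missing
```

Run both checks on the workstation-side client and again on the first Linux host, since each hop acts as the SSH client for the next one.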