[Freeipa-users] GSSAPI for second hop (SSH)

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 3 19:56:47 UTC 2017


On pe, 03 maalis 2017, Jason B. Nance wrote:
>>>I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
>>>Linux servers from their domain-joined workstations are not required to enter a
>>>password for the first connection.  However, if they attempt to ssh to a second
>>>Linux machine from the first they are being prompted for a password.
>>>
>>>I've tried the following /etc/ssh/ssh_config options:
>>>
>>>    GSSAPIDelegateCredentials yes
>>>    GSSAPIKeyExchange yes
>>>    GSSAPIRenewalForcesRekey yes
>>>    GSSAPITrustDns yes
>>>
>>>And the following /etc/ssh/sshd_config options:
>>>
>>>    GSSAPIAuthentication yes
>>>    GSSAPIKeyExchange yes
>>>    GSSAPIStoreCredentialsOnRekey yes
>>>
>>>Am I missing a step/configuration?
>
>> They need to allow delegation on the machine where their first hop
>> starts, not only on your jump server.
>
>Both the first hop and subsequent servers have those settings.
I'm not talking about servers. It starts with the client machines.
If the server never got delegated credentials, how could it be a client that
delegates them further? That original client has to allow delegation
in the first place.

-- 
/ Alexander Bokovoy
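As an added example, not from the thread, the two checks a practitioner would run on the first hop to see which side is missing delegation: whether the credential cache actually holds a forwardable TGT (it will not if the workstation never delegated, whatever sshd_config says), and whether this host's own ssh client config delegates onward. It assumes MIT Kerberos `klist -f` output and OpenSSH 6.8 or later for `ssh -G`; the sample output is constructed.

```shell
#!/bin/sh
# Run on the FIRST hop (the host the workstation ssh'd into), not on the
# target of the second hop. Assumes MIT krb5 klist and OpenSSH 6.8+.

# Exit 0 when klist -f output on stdin shows a krbtgt ticket whose flags
# include 'F' (forwardable). 'f' alone means forwarded-but-not-forwardable,
# which cannot be delegated onward either.
has_forwardable_tgt() {
    awk '
        /krbtgt\// { tgt = 1; next }
        /Flags:/   {
            if (tgt) {
                for (i = 1; i < NF; i++)
                    if ($i == "Flags:" && index($(i + 1), "F")) found = 1
            }
            tgt = 0; next
        }
        { tgt = 0 }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 when "ssh -G <host>" output on stdin has delegation enabled.
# ssh -G prints the effective client config (lower-case keywords) after
# evaluating all Host/Match blocks for that destination.
delegation_enabled() {
    awk 'tolower($1) == "gssapidelegatecredentials" { v = tolower($2) }
         END { exit (v == "yes" ? 0 : 1) }'
}

# Constructed klist -f excerpt: a TGT with no 'F' flag, i.e. one this host
# can use locally but cannot delegate to the next hop.
SAMPLE_KLIST='Default principal: jnance@AD.EXAMPLE.COM
Valid starting     Expires            Service principal
03/03/17 19:56:47  03/04/17 05:56:47  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 03/10/17 19:56:47, Flags: fIA'

# usage: diagnose <next-hop-host>
diagnose() {
    if ! klist -f 2>/dev/null | has_forwardable_tgt; then
        echo "no forwardable TGT in this cache: the workstation (first client)" \
             "must delegate a forwardable ticket"
    fi
    if ! ssh -G "$1" 2>/dev/null | delegation_enabled; then
        echo "ssh client config on this host does not delegate to $1"
    fi
}

printf '%s\n' "$SAMPLE_KLIST" | has_forwardable_tgt \
    && echo "sample: forwardable TGT present" \
    || echo "sample: TGT is not forwardable, second hop will prompt"
```

A delegated forwardable TGT is a usable copy of the user's credentials sitting on the jump host, so on the workstation prefer enabling GSSAPIDelegateCredentials inside a Host block for the hosts that need it rather than globally.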
