[Freeipa-users] GSSAPI for second hop (SSH)

Jason B. Nance jason at tresgeek.net
Fri Mar 3 20:05:42 UTC 2017


>>>>I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
>>>>Linux servers from their domain-joined workstations are not required to enter a
>>>>password for the first connection.  However, if they attempt to ssh to a second
>>>>Linux machine from the first they are being prompted for a password.
>>>>
>>>>I've tried the following /etc/ssh/ssh_config options:
>>>>
>>>>    GSSAPIDelegateCredentials yes
>>>>    GSSAPIKeyExchange yes
>>>>    GSSAPIRenewalForcesRekey yes
>>>>    GSSAPITrustDns yes
>>>>
>>>>And the following /etc/ssh/sshd_config options:
>>>>
>>>>    GSSAPIAuthentication yes
>>>>    GSSAPIKeyExchange yes
>>>>    GSSAPIStoreCredentialsOnRekey yes
>>>>
>>>>Am I missing a step/configuration?
>>
>>> They need to allow delegation on the machine where their first hop
>>> starts, not only on your jump server.
>>
>>Both the first hop and subsequent servers have those settings.

> I'm not talking about servers. It starts with the client machines.
> If server never got delegated credentials, how could it be a client that
> delegates them further? That original client has to allow delegation
> in first place.

Do you know how I can validate that is working (such as, will something show up in a klist)?  I'm using PuTTY 0.67 as my Windows ssh client and have the "Allow GSSAPI credential delegation" box checked, but some quick Googling is suggesting that may not be enough.

Thanks for the insight.

j
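Added example, not part of this message or of FreeIPA's own code: the check a practitioner would run on the first-hop Linux server to answer the "will something show up in a klist?" question. After logging in from the workstation, `klist -f` on the first hop should show a TGT carrying the flags `F` (forwardable) and `f` (forwarded); the `f` flag is what proves the client actually delegated credentials, and `F` is what allows the server to delegate them again to the second hop. The listings inside the script are constructed MIT-style `klist -f` output (the principal and realm names are placeholders), not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or FreeIPA itself.
# Run on the FIRST hop after logging in from the workstation. If GSSAPI
# delegation worked, the server's credential cache holds a TGT that
# klist -f marks with F (forwardable) and f (forwarded). Without 'f'
# nothing was delegated and the second hop will always prompt.
#
# Real use:   check_delegated_tgt "$(klist -f 2>/dev/null)"
# The three listings below are constructed MIT-style klist -f output.

# Return 0 if the listing holds a forwarded, forwardable TGT;
# 1 if there is no TGT at all, 2 if the TGT was not forwarded,
# 3 if it was forwarded but cannot be forwarded again.
check_delegated_tgt() {
    listing=$1
    if ! printf '%s\n' "$listing" | grep -q 'krbtgt/'; then
        echo "no TGT in the credential cache: nothing was delegated"
        return 1
    fi
    # klist -f prints the TGT line, then "renew until ..., Flags: XYZ".
    # Take the flags that belong to the first krbtgt entry.
    flags=$(printf '%s\n' "$listing" | awk '
        /krbtgt\//        { tgt = 1; next }
        tgt && /Flags:/   { sub(/.*Flags: */, ""); print; exit }')
    case $flags in
        *f*) ;;
        *)  echo "TGT present but not forwarded (flags: ${flags:-none}): obtained locally, not delegated"
            return 2 ;;
    esac
    case $flags in
        *F*) ;;
        *)  echo "TGT was delegated but is not forwardable (flags: $flags): the next hop will prompt"
            return 3 ;;
    esac
    echo "delegated, forwardable TGT present (flags: $flags): second hop should work"
    return 0
}

# Constructed sample: what a successful first hop looks like.
SAMPLE_DELEGATED='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
03/03/2017 14:01:22  03/04/2017 00:01:22  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 03/10/2017 14:01:22, Flags: FfRA'

# Constructed sample: the user ran kinit on the server instead
# (an initial ticket, flag I, that was never forwarded).
SAMPLE_LOCAL_KINIT='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
03/03/2017 14:05:10  03/04/2017 00:05:10  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 03/10/2017 14:05:10, Flags: FRIA'

# Constructed sample: no credential cache at all (klist only prints an error on stderr).
SAMPLE_EMPTY=''

# Stand-alone demo; each call's message explains the outcome.
for sample in "$SAMPLE_DELEGATED" "$SAMPLE_LOCAL_KINIT" "$SAMPLE_EMPTY"; do
    check_delegated_tgt "$sample" || :
done
```

Reading the result: an exit status of 1 or 2 on the first hop means the problem is on the workstation side (nothing arrived), so no amount of `sshd_config` tuning on the Linux servers will help; check there that the user's TGT is itself forwardable and that the client really requested delegation (`ssh -v` from an OpenSSH client logs "Delegating credentials" when it does). Exit status 3 means delegation happened once but the forwarded ticket is not forwardable, so the chain stops after the first hop.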
