[Freeipa-users] [solved] Re: GSSAPI for second hop (SSH)
Jason B. Nance
jason at tresgeek.net
Fri Mar 3 20:29:25 UTC 2017
>>>>>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to
>>>>>Linux servers from their domain-joined workstations are not required to enter a
>>>>>password for the first connection. However, if they attempt to ssh to a second
>>>>>Linux machine from the first they are being prompted for a password.
>>>>>
>>>>>I've tried the following /etc/ssh/ssh_config options:
>>>>>
>>>>> GSSAPIDelegateCredentials yes
>>>>> GSSAPIKeyExchange yes
>>>>> GSSAPIRenewalForcesRekey yes
>>>>> GSSAPITrustDns yes
>>>>>
>>>>>And the following /etc/ssh/sshd_config options:
>>>>>
>>>>> GSSAPIAuthentication yes
>>>>> GSSAPIKeyExchange yes
>>>>> GSSAPIStoreCredentialsOnRekey yes
>>>>>
>>>>>Am I missing a step/configuration?
>>>
>>>> They need to allow delegation on the machine where their first hop
>>>> starts, not only on your jump server.
>>>
>>>Both the first hop and subsequent servers have those settings.
>
>> I'm not talking about servers. It starts with the client machines.
>> If the server never got delegated credentials, how could it be a client that
>> delegates them further? That original client has to allow delegation
>> in the first place.
>
> Do you know how I can validate that is working (such as, will something show up
> in a klist)? I'm using PuTTY 0.67 as my Windows ssh client and have the "Allow
> GSSAPI credential delegation" box checked, but some quick Googling is
> suggesting that may not be enough.
Okay, I missed something REALLY basic. :-( In my SSH client configuration I didn't have "GSSAPIAuthentication yes", and the default is "no". The key exchange doesn't work, but gssapi-with-mic does. Here's an excerpt from "ssh -vvv":
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to sl1mmgplsat0001 (via proxy).
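As an added example (not from the thread, PuTTY, OpenSSH or the FreeIPA project), here is a small POSIX sh script covering the two checks the thread ends on: whether the client-side ssh_config actually yields "yes" for both GSSAPIAuthentication and GSSAPIDelegateCredentials for the target host (the default for both is "no", which is what bit the original poster), and whether the ticket cache on the first hop holds a TGT that was forwarded from the client rather than obtained locally, which is what "will something show up in a klist" comes down to. The config text, hostnames, principal and klist output are constructed samples; only the option names and the klist -f flag letters (F = forwardable, f = forwarded, I = initial, A = preauthenticated) come from OpenSSH and MIT Kerberos.

```shell
#!/bin/sh
# Added example: validate the client config and the delegated TGT on the jump host.
# Inputs are constructed; no network or Kerberos libraries are needed to run it.
set -f   # Host patterns such as "*" must not be expanded against the filesystem

# Constructed ssh_config content mirroring the poster's first attempt:
# delegation enabled, GSSAPIAuthentication left at its default of "no".
BROKEN_CFG='Host *
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
'
# Constructed corrected config: both options on for the Kerberos realm's hosts only.
FIXED_CFG='Host *.example.test
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication no
'

# effective_opt CFGTEXT HOSTNAME OPTION
# Prints the value OPTION takes for HOSTNAME under ssh_config's first-match-wins
# rule, or "no" (the OpenSSH default for both GSSAPI options) when never set.
# Simplification: handles Host lines with glob patterns only, not Match blocks
# or negated ("!") patterns.
effective_opt() {
    host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1      # options before the first Host line apply everywhere
    value=''
    while read -r key rest; do
        [ -z "$key" ] && continue
        case $key in '#'*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$lkey" = host ]; then
            active=0
            for pat in $rest; do
                case $host in $pat) active=1 ;; esac
            done
        elif [ "$active" = 1 ] && [ "$lkey" = "$want" ] && [ -z "$value" ]; then
            value=$rest
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "${value:-no}"
}

# Constructed "klist -f" output on the jump host after a delegated login:
# the lowercase "f" flag marks a TGT forwarded from the client.
KLIST_DELEGATED='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE.TEST

Valid starting       Expires              Service principal
03/03/2017 14:05:11  03/04/2017 00:05:11  krbtgt/AD.EXAMPLE.TEST@AD.EXAMPLE.TEST
        Flags: FfA
'
# Constructed output after a local kinit: forwardable and initial, but not forwarded.
KLIST_LOCAL='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE.TEST

Valid starting       Expires              Service principal
03/03/2017 14:05:11  03/04/2017 00:05:11  krbtgt/AD.EXAMPLE.TEST@AD.EXAMPLE.TEST
        Flags: FIA
'

# tgt_forwarded KLISTTEXT
# Prints "forwarded" if the krbtgt entry carries the f flag, "local" if it has
# flags but no f, and "none" if there is no krbtgt ticket in the cache at all.
tgt_forwarded() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { after_tgt = 1; next }
        after_tgt && /Flags:/ {
            split($0, a, "Flags:")
            r = (a[2] ~ /f/) ? "forwarded" : "local"
            print r
            found = 1
            exit
        }
        { after_tgt = 0 }
        END { if (!found) print "none" }
    '
}

# Stand-alone run: report both checks for a sample jump host.
for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
    printf '%-26s broken=%s fixed=%s\n' "$opt" \
        "$(effective_opt "$BROKEN_CFG" jump1.example.test "$opt")" \
        "$(effective_opt "$FIXED_CFG" jump1.example.test "$opt")"
done
printf 'delegated cache: %s\n' "$(tgt_forwarded "$KLIST_DELEGATED")"
printf 'local cache:     %s\n' "$(tgt_forwarded "$KLIST_LOCAL")"
```

On a live system the equivalents are `ssh -G jumphost | grep -i gssapi` (OpenSSH 6.8 and later prints the effective client options) before connecting, `klist -f` on the first hop after logging in, and the `debug1: Delegating credentials` lines in the `ssh -vvv` output quoted above on the client side; a cache on the first hop whose krbtgt entry lacks the f flag means the second hop will fall back to a password prompt exactly as the original report describes.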