[Freeipa-users] [solved] Re: GSSAPI for second hop (SSH)

Jason B. Nance jason at tresgeek.net
Fri Mar 3 20:29:25 UTC 2017


>>>>>I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
>>>>>Linux servers from their domain-joined workstations are not required to enter a
>>>>>password for the first connection.  However, if they attempt to ssh to a second
>>>>>Linux machine from the first they are being prompted for a password.
>>>>>
>>>>>I've tried the following /etc/ssh/ssh_config options:
>>>>>
>>>>>    GSSAPIDelegateCredentials yes
>>>>>    GSSAPIKeyExchange yes
>>>>>    GSSAPIRenewalForcesRekey yes
>>>>>    GSSAPITrustDns yes
>>>>>
>>>>>And the following /etc/ssh/sshd_config options:
>>>>>
>>>>>    GSSAPIAuthentication yes
>>>>>    GSSAPIKeyExchange yes
>>>>>    GSSAPIStoreCredentialsOnRekey yes
>>>>>
>>>>>Am I missing a step/configuration?
>>>
>>>> They need to allow delegation on the machine where their first hop
>>>> starts, not only on your jump server.
>>>
>>>Both the first hop and subsequent servers have those settings.
> 
>> I'm not talking about servers. It starts with the client machines.
>> If the server never got delegated credentials, how could it be a client that
>> delegates them further? That original client has to allow delegation
>> in the first place.
> 
> Do you know how I can validate that is working (such as, will something show up
> in a klist)?  I'm using PuTTY 0.67 as my Windows ssh client and have the "Allow
> GSSAPI credential delegation" box checked, but some quick Googling is
> suggesting that may not be enough.

Okay, I missed something REALLY basic.  :-(  In my SSH client configuration I didn't have "GSSAPIAuthentication yes", and the default is "no".  The key exchange doesn't work, but gssapi-with-mic does.  Here's an excerpt from "ssh -vvv":

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to sl1mmgplsat0001 (via proxy).
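As an added example (not from the original thread, FreeIPA or OpenSSH), here are three stdin checks for what this thread settles on: that the originating client's effective GSSAPIAuthentication and GSSAPIDelegateCredentials options are "yes", that an "ssh -vvv" log shows gssapi-with-mic succeeding with "Delegating credentials", and that "klist -f" on the first hop shows a forwarded TGT. It assumes OpenSSH's "ssh -G" option dump and MIT Kerberos "klist -f" flag letters; the sample inputs are constructed.

```shell
# Reads "ssh -G <host>" output; succeeds only if both GSSAPIAuthentication and
# GSSAPIDelegateCredentials resolve to "yes" on the originating client.
check_client_options() {
    cfg=$(cat)
    missing=""
    for opt in gssapiauthentication gssapidelegatecredentials; do
        val=$(printf '%s\n' "$cfg" |
              awk -v k="$opt" 'tolower($1) == k { v = tolower($2) } END { print v }')
        [ "$val" = "yes" ] || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    printf 'client option(s) not enabled:%s\n' "$missing"
    return 1
}

# Reads "ssh -vvv" output; succeeds only if authentication completed with
# gssapi-with-mic AND the client logged "Delegating credentials". A failed
# gssapi-keyex attempt, as in the excerpt above, does not matter here.
log_shows_delegation() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'Authentication succeeded (gssapi-with-mic)' || return 1
    printf '%s\n' "$log" | grep -q 'Delegating credentials' || return 2
}

# Reads MIT "klist -f" output taken on the FIRST hop after logging in; succeeds
# if the krbtgt ticket carries the lowercase 'f' (forwarded) flag, which is
# what a delegated credential looks like in the intermediate host's cache.
klist_has_forwarded_tgt() {
    awk 'prev ~ /krbtgt\// && $0 ~ /Flags: [A-Za-z]*f/ { found = 1 }
         { prev = $0 }
         END { exit (found ? 0 : 1) }'
}

# Constructed sample inputs (not real captures) so the script runs offline.
SAMPLE_G='gssapiauthentication yes
gssapidelegatecredentials yes'
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: user@EXAMPLE.TEST

Valid starting       Expires              Service principal
03/03/2017 10:00:00  03/03/2017 20:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        Flags: FfRA'

printf '%s\n' "$SAMPLE_G" | check_client_options && echo "client options: ok"
printf '%s\n' "$SAMPLE_KLIST" | klist_has_forwarded_tgt && echo "forwarded TGT present on first hop"
```

On a real system, feed the functions with "ssh -G jumphost | check_client_options", "ssh -vvv jumphost 2>&1 | log_shows_delegation" and, once logged in on the first hop, "klist -f | klist_has_forwarded_tgt".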