On to, 06 syys 2018, Ranbir via FreeIPA-users wrote:
> On Thu, 2018-09-06 at 05:08 +0200, Jochen Hein via FreeIPA-users wrote:
> > You used "ssh ipa01", right? And the host has been enrolled with
> > ipa01.theinside.rnr?
> Yes.
> > I have in my ~/.ssh/config:
> > CanonicalizeHostname always
> > CanonicalDomains example.org
> I can try that. But it doesn't answer my question: why does GSSAPI
> delegation work for some hosts and not others? I'm going to assume I
> did something wrong, but I don't know what.
> For example, I can ssh from my Fedora desktop to ipa01. I don't have to
> use a password or an ssh key because my Kerberos ticket allows me
> access. Then, from ipa01, I can ssh to anything else in the FreeIPA
> domain without a password or ssh key because GSSAPI delegation allows
> me access.
> I have some servers where I can log in using Kerberos tickets from my
> Fedora desktop, but GSSAPI delegation fails.
> I haven't been able to find a difference between them.
GSSAPI delegation is a client-side thing. If you ssh-ed into a server
from a client that allowed GSSAPI delegation, your server now becomes a
client for the next leg. Does that client allow GSSAPI delegation
itself?
Look at the man page for ssh_client:
GSSAPIDelegateCredentials
Forward (delegate) credentials to the server. The default is no.
Do you have
GSSAPIDelegateCredentials yes
on all your servers in /etc/ssh/ssh_config?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
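A small per-hop check for the prerequisites raised in this thread (client-side GSSAPIDelegateCredentials, hostname canonicalization, and a forwardable TGT). This is an added example, not code from the thread or from FreeIPA; it assumes OpenSSH's `ssh -G` output format and MIT Kerberos `klist -f` output, and the sample outputs in it are constructed.

```python
"""Client-side prerequisites for GSSAPI delegation on one hop (added example, not from the thread).
Assumes OpenSSH `ssh -G` output (lowercase option per line, hostname already canonicalized) and MIT `klist -f`."""
import subprocess
import sys
# Constructed sample outputs for offline use (not captured from the poster's hosts).
SSH_G_OK = "hostname ipa01.example.org\ngssapiauthentication yes\ngssapidelegatecredentials yes\n"
SSH_G_BAD = "hostname ipa01\ngssapiauthentication yes\ngssapidelegatecredentials no\n"
KLIST_OK = ("09/06/2018 08:00:00  09/07/2018 08:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n"
            "\trenew until 09/13/2018 08:00:00, Flags: FRIA\n")
KLIST_NOFWD = KLIST_OK.replace("Flags: FRIA", "Flags: RIA")

def parse_ssh_g(text):
    """Map `ssh -G host` output to {option: value}; the last value wins for repeated options."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1]
    return opts

def tgt_is_forwardable(klist_text):
    """True if the krbtgt entry in `klist -f` output carries the F (forwardable) flag."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/" in line:
            for follow in lines[i:i + 2]:  # flags sit on the same line or the next one
                if "Flags:" in follow:
                    return "F" in follow.split("Flags:")[1].split()[0]
    return False

def delegation_findings(ssh_g_text, klist_text, canonical_domain):
    """List why delegation from this hop would fail; an empty list means every prerequisite is met."""
    opts = parse_ssh_g(ssh_g_text)
    problems = []
    if opts.get("gssapiauthentication") != "yes":
        problems.append("GSSAPIAuthentication is not 'yes' on this hop")
    if opts.get("gssapidelegatecredentials") != "yes":
        problems.append("GSSAPIDelegateCredentials is not 'yes' on this hop (the setting the thread suspects)")
    if not opts.get("hostname", "").endswith("." + canonical_domain):
        problems.append(f"target '{opts.get('hostname')}' is not canonicalized under {canonical_domain}; host/<fqdn> will not match")
    if not tgt_is_forwardable(klist_text):
        problems.append("TGT is not forwardable (no F flag in klist -f), so there is nothing to delegate")
    return problems

if __name__ == "__main__":  # live check on this hop: python3 check_delegation.py ipa01 example.org
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa01"
    domain = sys.argv[2] if len(sys.argv) > 2 else "example.org"
    ssh_out = subprocess.run(["ssh", "-G", target], capture_output=True, text=True).stdout
    klist_out = subprocess.run(["klist", "-f"], capture_output=True, text=True).stdout
    print("\n".join(delegation_findings(ssh_out, klist_out, domain) or ["all delegation prerequisites met"]))
```

Run it on each hop in the chain (desktop, then ipa01) against the next host; a hop that reports GSSAPIDelegateCredentials as not 'yes' is where the chain breaks, regardless of how the first hop was configured.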
_______________________________________________
FreeIPA-users mailing list -- [email protected]