Hello FreeIPA Community,

I am using FreeIPA version 4.4.0 on CentOS Linux 7.3.1611.

Via FreeIPA's use of Kerberos, I have no problem SSHing among hosts in a passwordless manner (Single Sign On (SSO)) as long as I use their hostnames. Example relevant output from the SSH client verbose mode is:

[email protected]$ ssh -v host-2.example.com
...
debug1: Authentication succeeded (gssapi-with-mic).
...
[email protected]$

However, if I try to SSH to the same host using its (fixed) IP address rather than its hostname, SSO does not succeed as an authentication method, and the client falls back to keyboard-interactive, prompting me for a password, as can be seen here:

[email protected]$ ssh -v 10.10.10.5
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/[email protected] not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

We have in-house code that performs remote command execution via SSH. We've made sure our code always uses hostnames to avoid this problem. (Being prompted for a password kills the automation we're trying to achieve.)

We also use some external code (over which we have no control and are not permitted to modify), and that code also performs remote command execution via SSH. Unfortunately, however, it does so using an *IP address*, rather than a hostname, as a destination.

For this reason, we need FreeIPA's SSO SSH capability to work when SSHing to a host via that host's IP address. Is this possible and, if so, how would it be accomplished?
Thanks,
Dave
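
Added example (not part of the original post, and not FreeIPA or OpenSSH code): a Python check that reads `ssh -v` output like the failing session above and reports whether GSSAPI was attempted without succeeding, and whether the service principal the KDC rejected was built from an IP literal. The sample text and its realm are constructed; `diagnose` and `is_ip_literal` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the failing session; the realm is a placeholder.
SAMPLE = """\
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/10.10.10.5@REALM.EXAMPLE not found in Kerberos database
debug1: Next authentication method: keyboard-interactive
"""

NEXT = re.compile(r"^debug1: Next authentication method: (\S+)")
OK = re.compile(r"^debug1: Authentication succeeded \(([^)]+)\)")
MISSING = re.compile(r"^Server ([^/\s]+)/([^@\s]+)@(\S+) not found in Kerberos database")


def is_ip_literal(name):
    """True when the principal's instance part is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def diagnose(ssh_verbose_output):
    """Summarise the auth methods seen in `ssh -v` output and any GSSAPI fallback."""
    tried, succeeded, missing = [], None, None
    for raw in ssh_verbose_output.splitlines():
        line = raw.strip()
        m = NEXT.match(line)
        if m:
            tried.append(m.group(1))
            continue
        m = OK.match(line)
        if m:
            succeeded = m.group(1)
            continue
        m = MISSING.match(line)
        if m:
            service, instance, realm = m.groups()
            missing = {"service": service, "instance": instance, "realm": realm,
                       "ip_literal": is_ip_literal(instance)}
    gss_tried = any(t.startswith("gssapi") for t in tried)
    sso_ok = succeeded is not None and succeeded.startswith("gssapi")
    return {"tried": tried, "succeeded": succeeded, "missing_principal": missing,
            "fell_back_from_sso": gss_tried and not sso_ok}
```
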
