On Thu, Dec 20, 2018 at 12:10:37AM +0000, Theese, David C via FreeIPA-users wrote:

> Hello FreeIPA Community,
>
> I am using FreeIPA version 4.4.0 on CentOS Linux 7.3.1611.
>
> Via FreeIPA's use of Kerberos, I have no problem SSHing among hosts in a
> passwordless manner (Single Sign On (SSO)) as long as I use their hostnames.
> Example relevant output from the SSH client verbose mode is:
>
> [email protected]$ ssh -v host-2.example.com
> ...
> debug1: Authentication succeeded (gssapi-with-mic).
> ...
> [email protected]$
>
> However, if I try to SSH to the same host using its (fixed) IP address rather
> than its hostname, SSO does not succeed as an authentication method, and the
> client falls back to keyboard-interactive, prompting me for a password, as
> can be seen here:
>
> [email protected]$ ssh -v 10.10.10.5
> ...
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server host/[email protected] not found in Kerberos database

Your client is looking for a host principal of host/[email protected], which I think is a clue.

> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> Password:
>
> We have in-house code that performs remote command execution via SSH. We've
> made sure our code always uses hostnames to avoid this problem. (Being
> prompted for a password kills the automation we're trying to achieve.)
>
> We also use some external code (over which we have no control and are not
> permitted to modify), and that code also performs remote command execution
> via SSH. Unfortunately, however, it does so using an *IP address*, rather
> than a hostname, as a destination.
>
> For this reason, we need FreeIPA's SSO SSH capability to work when SSHing to
> a host via that host's IP address.
>
> Is this possible and, if so, how would it be accomplished?

I'm guessing you don't have a proper PTR for this host. This is preventing
your client from resolving its host's name, which it needs to look up in the
KDC for a service ticket. Try adding a reverse entry for host-2.example.com
and try again.

Bryan

> Thanks,
> Dave
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

-- 
Bryan Mesich
Sr. System Administrator
DIGI-KEY ELECTRONICS
701 Brooks Ave. South
Thief River Falls, MN 56701 USA
[email protected]
218.681.8000 x6104
Powered by Linux 3.10.0-862.6.3.el7.x86_64
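The resolution path Bryan points at, as an added example that is not part of the thread or of FreeIPA: a small Python model, using constructed DNS data rather than live lookups and an assumed realm of EXAMPLE.COM, of how the client turns the name typed on the ssh command line into the host service principal, which shows why a missing PTR for 10.10.10.5 leaves the client asking the KDC for host/10.10.10.5@EXAMPLE.COM. The forward-confirmation step is a hardening assumption in this model (the check sshd's UseDNS performs), not necessarily what the Kerberos library itself does.

```python
import ipaddress

REALM = "EXAMPLE.COM"  # assumed; the original post masks the realm

# Constructed zone data standing in for what the IPA DNS servers would answer.
FORWARD = {"host-2.example.com": "10.10.10.5"}           # A records
REVERSE_NO_PTR = {}                                      # the state in the thread
REVERSE_WITH_PTR = {"10.10.10.5": "host-2.example.com"}  # after Bryan's suggested fix
REVERSE_BOGUS_PTR = {"10.10.10.5": "other.example.com"}  # PTR that does not forward-confirm


def canonicalize(target, forward, reverse):
    """Return (name, reason): the name the client will put in the principal.

    A hostname is used as typed. An IP is replaced by its PTR name only when
    the forward map (A record) resolves that name back to the same IP, so a
    stale or spoofed PTR cannot redirect the ticket request to another host's
    principal.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return target.rstrip(".").lower(), "hostname given; no reverse lookup needed"
    ptr = reverse.get(target)
    if ptr is None:
        return target, "no PTR record; principal keeps the bare IP"
    if forward.get(ptr) != target:
        return target, f"PTR {ptr} does not resolve back to {target}; ignored"
    return ptr, "PTR forward-confirmed"


def service_principal(target, forward, reverse, realm=REALM):
    """Build the host/ principal the client will ask the KDC for."""
    name, _ = canonicalize(target, forward, reverse)
    return f"host/{name}@{realm}"


def explain(target, forward, reverse, realm=REALM):
    """One-line diagnosis of the form a troubleshooting script would print."""
    name, reason = canonicalize(target, forward, reverse)
    return f"{target} -> host/{name}@{realm} ({reason})"


if __name__ == "__main__":
    for label, rev in (("no PTR", REVERSE_NO_PTR), ("PTR added", REVERSE_WITH_PTR),
                       ("bogus PTR", REVERSE_BOGUS_PTR)):
        print(f"[{label}] " + explain("10.10.10.5", FORWARD, rev))
    print(explain("host-2.example.com", FORWARD, REVERSE_NO_PTR))
```

In a real deployment the reverse map is the in-addr.arpa zone; with FreeIPA-managed DNS the record Bryan suggests would be added with `ipa dnsrecord-add 10.10.10.in-addr.arpa. 5 --ptr-rec=host-2.example.com.` (assuming that reverse zone exists), and `dig -x 10.10.10.5` confirms it from the client.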
