On 03/20/2015 05:23 PM, nat...@nathanpeters.com wrote:
I have finally gotten all of my Solaris servers to accept AD users but
behavior is inconsistent.
In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I assume).
But when I ssh from the first Solaris machine to the 2nd I am prompted
for a password instead of being automatically signed in. The strange thing
is that it doesn't matter which machine I login to first, it's only the 2nd
hop that asks for a password.
Below are my console recordings. ipaclient1 is Linux, ipaclient5 and
ipaclient6 are Solaris.
Login from Linux -> Solaris 1 works without password
Login from Linux -> Solaris 2 works without password
Login from Solaris 1 -> Solaris 2 prompts
Login from Solaris 2 -> Solaris 1 prompts.
You log into Linux and get a TGT . Using that TGT you can log into any
other box (Solaris or otherwise). Unless you are delegating that TGT
with each ssh login you won't have one after the first login to another
system, it will be used for authentication only.
See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.
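The reply above comes down to one client-side setting: the TGT is presented for authentication on the first hop, and only a copy that is explicitly delegated (ssh -K, or GSSAPIDelegateCredentials yes in the client config) is available on that host for a second hop. Because delegation hands the remote machine a usable copy of your credentials, the setting is normally scoped with Host blocks rather than enabled for every destination. The script below is an added example and not code from the thread or from FreeIPA: it builds a constructed ssh_config (the domain example.test and the host bastion.other.org are assumptions; ipaclient5 and ipaclient6 are the names used in the thread) and evaluates, with OpenSSH's first-value-wins rule, whether a given host would receive a delegated TGT.

```shell
#!/bin/sh
# Added example, not from the thread: audit which hosts an OpenSSH client
# config will forward (delegate) a Kerberos TGT to. Assumption: the config
# uses plain "Host <pattern...>" blocks (no Match); the sample is constructed.

SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# Constructed sample ~/.ssh/config. ssh takes the FIRST value it finds for a
# keyword, so the narrow block must come before the catch-all "Host *".
Host *.example.test
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF

# delegation_for_host CONFIG HOSTNAME
# Prints "yes" if a TGT would be delegated when connecting to HOSTNAME,
# otherwise "no" (OpenSSH's default). Mirrors first-match-wins per keyword.
delegation_for_host() {
    cfg=$1
    host=$2
    value=""
    in_match=1            # lines before any Host block apply to every host
    while IFS= read -r line || [ -n "$line" ]; do
        # drop leading whitespace and trailing comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/#.*$//')
        [ -z "$line" ] && continue
        set -- $line      # word-split into keyword and arguments
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        case $key in
            host)
                # a Host line may carry several patterns; any match enables the block
                in_match=0
                for pat in "$@"; do
                    case $host in
                        $pat) in_match=1 ;;
                    esac
                done
                ;;
            gssapidelegatecredentials)
                if [ "$in_match" -eq 1 ] && [ -z "$value" ]; then
                    value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
                fi
                ;;
        esac
    done < "$cfg"
    printf '%s\n' "${value:-no}"
}

# Demo: the IPA hosts get delegation, anything else does not.
for h in ipaclient5.example.test ipaclient6.example.test bastion.other.org; do
    printf '%-28s delegate TGT: %s\n' "$h" "$(delegation_for_host "$SAMPLE_CFG" "$h")"
done
```

Two checks go with this. First, delegation only works if the TGT itself is forwardable (krb5.conf `forwardable = true` under libdefaults, or `kinit -f`); an ordinary ticket is silently not forwarded. Second, on the intermediate host `klist` should show the delegated ticket in a fresh cache after login; if it is absent, the second hop will fall back to a password prompt exactly as described in the thread.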
Oh I see. Thank you, adding the Delegation line in my /etc/ssh/ssh_config
Two more questions:
I seem to have to add the Delegation line in my Linux clients too.
Dimitri's earlier answer seemed to indicate that the feature was automatic
with the sssd but I still have to do -K or add the line to the config for
it to work. Was he mistaken or was I interpreting his answer wrong?
What I meant to say is that SSSD does Kerberos by default. It does not
delegate by default.
So you can hop once.
On Solaris you can't hop at all because there is no Kerberos, the auth
is done using LDAP.
Second question, if you know...
Does Solaris support host key identification the same way Linux does? I
noticed that my Solaris hosts do not get SSHFP entries, so I assume I could
possibly add the host keys and SSHFP entries for them manually, but there is
no ssh_known_hosts proxy on Solaris, is there?
I do not know.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project