>>>>>I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users 
>>>>>connecting to
>>>>>Linux servers from their domain-joined workstations are not required to 
>>>>>enter a
>>>>>password for the first connection.  However, if they attempt to ssh to a 
>>>>>Linux machine from the first they are being prompted for a password.
>>>>>I've tried the following /etc/ssh/ssh_config options:
>>>>>    GSSAPIDelegateCredentials yes
>>>>>    GSSAPIKeyExchange yes
>>>>>    GSSAPIRenewalForcesRekey yes
>>>>>    GSSAPITrustDns yes
>>>>>And the following /etc/ssh/sshd_config options:
>>>>>    GSSAPIAuthentication yes
>>>>>    GSSAPIKeyExchange yes
>>>>>    GSSAPIStoreCredentialsOnRekey yes
>>>>>Am I missing a step/configuration?
>>>> They need to allow delegation on the machine where their first hop
>>>> starts, not only on your jump server.
>>>Both the first hop and subsequent servers have those settings.
>> I'm not talking about servers. It starts with the client machines.
>> If server never got delegated credentials, how could it be a client that
>> delegates them further? That original client has to allow delegation
>> in first place.
> Do you know how I can validate that is working (such as, will something show 
> up
> in a klist)?  I'm using PuTTY 0.67 as my Windows ssh client and have the 
> "Allow
> GSSAPI credential delegation" box checked, but some quick Googling is
> suggesting that may not be enough.

Okay, I missed something REALLY basic.  :-(  In my SSH client configuration I 
didn't have "GSSAPIAuthentication yes", and the default is "no".  The key 
exchange doesn't work, but gssapi-with-mic does.  Here's an excerpt from "ssh 

debug3: preferred 
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: 
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to sl1mmgplsat0001 (via proxy).

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to