>>>>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to
>>>>> Linux servers from their domain-joined workstations are not required to enter a
>>>>> password for the first connection. However, if they attempt to ssh to a second
>>>>> Linux machine from the first they are being prompted for a password.
>>>>>
>>>>> I've tried the following /etc/ssh/ssh_config options:
>>>>>
>>>>>     GSSAPIDelegateCredentials yes
>>>>>     GSSAPIKeyExchange yes
>>>>>     GSSAPIRenewalForcesRekey yes
>>>>>     GSSAPITrustDns yes
>>>>>
>>>>> And the following /etc/ssh/sshd_config options:
>>>>>
>>>>>     GSSAPIAuthentication yes
>>>>>     GSSAPIKeyExchange yes
>>>>>     GSSAPIStoreCredentialsOnRekey yes
>>>>>
>>>>> Am I missing a step/configuration?
>>>
>>>> They need to allow delegation on the machine where their first hop
>>>> starts, not only on your jump server.
>>>
>>> Both the first hop and subsequent servers have those settings.
>
>> I'm not talking about servers. It starts with the client machines.
>> If the server never got delegated credentials, how could it be a client that
>> delegates them further? That original client has to allow delegation
>> in the first place.
>
> Do you know how I can validate that is working (such as, will something show up
> in a klist)? I'm using PuTTY 0.67 as my Windows ssh client and have the "Allow
> GSSAPI credential delegation" box checked, but some quick Googling is
> suggesting that may not be enough.
Okay, I missed something REALLY basic. :-(

In my SSH client configuration I didn't have "GSSAPIAuthentication yes", and
the default is "no". The key exchange doesn't work, but gssapi-with-mic does.
Here's an excerpt from "ssh -vvv":

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to sl1mmgplsat0001 (via proxy).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
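The thread asked how to validate that delegation is working and whether it shows up in klist. The answer is yes: `klist -f` prints the ticket flags, and a delegated TGT on the first hop carries the lowercase "f" (forwarded) flag, while the TGT on the originating client must carry "F" (forwardable) for delegation to be possible at all. The script below is an added example, not from the thread or from FreeIPA; it parses MIT Kerberos `klist -f` output and reports the delegation state of the TGT. The four sample caches, the realm EXAMPLE.COM, the principal, host names and dates are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: inspect `klist -f` output to tell whether
# the Kerberos TGT in a credential cache can be delegated (flag F, forwardable)
# and whether it actually was delegated to this host (flag f, forwarded).
# MIT Kerberos flag letters: F forwardable, f forwarded, R renewable,
# I initial, A pre-authenticated.

# Constructed sample caches (not real output; realm, principal and dates are
# placeholders). The first is what a first-hop server should show after a
# successful gssapi-with-mic login with GSSAPIDelegateCredentials yes.
SAMPLE_FIRST_HOP='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2017 09:00:00  01/01/2017 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/08/2017 09:00:00, Flags: FfRIA
01/01/2017 09:00:05  01/01/2017 19:00:00  host/hop1.example.com@EXAMPLE.COM
        Flags: FRA'

# The originating workstation: forwardable TGT, nothing forwarded yet.
SAMPLE_WORKSTATION='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2017 09:00:00  01/01/2017 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FRIA'

# A TGT obtained without the forwardable flag: delegation cannot work from here.
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2017 09:00:00  01/01/2017 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: RIA'

# A cache holding only a service ticket and no TGT at all.
SAMPLE_NO_TGT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2017 09:00:05  01/01/2017 19:00:00  host/hop1.example.com@EXAMPLE.COM
        Flags: RA'

# tgt_flags KLIST_OUTPUT: print the Flags string of the krbtgt entry (empty if none).
# The flags live on the indented continuation line after the ticket line.
tgt_flags() {
  printf '%s\n' "$1" | awk '
    /krbtgt\// { in_tgt = 1; next }
    in_tgt && /Flags:/ { f = $0; sub(/.*Flags:[[:space:]]*/, "", f); sub(/[[:space:]]+$/, "", f); print f; exit }
    in_tgt && /^[^[:space:]]/ { in_tgt = 0 }   # next ticket began without a Flags line
  '
}

# delegation_status KLIST_OUTPUT: print one of
#   forwarded        TGT was delegated to this host (what the first hop should show)
#   forwardable      TGT can be delegated on the next ssh (what the workstation should show)
#   not-forwardable  TGT exists but cannot be delegated (kinit -f, or fix krb5.conf)
#   no-tgt           no krbtgt entry in the cache
# Exit status is 0 for the first two and 1 otherwise.
delegation_status() {
  flags=$(tgt_flags "$1")
  if [ -z "$flags" ]; then
    echo no-tgt
    return 1
  fi
  case "$flags" in
    *f*) echo forwarded ;;
    *F*) echo forwardable ;;
    *)   echo not-forwardable; return 1 ;;
  esac
}

# Demo on the constructed samples. On a real host run: delegation_status "$(klist -f)"
for s in "$SAMPLE_FIRST_HOP" "$SAMPLE_WORKSTATION" "$SAMPLE_NOT_FORWARDABLE" "$SAMPLE_NO_TGT"; do
  printf 'TGT flags [%s]: %s\n' "$(tgt_flags "$s")" "$(delegation_status "$s" || :)"
done
```

If `klist -f` on the first hop shows no cache at all after a GSSAPI login, delegation did not happen and the place to look is the originating client's configuration, as the reply above says; on an OpenSSH client (6.8 or later) `ssh -G host | grep -i gssapi` prints the effective GSSAPIAuthentication and GSSAPIDelegateCredentials values for that destination. The "No valid Key exchange context" line in the debug output above is expected: gssapi-keyex can only authenticate when the key exchange itself was GSSAPI, so with an ordinary DH or ECDH key exchange the client falls through to gssapi-with-mic, which still delegates the TGT.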