Re: [Freeipa-users] GSSAPI for second hop (SSH)
>>>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
>>>> connecting to Linux servers from their domain-joined workstations are
>>>> not required to enter a password for the first connection. However,
>>>> if they attempt to ssh to a second Linux machine from the first they
>>>> are being prompted for a password.
>>>>
>>>> I've tried the following /etc/ssh/ssh_config options:
>>>>
>>>> GSSAPIDelegateCredentials yes
>>>> GSSAPIKeyExchange yes
>>>> GSSAPIRenewalForcesRekey yes
>>>> GSSAPITrustDns yes
>>>>
>>>> And the following /etc/ssh/sshd_config options:
>>>>
>>>> GSSAPIAuthentication yes
>>>> GSSAPIKeyExchange yes
>>>> GSSAPIStoreCredentialsOnRekey yes
>>>>
>>>> Am I missing a step/configuration?
>>>
>>> They need to allow delegation on the machine where their first hop
>>> starts, not only on your jump server.
>>
>> Both the first hop and subsequent servers have those settings.
>
> I'm not talking about servers. It starts with the client machines.
> If server never got delegated credentials, how could it be a client that
> delegates them further? That original client has to allow delegation
> in the first place.

Do you know how I can validate that it is working (such as, will something show up in a klist)? I'm using PuTTY 0.67 as my Windows ssh client and have the "Allow GSSAPI credential delegation" box checked, but some quick Googling is suggesting that may not be enough.

Thanks for the insight.

j

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] GSSAPI for second hop (SSH)
On Fri, 03 Mar 2017, Jason B. Nance wrote:
>>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
>>> connecting to Linux servers from their domain-joined workstations are
>>> not required to enter a password for the first connection. However,
>>> if they attempt to ssh to a second Linux machine from the first they
>>> are being prompted for a password.
>>>
>>> I've tried the following /etc/ssh/ssh_config options:
>>>
>>> GSSAPIDelegateCredentials yes
>>> GSSAPIKeyExchange yes
>>> GSSAPIRenewalForcesRekey yes
>>> GSSAPITrustDns yes
>>>
>>> And the following /etc/ssh/sshd_config options:
>>>
>>> GSSAPIAuthentication yes
>>> GSSAPIKeyExchange yes
>>> GSSAPIStoreCredentialsOnRekey yes
>>>
>>> Am I missing a step/configuration?
>>
>> They need to allow delegation on the machine where their first hop
>> starts, not only on your jump server.
>
> Both the first hop and subsequent servers have those settings.

I'm not talking about servers. It starts with the client machines.
If server never got delegated credentials, how could it be a client that
delegates them further? That original client has to allow delegation
in the first place.

--
/ Alexander Bokovoy
Re: [Freeipa-users] GSSAPI for second hop (SSH)
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
>> connecting to Linux servers from their domain-joined workstations are
>> not required to enter a password for the first connection. However,
>> if they attempt to ssh to a second Linux machine from the first they
>> are being prompted for a password.
>
> What is the output if they klist on the first machine they SSH to?

[jna...@centric.com@sl1aosplmgt0001 ~]$ klist
Ticket cache: KEYRING:persistent:255985:krb_ccache_TuVdBrp
Default principal: jna...@centric.com

Valid starting       Expires              Service principal
03/03/2017 11:55:16  03/03/2017 21:47:34  krbtgt/ipa.gen.z...@centric.com
        renew until 03/04/2017 11:47:33
03/03/2017 11:47:34  03/03/2017 21:47:34  krbtgt/centric@centric.com
        renew until 03/04/2017 11:47:33

centric.com is the AD domain that ipa.gen.zone trusts.
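The klist output above was printed without -f, so it shows that a cross-realm TGT reached the first hop but not whether that TGT can be delegated again. As an added example that is not part of this thread, the POSIX shell helper below answers the earlier question about what to look for in klist: it parses `klist -f` output on the first-hop host and reports whether the TGT for a given realm carries the F (forwardable) and f (forwarded) flags. A credential that arrived by GSSAPI delegation shows up as a forwarded TGT; if it lacks F, OpenSSH cannot forward it to the second hop no matter what GSSAPIDelegateCredentials says. The principal and realm names in the embedded samples are constructed, the parser assumes MIT Kerberos klist -f formatting, and the `--live` switch is this example's own convention, not a klist or ssh option.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect `klist -f` output
# and report whether the TGT for a realm is forwardable (F) and/or forwarded (f).

# Constructed sample: `klist -f` on a first-hop Linux host after a GSSAPI login
# where the Windows client delegated a forwardable TGT. Names are made up.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:krb_ccache_abc123
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
03/03/2017 11:55:16  03/03/2017 21:47:34  krbtgt/IPA.EXAMPLE.NET@AD.EXAMPLE.COM
        renew until 03/04/2017 11:47:33, Flags: FfRA
03/03/2017 11:47:34  03/03/2017 21:47:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 03/04/2017 11:47:33, Flags: FfRA'

# Constructed sample: a TGT obtained locally without the forwardable flag
# (for instance `kinit -F`). It authenticates to the next host but cannot be
# delegated onward, so the second hop falls back to a password prompt.
SAMPLE_KLIST_NOFWD='Ticket cache: KEYRING:persistent:1000:krb_ccache_def456
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
03/03/2017 12:01:02  03/03/2017 22:01:02  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 03/04/2017 12:01:02, Flags: RA'

# tgt_flags <klist -f output> <realm>
# Prints the flag string of the krbtgt/<realm>@... entry, or nothing if absent.
# MIT klist prints the service principal as the last field of the ticket line
# and the flags as the last field of the following "renew until" line.
tgt_flags() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $NF ~ ("^krbtgt/" realm "@") { want = 1; next }
        want && /Flags:/            { sub(/.*Flags: */, ""); print; exit }
        { want = 0 }
    '
}

# can_delegate <klist -f output> <realm>
# Prints a one-line summary; exits 0 only if the TGT is forwardable (F),
# which is the precondition for ssh to delegate it to the next hop.
can_delegate() {
    flags=$(tgt_flags "$1" "$2")
    case "$flags" in
        *F*) forwardable=yes ;;
        *)   forwardable=no ;;
    esac
    case "$flags" in
        *f*) forwarded=yes ;;   # ticket itself arrived by delegation
        *)   forwarded=no ;;
    esac
    printf 'realm=%s flags=%s forwarded=%s forwardable=%s\n' \
        "$2" "${flags:-none}" "$forwarded" "$forwardable"
    [ "$forwardable" = yes ]
}

# Stand-alone use. `--live <REALM>` checks this host's real credential cache
# (this switch is the example's own convention); otherwise run on the samples.
if [ "${1:-}" = "--live" ]; then
    can_delegate "$(klist -f 2>/dev/null)" "${2:-AD.EXAMPLE.COM}"
else
    can_delegate "$SAMPLE_KLIST" AD.EXAMPLE.COM
    can_delegate "$SAMPLE_KLIST_NOFWD" AD.EXAMPLE.COM \
        || echo "second hop would prompt for a password: TGT is not forwardable"
fi
```

Run it as the logged-in user on the first hop with `--live` and the AD realm; `forwarded=yes forwardable=yes` means delegation from the workstation worked and the jump host holds something it can pass on, while `flags=none` means no TGT for that realm reached the host at all, which points back at the client-side delegation setting rather than at sshd.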
Re: [Freeipa-users] GSSAPI for second hop (SSH)
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
>> connecting to Linux servers from their domain-joined workstations are
>> not required to enter a password for the first connection. However,
>> if they attempt to ssh to a second Linux machine from the first they
>> are being prompted for a password.
>>
>> I've tried the following /etc/ssh/ssh_config options:
>>
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPIRenewalForcesRekey yes
>> GSSAPITrustDns yes
>>
>> And the following /etc/ssh/sshd_config options:
>>
>> GSSAPIAuthentication yes
>> GSSAPIKeyExchange yes
>> GSSAPIStoreCredentialsOnRekey yes
>>
>> Am I missing a step/configuration?
>
> They need to allow delegation on the machine where their first hop
> starts, not only on your jump server.

Both the first hop and subsequent servers have those settings.
Re: [Freeipa-users] GSSAPI for second hop (SSH)
"Jason B. Nance" writes:

> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
> connecting to Linux servers from their domain-joined workstations are
> not required to enter a password for the first connection. However,
> if they attempt to ssh to a second Linux machine from the first they
> are being prompted for a password.

What is the output if they klist on the first machine they SSH to?
Re: [Freeipa-users] GSSAPI for second hop (SSH)
On Fri, 03 Mar 2017, Jason B. Nance wrote:
> Hello,
>
> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
> connecting to Linux servers from their domain-joined workstations are
> not required to enter a password for the first connection. However,
> if they attempt to ssh to a second Linux machine from the first they
> are being prompted for a password.
>
> I've tried the following /etc/ssh/ssh_config options:
>
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPIRenewalForcesRekey yes
> GSSAPITrustDns yes
>
> And the following /etc/ssh/sshd_config options:
>
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPIStoreCredentialsOnRekey yes
>
> Am I missing a step/configuration?

They need to allow delegation on the machine where their first hop
starts, not only on your jump server.

--
/ Alexander Bokovoy
[Freeipa-users] GSSAPI for second hop (SSH)
Hello,

I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machine from the first they are being prompted for a password.

I've tried the following /etc/ssh/ssh_config options:

GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes

And the following /etc/ssh/sshd_config options:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

Am I missing a step/configuration?

Thanks,

j