Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
Linux servers from their domain-joined workstations are not required to enter a
password for the first connection.  However, if they attempt to ssh to a second
Linux machine from the first they are being prompted for a password.

I've tried the following /etc/ssh/ssh_config options:

GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes

And the following /etc/ssh/sshd_config options:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

Am I missing a step/configuration?
>>
>>> They need to allow delegation on the machine where their first hop
>>> starts, not only on your jump server.
>>
>> Both the first hop and subsequent servers have those settings.

> I'm not talking about servers. It starts with the client machines.
> If server never got delegated credentials, how could it be a client that
> delegates them further? That original client has to allow delegation
> in first place.

Do you know how I can validate that is working (such as, will something show up 
in a klist)?  I'm using PuTTY 0.67 as my Windows ssh client and have the "Allow 
GSSAPI credential delegation" box checked, but some quick Googling is 
suggesting that may not be enough.

Thanks for the insight.

j

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Alexander Bokovoy

On Fri, 03 Mar 2017, Jason B. Nance wrote:

>>> I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
>>> Linux servers from their domain-joined workstations are not required to enter a
>>> password for the first connection.  However, if they attempt to ssh to a second
>>> Linux machine from the first they are being prompted for a password.
>>>
>>> I've tried the following /etc/ssh/ssh_config options:
>>>
>>>    GSSAPIDelegateCredentials yes
>>>    GSSAPIKeyExchange yes
>>>    GSSAPIRenewalForcesRekey yes
>>>    GSSAPITrustDns yes
>>>
>>> And the following /etc/ssh/sshd_config options:
>>>
>>>    GSSAPIAuthentication yes
>>>    GSSAPIKeyExchange yes
>>>    GSSAPIStoreCredentialsOnRekey yes
>>>
>>> Am I missing a step/configuration?
>>
>> They need to allow delegation on the machine where their first hop
>> starts, not only on your jump server.
>
> Both the first hop and subsequent servers have those settings.

I'm not talking about servers. It starts with the client machines.
If server never got delegated credentials, how could it be a client that
delegates them further? That original client has to allow delegation
in first place.

--
/ Alexander Bokovoy



Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users
>> connecting to Linux servers from their domain-joined workstations are
>> not required to enter a password for the first connection.  However,
>> if they attempt to ssh to a second Linux machine from the first they
>> are being prompted for a password.
> 
> What is the output if they klist on the first machine they SSH to?

[jna...@centric.com@sl1aosplmgt0001 ~]$ klist
Ticket cache: KEYRING:persistent:255985:krb_ccache_TuVdBrp
Default principal: jna...@centric.com

Valid starting   Expires  Service principal
03/03/2017 11:55:16  03/03/2017 21:47:34  krbtgt/ipa.gen.z...@centric.com
renew until 03/04/2017 11:47:33
03/03/2017 11:47:34  03/03/2017 21:47:34  krbtgt/centric@centric.com
renew until 03/04/2017 11:47:33

centric.com is the AD domain that ipa.gen.zone trusts.
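The listing above was taken without flags, so it cannot show whether the TGT on the first hop was forwarded by the workstation or obtained with a password. The following is an added example, not code from the thread or from FreeIPA: it parses the text of MIT Kerberos `klist -f` and reports whether the krbtgt ticket for a realm carries the forwarded ('f') and forwardable ('F') flags, which is the check the earlier "will something show up in a klist" question asks for. The sample listing is constructed after the one above; the principal name and flag values are assumptions.

```python
import re

# Constructed sample in the shape of MIT `klist -f` on the first-hop host.
# Realms are the thread's; the principal name and flag values are assumed.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:255985:krb_ccache_TuVdBrp
Default principal: aduser@CENTRIC.COM

Valid starting       Expires              Service principal
03/03/2017 11:55:16  03/03/2017 21:47:34  krbtgt/IPA.GEN.ZONE@CENTRIC.COM
\trenew until 03/04/2017 11:47:33, Flags: FRA
03/03/2017 11:47:34  03/03/2017 21:47:34  krbtgt/CENTRIC.COM@CENTRIC.COM
\trenew until 03/04/2017 11:47:33, Flags: FfRA
"""

HEADERS = ("Ticket cache:", "Default principal:", "Valid starting")
# start time, expiry time, service principal (dates as in the thread's listing)
ENTRY_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<service>\S+)$")
FLAGS_RE = re.compile(r"Flags: (?P<flags>[A-Za-z]+)")


def parse_klist(text):
    """Map each service principal to its flag string ('' when klist ran without -f)."""
    tickets, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(HEADERS):
            continue
        if line[0] in "\t ":                  # continuation: renew until / Flags
            m = FLAGS_RE.search(line)
            if m and current:
                tickets[current] = m.group("flags")
        elif (m := ENTRY_RE.match(line)):
            current = m.group("service")
            tickets.setdefault(current, "")
    return tickets


def delegation_status(text, realm):
    """Classify the krbtgt/REALM@REALM ticket: 'missing', 'no-flags' (listing
    lacks Flags:, rerun with klist -f), 'not-delegated' ('f' absent: the
    first-hop client did not forward it), 'not-forwardable' ('F' absent: it
    cannot be delegated again) or 'ok' (forwarded and forwardable)."""
    flags = parse_klist(text).get(f"krbtgt/{realm}@{realm}")
    if flags is None:
        return "missing"
    if flags == "":
        return "no-flags"
    if "f" not in flags:
        return "not-delegated"
    return "ok" if "F" in flags else "not-forwardable"
```

On a jump host, feed it the real output (for example `klist -f` piped into a small wrapper that calls `delegation_status(sys.stdin.read(), "CENTRIC.COM")`); 'not-delegated' on the first hop means the workstation's ssh client never forwarded the TGT, which is the client-side delegation setting discussed in this thread.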



Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
>> Linux servers from their domain-joined workstations are not required to enter a
>> password for the first connection.  However, if they attempt to ssh to a second
>> Linux machine from the first they are being prompted for a password.
>>
>> I've tried the following /etc/ssh/ssh_config options:
>>
>> GSSAPIDelegateCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPIRenewalForcesRekey yes
>> GSSAPITrustDns yes
>>
>> And the following /etc/ssh/sshd_config options:
>>
>> GSSAPIAuthentication yes
>> GSSAPIKeyExchange yes
>> GSSAPIStoreCredentialsOnRekey yes
>>
>> Am I missing a step/configuration?

> They need to allow delegation on the machine where their first hop
> starts, not only on your jump server.

Both the first hop and subsequent servers have those settings.



Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Robbie Harwood
"Jason B. Nance" writes:

> I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users
> connecting to Linux servers from their domain-joined workstations are
> not required to enter a password for the first connection.  However,
> if they attempt to ssh to a second Linux machine from the first they
> are being prompted for a password.

What is the output if they klist on the first machine they SSH to?



Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Alexander Bokovoy

On Fri, 03 Mar 2017, Jason B. Nance wrote:

> Hello,
>
> I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
> Linux servers from their domain-joined workstations are not required to enter a
> password for the first connection.  However, if they attempt to ssh to a second
> Linux machine from the first they are being prompted for a password.
>
> I've tried the following /etc/ssh/ssh_config options:
>
>    GSSAPIDelegateCredentials yes
>    GSSAPIKeyExchange yes
>    GSSAPIRenewalForcesRekey yes
>    GSSAPITrustDns yes
>
> And the following /etc/ssh/sshd_config options:
>
>    GSSAPIAuthentication yes
>    GSSAPIKeyExchange yes
>    GSSAPIStoreCredentialsOnRekey yes
>
> Am I missing a step/configuration?

They need to allow delegation on the machine where their first hop
starts, not only on your jump server.

--
/ Alexander Bokovoy
