On 10/28/19 1:47 PM, James M. Pulver wrote:
I'm working with trying to use kerberos with our X2Go server from different OSs. We are running a Server 2016 Active Directory with the UNIX attributes. All computers are joined to this AD.On Windows 10, I can get GSSAPI to authenticate and let me log in without a password. However, I cannot then ssh to a different linux computer without doing a kinit. If I check "delegatation of GSSAPI Credentials to the server, I get various cp errors around files with "odd" characters, or unable to find the keyring. On other Scientific Linux 7 computers, I can't even get the Kerberos 5 authentication to work, it just gives me an error to login with my password. This does work with the first remote linux computer via ssh. I have tried enabling delegation in AD for the computer account of my primary jump host, no change I can see. So - why is X2Go different on Linux with regard to using Kerberos 5 auth when straight SSH works, and 2 has anyone figured out the windows equivalent to kinit -F for a user so they can do 2 hops?
x2goclient's "delegatation of GSSAPI Credentials" option is a hack involving copying kerberos ticket files that ceased being relevant long ago when kerberos moved away from storing tickets in files. For the Fedora/EPEL packages I patch it out because it just breaks things. It really just needs to die.
however, libssh should parse the user's ~/.ssh/config and system /etc/ssh/config file and honor any GSSAPI* options there including GSSAPIDelegateCredentials. Support for that should be present from libssh 0.6.0 on.
I would suggest running: x2goclient --debug from the command line to get more information -- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane [email protected] Boulder, CO 80301 https://www.nwra.com/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ x2go-user mailing list [email protected] https://lists.x2go.org/listinfo/x2go-user
