Bryan,
Thanks a ton! I am working on this now.
Informationally, I'll pass along that after reading your email last night where you
mentioned the client looking for a host/10.10.10.5@EXAMPLE.COM principal, I found that
logging onto the host and using ipa-join -h <IP address> created such an IP
address-based host principal on the KDC. So, the -h option will take an IP address as well
as a hostname (my guess is that it interprets whatever you give it as just a string and
that it doesn't really matter what you call it). This then allowed me to SSH to the
host via IP address in a passwordless manner (i.e. via my Kerberos ticket)!
However, setting up an IP address-based host principal for every interface in our network
is very burdensome. Getting SSH SSO working via proper configuration of Kerberos or SSH,
as you suggest, is definitely preferable.
So I made these changes:
* I removed the IP address-based principal from FreeIPA (i.e. from Kerberos)
* dna_canonicalize_hostname is set to true by default. Nonetheless, I explicitly set it to
true in /etc/krb5.conf on the host I'm trying to log into via passwordless SSH.
* Kerberos configuration parameter "rdns" also seems quite relevant. It defaults
to true, though we'd been explicitly setting it to false. So, I explicitly set it to
true.
* I rebooted the host
* I restarted the KDC
Having done all of this, I found that I could not perform passwordless ssh to the host in
question by IP address. I was prompted for a password.
BTW, while I'm at this point, do you by chance know what particular services, if any,
must be restarted after modifying /etc/krb5.conf? It's a pain to reboot for every
experiment just because I'm not sure if anything needs to be restarted...
I also found that the following did not do the trick:
ssh -o "GSSAPITrustDns=yes" 10.10.10.5
As far as the confirmation of the reverse pointer you'd requested, below is an actual
cut-and-paste from my command terminal, but I have necessarily sanitized the output. So,
even though it has things like "example.com" in it, it is an actual, real run of
dig to verify proper forward / reverse DNS resolution:
my-user@host-1.example.com$ dig +short -x 10.10.10.5
host-2.example.com.
my-user@host-1.example.com$ dig +short host-2.example.com
10.10.10.5
As to my SSH client configuration... My version of SSH (OpenSSH_6.6.1p1) does not have the
-G option. Do you by chance know how I can print out, at run time, the configuration
actually used?
So, still working on trying to find the right configuration to allow passwordless SSH via
IP address to work...
Thanks so much!
Dave
-----Original Message-----
From: Bryan Mesich [mailto:bryan.mesich@digikey.com]
Sent: Thursday, December 20, 2018 8:02 AM
To: FreeIPA users list
Cc: Theese, David C
Subject: Re: [Freeipa-users] Re: Single Sign On (SSO) SSH via IP Address
On Wed, Dec 19, 2018 at 09:41:49PM -0600, Bryan Mesich via FreeIPA-users wrote:
On Wed, Dec 19, 2018 at 09:18:35PM -0600, Bryan Mesich via
FreeIPA-users wrote:
[snip...]
I was able to reproduce the problem on my end. I forgot that Kerberos
can canonicalize host names. If I set "dns_canonicalize_hostname =
false" under the [libdefaults] section (in krb5.conf on client), I get
the same problem:
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/10.10.128.10@XX.XXXX.COM not found in Kerberos database
Try setting it to true and see what happens.
GSSAPITrustDns=yes in ssh_conf should also do the trick. You can decide
where you want the canonicalization to occur, ssh or krb5.
Bryan
Bryan
--
Bryan Mesich
Sr. System Administrator
DIGI-KEY ELECTRONICS
701 Brooks Ave. South
Thief River Falls, MN 56701 USA
bryan.mesich@digikey.com
218.681.8000 x6104
Powered by Linux 3.10.0-862.6.3.el7.x86_64
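As an added illustration of the canonicalization the thread is debugging (not code from either poster), this script models which host/ service principal an MIT Kerberos client will ask the KDC for under the dns_canonicalize_hostname and rdns settings discussed above, and checks the forward/reverse DNS round trip Dave verified with dig. DNS is replaced by a constructed lookup table so it runs offline; the realm EXAMPLE.COM and the names/addresses are the thread's sanitized values.

```python
# Added example, not from the thread: model MIT krb5 host-name canonicalization
# for service principals. DNS is a constructed in-memory table (offline).
import ipaddress

REALM = "EXAMPLE.COM"  # assumed realm, matching the thread's sanitized values

# Constructed forward (A) and reverse (PTR) records; they agree, as dig showed.
FORWARD = {"host-2.example.com": "10.10.10.5"}
REVERSE = {"10.10.10.5": "host-2.example.com"}


def lookup_forward(name):
    return FORWARD.get(name.rstrip(".").lower())


def lookup_reverse(ip):
    return REVERSE.get(ip)


def canonical_hostname(target, dns_canonicalize=True, rdns=True):
    """Host name krb5 puts in the host/ principal for ssh to `target`.

    With dns_canonicalize_hostname=false the name is used as typed
    (lowercased, trailing dot stripped) and rdns has no effect. Otherwise a
    forward lookup is done and, if rdns=true, the address is mapped back via
    PTR. An IP literal "resolves" to itself on the forward step, so only the
    reverse step can turn it into a real host name.
    """
    name = target.rstrip(".").lower()
    if not dns_canonicalize:
        return name
    try:
        ipaddress.ip_address(name)  # target given as an IP literal
        addr = name
    except ValueError:
        addr = lookup_forward(name)
        if addr is None:
            return name  # unresolvable: krb5 falls back to the literal name
    if rdns:
        rname = lookup_reverse(addr)
        if rname:
            return rname
    return name  # no PTR used: forward canonical name (here, the literal)


def host_principal(target, dns_canonicalize=True, rdns=True, realm=REALM):
    return f"host/{canonical_hostname(target, dns_canonicalize, rdns)}@{realm}"


def dns_consistent(name):
    """The forward/reverse round trip the thread verifies with dig."""
    addr = lookup_forward(name)
    return addr is not None and lookup_reverse(addr) == name.rstrip(".").lower()
```

With rdns disabled (or canonicalization off), an IP target yields host/10.10.10.5@EXAMPLE.COM, the exact principal the KDC reported missing in Bryan's debug output.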