Hello FreeIPA Community,
I am using FreeIPA version 4.4.0 on CentOS Linux 7.3.1611.
Via FreeIPA's use of Kerberos, I have no problem SSHing among hosts in a passwordless
manner (Single Sign On (SSO)) as long as I use their hostnames. Example relevant output
from the SSH client verbose mode is:
my-user@host-1.example.com$ ssh -v host-2.example.com
...
debug1: Authentication succeeded (gssapi-with-mic).
...
my-user@host-2.example.com$
However, if I try to SSH to the same host using its (fixed) IP address rather than its
hostname, SSO does not succeed as an authentication method, and the client falls back to
keyboard-interactive, prompting me for a password, as can be seen here:
my-user@host-1.example.com$ ssh -v 10.10.10.5
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/10.10.10.5@EXAMPLE.COM not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
We have in-house code that performs remote command execution via SSH. We've made sure
our code always uses hostnames to avoid this problem. (Being prompted for a password kills
the automation we're trying to achieve.)
We also use some external code (over which we have no control and are not permitted to
modify), and that code also performs remote command execution via SSH. Unfortunately,
however, it does so using an *IP address*, rather than a hostname, as a destination.
For this reason, we need FreeIPA's SSO SSH capability to work when SSHing to a host
via that host's IP address.
Is this possible and, if so, how would it be accomplished?
Thanks,
Dave
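
The failure quoted in the message above, turned into a check that automation can run over captured `ssh -v` output to tell "SSO succeeded" from "fell back to a password prompt" and to name the service principal the KDC could not find. This is an added example, not code from the original post or from FreeIPA; the function name `diagnose` is hypothetical and both sample transcripts are constructed from the output quoted in the message.

```python
import ipaddress
import re

# Constructed samples, rebuilt from the ssh -v output quoted in the message.
SAMPLE_IP = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/10.10.10.5@EXAMPLE.COM not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""
SAMPLE_NAME = "debug1: Authentication succeeded (gssapi-with-mic).\n"

NEXT = re.compile(r"^debug1: Next authentication method: (\S+)")
OK = re.compile(r"^debug1: Authentication succeeded \(([^)]+)\)")
MISSING = re.compile(r"^Server (\S+?)/(\S+?)@(\S+) not found in Kerberos database")

def is_ip(host):
    """True when the host part of a principal is an IP literal, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(log):
    """Summarise one ssh -v transcript: methods tried, outcome, missing principal."""
    result = {"tried": [], "succeeded": None, "missing_principal": None,
              "principal_is_ip": False, "sso_fallback": False}
    for line in log.splitlines():
        if m := NEXT.match(line):
            result["tried"].append(m.group(1))
        elif m := OK.match(line):
            result["succeeded"] = m.group(1)
        elif m := MISSING.match(line):
            result["missing_principal"] = "%s/%s@%s" % m.groups()
            result["principal_is_ip"] = is_ip(m.group(2))
    # Fallback: GSSAPI was attempted and an interactive method was tried after it.
    gss = [i for i, t in enumerate(result["tried"]) if t.startswith("gssapi")]
    interactive = {"password", "keyboard-interactive"}
    result["sso_fallback"] = bool(gss) and any(
        t in interactive for t in result["tried"][gss[-1] + 1:])
    return result

if __name__ == "__main__":
    for label, log in (("by IP", SAMPLE_IP), ("by hostname", SAMPLE_NAME)):
        print(label, diagnose(log))
```
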