On Thu, 06 Sep 2018, Ranbir via FreeIPA-users wrote:
On Thu, 2018-09-06 at 05:08 +0200, Jochen Hein via FreeIPA-users
> You used "ssh ipa01", right? And the host has been enrolled with
> I have in my ~/.ssh/config:
> CanonicalizeHostname always
> CanonicalDomains example.org
I can try that. But, it doesn't answer my question: why does GSSAPI
delegation work for some hosts and not others? I'm going to assume I
did something wrong, but I don't know what.
For example, I can ssh from my Fedora desktop to ipa01. I don't have to
use a password or an ssh key because my kerberos ticket allows me
access. Then, from ipa01, I can ssh to anything else in the freeipa
domain without a password or ssh key because GSSAPI delegation allows
I have some servers where I can login using kerberos tickets from my
Fedora desktop, but GSSAPI delegation fails.
I haven't been able to find a difference between them.
GSSAPI delegation is a client side thing. If you ssh-ed into a server
from a client that allowed GSSAPI delegation, now your server becomes a
client for the next leg. Does that client allow GSSAPI delegation in
Look at man page for ssh_client:
Forward (delegate) credentials to the server. The default is no.
Do you have
on all your servers in /etc/ssh/ssh_config?
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
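
The per-leg check described in the reply above, as an added example that is not part of the original thread: it classifies the effective OpenSSH client settings of each hop from `ssh -G <next-host>` output and names the first hop that would not forward the ticket. The hop names, the host `app01.example.org` and the sample output are constructed for illustration; `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` are the ssh_config options being read.

```shell
#!/bin/sh
# Added example (not from the thread): classify one hop's effective ssh
# client settings. Input on stdin is the output of `ssh -G <next-host>`
# run ON the hop being checked. Prints: delegates | auth-only | no-gssapi
gssapi_hop_status() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "gssapiauthentication"      { auth = val }
        key == "gssapidelegatecredentials" { deleg = val }
        END {
            # Keys are absent when the client was built without GSSAPI.
            if (auth != "yes")       print "no-gssapi"
            else if (deleg == "yes") print "delegates"
            else                     print "auth-only"
        }'
}

# Walk the hops in order and print the first one whose ssh client would
# not forward the ticket to the next leg; print "ok" if all of them do.
# Arguments: pairs of <hop-name> <file with that hop's `ssh -G` output>.
first_non_delegating_hop() {
    while [ "$#" -ge 2 ]; do
        st=$(gssapi_hop_status < "$2")
        if [ "$st" != "delegates" ]; then
            echo "$1:$st"
            return 0
        fi
        shift 2
    done
    echo "ok"
}

# Constructed sample data: trimmed `ssh -G` output for two hypothetical hops.
sample_dir=$(mktemp -d)
printf '%s\n' 'hostname app01.example.org' 'gssapiauthentication yes' \
    'gssapidelegatecredentials yes' > "$sample_dir/desktop"
printf '%s\n' 'hostname db01.example.org' 'gssapiauthentication yes' \
    'gssapidelegatecredentials no' > "$sample_dir/app01"

# desktop delegates to app01, but app01's own client config does not.
first_non_delegating_hop desktop "$sample_dir/desktop" app01 "$sample_dir/app01"
```

Run `ssh -G <next-host>` on each hop to capture real input. Where a hop needs delegation turned on, setting it inside a `Host *.example.org` block rather than `Host *` keeps the forwarded ticket away from servers outside the domain.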