I see that in /etc/ssh/ssh_config I have the above setting in both Fedora-19 and CentOS-6.4. In both cases ssh (openssh) tries and fails to use gssapi-with-mic authentication, with the message
=======================
Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
=======================
It then goes on to use publickey authentication, successfully.
As far as I can see, this is because openssh has overridden the default # GSSAPIAuthentication no with GSSAPIAuthentication yes
I've googled for this, and see that some people recommend reverting to the default No. But I assume openssh has some reason for making this change.
What would I do if I actually wanted to use GSSAPIAuthentication?
On 25.11.2013 15:10, Timothy Murphy wrote:
What would I do if I actually wanted to use GSSAPIAuthentication?
Install and configure FreeIPA on your network. That will let you manage SSH keys in an LDAP database and use Kerberos authentication. You can read more in FreeIPA's documentation.
Mateusz Marzantowicz
On Mon, Nov 25, 2013 at 8:10 AM, Timothy Murphy gayleard@eircom.net wrote:
I see that in /etc/ssh/ssh_config I have the above setting in both Fedora-19 and CentOS-6.4. In both cases ssh (openssh) tries and fails to use gssapi-with-mic authentication, with the message
=======================
Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
=======================
It then goes on to use publickey authentication, successfully.
Do you have a keytab installed on the machine you are trying to login to?
John
inode0 wrote:
I see that in /etc/ssh/ssh_config I have the above setting in both Fedora-19 and CentOS-6.4. In both cases ssh (openssh) tries and fails to use gssapi-with-mic authentication, with the message
=======================
Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
=======================
It then goes on to use publickey authentication, successfully.
Do you have a keytab installed on the machine you are trying to login to?
I don't. I didn't know about keytabs, and am reading http://itservices.stanford.edu/service/kerberos/keytabs to learn something about them.
At the moment I'm not clear what advantage keytabs have. I do not have to login after "ssh -Y ..." as I have appended id_rsa.pub to known_hosts in each direction.
On 26 November 2013 01:46, Timothy Murphy gayleard@eircom.net wrote:
At the moment I'm not clear what advantage keytabs have. I do not have to login after "ssh -Y ..." as I have appended id_rsa.pub to known_hosts in each direction.
Keytabs are like a file-based password that the machine uses to authenticate to the directory server in order to validate that the token you provide is indeed valid.
Without a proper kerberos infrastructure (keytabs on machines, PTR records in place, time consistent, etc etc) GSSAPI for SSH/HTTP/etc will not work.
James Hogarth wrote:
At the moment I'm not clear what advantage keytabs have. I do not have to login after "ssh -Y ..." as I have appended id_rsa.pub to known_hosts in each direction.
Keytabs are like a file-based password that the machine uses to authenticate to the directory server in order to validate that the token you provide is indeed valid.
Without a proper kerberos infrastructure (keytabs on machines, PTR records in place, time consistent, etc etc) GSSAPI for SSH/HTTP/etc will not work.
You have not said what advantage this would have.
As far as I can see, openssh changed the default setting (in /etc/ssh/ssh_config) to make GSSAPIAuthentication first choice. However, neither Fedora nor CentOS seem to have implemented the necessary steps to make this usable.
Would it be likely to cause any problems if one reverts to the default setting (GSSAPIAuthentication no)?
On Tue, Nov 26, 2013 at 6:51 AM, Timothy Murphy gayleard@eircom.net wrote:
James Hogarth wrote:
At the moment I'm not clear what advantage keytabs have. I do not have to login after "ssh -Y ..." as I have appended id_rsa.pub to known_hosts in each direction.
Keytabs are like a file-based password that the machine uses to authenticate to the directory server in order to validate that the token you provide is indeed valid.
Without a proper kerberos infrastructure (keytabs on machines, PTR records in place, time consistent, etc etc) GSSAPI for SSH/HTTP/etc will not work.
You have not said what advantage this would have.
The big advantage is that if you have a kerberos authentication system in place then ssh can use it in a natural way. If you don't have one then there is substantial cost to set one up.
As far as I can see, openssh changed the default setting (in /etc/ssh/ssh_config) to make GSSAPIAuthentication first choice. However, neither Fedora nor CentOS seem to have implemented the necessary steps to make this usable.
Would it be likely to cause any problems if one reverts to the default setting (GSSAPIAuthentication no)?
If you don't use kerberos or any other authentication system that supports GSSAPI then there is no reason to have GSSAPIAuthentication enabled. I don't see how it hurts anything to leave it enabled either though.
John
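A middle path between the two answers above (leave GSSAPIAuthentication on everywhere, or revert it to no) is to keep it only for hosts in a Kerberos realm, which depends on ssh_config's first-match rule. The script below is an added example, not from the thread: it builds two constructed ssh_config fragments (realm example.org is assumed) and a small awk model of how ssh(1) picks the effective GSSAPIAuthentication value, to show why block order matters.

```shell
#!/bin/sh
# Constructed ssh_config fragment (not from the thread): keep GSSAPI only for
# Kerberos-joined hosts; everything else goes straight to publickey.
CFG_GOOD="${TMPDIR:-/tmp}/gssapi_demo_good.$$"
cat > "$CFG_GOOD" <<'EOF'
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Host *
    GSSAPIAuthentication no
EOF

# Same options with the blocks swapped: the Host * line is reached first and
# wins, so the realm-specific "yes" is silently ignored.
CFG_BAD="${TMPDIR:-/tmp}/gssapi_demo_bad.$$"
cat > "$CFG_BAD" <<'EOF'
Host *
    GSSAPIAuthentication no

Host *.example.org
    GSSAPIAuthentication yes
EOF

# effective_gssapi HOST CONFIG -> prints yes|no
# Mimics ssh(1): options before any Host line apply everywhere, options in a
# matching Host block apply, and the FIRST value obtained is kept. Negated
# (!pattern) and Match blocks are not modelled. Default is "no" (upstream).
effective_gssapi() {
    awk -v host="$1" '
        function glob_match(pat, s,  re) {
            re = pat
            gsub(/\./, "\\\\.", re); gsub(/\*/, ".*", re); gsub(/\?/, ".", re)
            return s ~ ("^" re "$")
        }
        BEGIN { active = 1; found = "" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
            next
        }
        active && found == "" && tolower($1) == "gssapiauthentication" {
            found = tolower($2)
        }
        END { print (found == "" ? "no" : found) }
    ' "$2"
}

echo "good config, kdc.example.org: $(effective_gssapi kdc.example.org "$CFG_GOOD")"  # yes
echo "good config, github.com:      $(effective_gssapi github.com "$CFG_GOOD")"       # no
echo "bad  config, kdc.example.org: $(effective_gssapi kdc.example.org "$CFG_BAD")"   # no
```

With the realm block placed first, hosts outside the realm never attempt gssapi-with-mic, so the "No Kerberos credentials available" message disappears without touching the realm hosts' behaviour.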