On 10/28/19 1:47 PM, James M. Pulver wrote:
> I'm working with trying to use Kerberos with our X2Go server from different OSs. We are running a Server 2016 Active Directory with the UNIX attributes. All computers are joined to this AD.
> On Windows 10, I can get GSSAPI to authenticate and let me log in without a password. However, I cannot then ssh to a different Linux computer without doing a kinit.
> If I check "delegation of GSSAPI Credentials to the server", I get various cp errors around files with "odd" characters, or unable to find the keyring.
> On other Scientific Linux 7 computers, I can't even get the Kerberos 5 authentication to work, it just gives me an error to login with my password. This does work with the first remote Linux computer via ssh.
> I have tried enabling delegation in AD for the computer account of my primary jump host, no change I can see.
> So - why is X2Go different on Linux with regard to using Kerberos 5 auth when straight SSH works, and 2) has anyone figured out the Windows equivalent to kinit -F for a user so they can do 2 hops?
x2goclient's "delegation of GSSAPI Credentials" option is a hack involving copying Kerberos ticket files that ceased being relevant long ago when Kerberos moved away from storing tickets in files. For the Fedora/EPEL packages I patch it out because it just breaks things. It really just needs to die.
However, libssh should parse the user's ~/.ssh/config and system /etc/ssh/config file and honor any GSSAPI* options there including GSSAPIDelegateCredentials. Support for that should be present from libssh 0.6.0 on.
I would suggest running:

    x2goclient --debug

from the command line to get more information.
--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
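
An added example, not part of the original thread: GSSAPIDelegateCredentials hands the user's ticket to the remote host, so it is worth confirming that the ~/.ssh/config mentioned in the reply enables it only for the jump host and not for a wildcard pattern. The function name, status labels and host names below are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): report, per Host/Match block of an
# ssh_config-style file, whether GSSAPI delegation is switched on.
# Limitation: blocks are inspected one by one; OpenSSH's "first value
# obtained wins" merging across blocks is not modelled.
gssapi_delegation_audit() {   # $1: config file, e.g. ~/.ssh/config
    awk '
    function emit() {
        if (!seen) return
        status = "ok"
        if (deleg == "yes" && auth != "yes") status = "AUTH_NOT_SET_HERE"
        if (deleg == "yes" && scope ~ /[*?]/) status = "BROAD_DELEGATION"
        printf "%s|auth=%s|delegate=%s|%s\n", scope, auth, deleg, status
    }
    BEGIN { scope = "* (global)"; auth = "unset"; deleg = "unset" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (!match(line, /^[A-Za-z]+/)) next
        key = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)           # "Key value" or "Key=value"
        if (key == "host" || key == "match") {
            emit()
            scope = val; auth = "unset"; deleg = "unset"; seen = 1
        } else if (key == "gssapiauthentication") {
            auth = tolower(val); seen = 1
        } else if (key == "gssapidelegatecredentials") {
            deleg = tolower(val); seen = 1
        }
    }
    END { emit() }
    ' "$1"
}

# Constructed sample: jump.example.org and the patterns are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host jump.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *.example.org
    GSSAPIAuthentication=yes
    gssapidelegatecredentials = yes
Host legacy
    GSSAPIDelegateCredentials yes
EOF
gssapi_delegation_audit "$sample"
rm -f "$sample"
```

A block reported as BROAD_DELEGATION forwards credentials to every host the pattern matches; AUTH_NOT_SET_HERE only means GSSAPIAuthentication is not set in that same block.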