I'm working with trying to use kerberos with our X2Go server from different OSs. We are running a Server 2016 Active Directory with the UNIX attributes. All computers are joined to this AD.
On Windows 10, I can get GSSAPI to authenticate and let me log in without a password. However, I cannot then ssh to a different linux computer without doing a kinit.
If I check "delegation of GSSAPI Credentials to the server", I get various cp errors around files with "odd" characters, or unable to find the keyring.
On other Scientific Linux 7 computers, I can't even get the Kerberos 5 authentication to work; it just gives me an error to log in with my password. This does work with the first remote linux computer via ssh.
I have tried enabling delegation in AD for the computer account of my primary jump host, no change I can see.
So - (1) why is X2Go different on Linux with regard to using Kerberos 5 auth when straight SSH works, and (2) has anyone figured out the windows equivalent to kinit -F for a user so they can do 2 hops?
--
James Pulver
CLASSE Computer Group
Cornell University
On Mon, Oct 28, 2019 at 8:47 PM James M. Pulver <jmp242@cornell.edu> wrote:
> I'm working with trying to use kerberos with our X2Go server from different OSs. We are running a Server 2016 Active Directory with the UNIX attributes. All computers are joined to this AD.
> On Windows 10, I can get GSSAPI to authenticate and let me log in without a password. However, I cannot then ssh to a different linux computer without doing a kinit.
So klist is not reporting any tickets, right? Please provide the output of klist -f.
> If I check "delegation of GSSAPI Credentials to the server", I get various cp errors around files with "odd" characters, or unable to find the keyring.
Please provide more details. Do you see these errors on the Linux server or elsewhere? Please try to post them here.
> On other Scientific Linux 7 computers, I can't even get the Kerberos 5 authentication to work; it just gives me an error to log in with my password. This does work with the first remote linux computer via ssh.
Well, x2go is using libssh. Maybe the libssh of Scientific Linux is too old. Unfortunately I do not know what version is required for this to work. Can you try with a newer version?
> I have tried enabling delegation in AD for the computer account of my primary jump host, no change I can see.
> So - (1) why is X2Go different on Linux with regard to using Kerberos 5 auth when straight SSH works, and (2) has anyone figured out the windows equivalent to kinit -F for a user so they can do 2 hops?
As I wrote above, X2go is not using openssh but libssh. I would love to have x2go use openssh.
Regarding kinit -f (-F is _suppressing_ forwarding!) I have no idea how to do that on windows. AFAIR kinit is not provided at all.
Uli
On 10/28/19 1:47 PM, James M. Pulver wrote:
> I'm working with trying to use kerberos with our X2Go server from different OSs. We are running a Server 2016 Active Directory with the UNIX attributes. All computers are joined to this AD.
> On Windows 10, I can get GSSAPI to authenticate and let me log in without a password. However, I cannot then ssh to a different linux computer without doing a kinit.
> If I check "delegation of GSSAPI Credentials to the server", I get various cp errors around files with "odd" characters, or unable to find the keyring.
> On other Scientific Linux 7 computers, I can't even get the Kerberos 5 authentication to work; it just gives me an error to log in with my password. This does work with the first remote linux computer via ssh.
> I have tried enabling delegation in AD for the computer account of my primary jump host, no change I can see.
> So - (1) why is X2Go different on Linux with regard to using Kerberos 5 auth when straight SSH works, and (2) has anyone figured out the windows equivalent to kinit -F for a user so they can do 2 hops?
x2goclient's "delegation of GSSAPI Credentials" option is a hack involving copying kerberos ticket files that ceased being relevant long ago when kerberos moved away from storing tickets in files. For the Fedora/EPEL packages I patch it out because it just breaks things. It really just needs to die.
However, libssh should parse the user's ~/.ssh/config and system /etc/ssh/config file and honor any GSSAPI* options there including GSSAPIDelegateCredentials. Support for that should be present from libssh 0.6.0 on.
I would suggest running:
x2goclient --debug
from the command line to get more information
--
Orion Poplawski
Manager of NWRA Technical Systems
NWRA, Boulder/CoRA Office
3380 Mitchell Lane
Boulder, CO 80301
720-772-5637
FAX: 303-415-9702
orion@nwra.com
https://www.nwra.com/
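Tying Uli's point (the TGT must be forwardable, i.e. obtained with kinit -f, not -F) to Orion's (libssh reads the GSSAPI* options from ~/.ssh/config), here is an added Linux-side check that is not from the thread or from the X2Go project: it parses `klist -f` output for the F flag on the krbtgt entry and prints the per-host client config that requests delegation only to the jump host. The klist output, principal and host name jump.example.com are constructed samples.

```bash
#!/bin/sh
# Added example, not part of the original thread. Checks whether the local TGT is
# forwardable before expecting GSSAPIDelegateCredentials to do anything.

# Constructed sample of MIT `klist -f` output; a real run would use "$(klist -f)".
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: jsmith@EXAMPLE.COM

Valid starting       Expires              Service principal
10/28/2019 13:47:01  10/28/2019 23:47:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/04/2019 13:47:01, Flags: FRIA'

# Exit 0 when the krbtgt entry's Flags field contains F (forwardable), else 1.
# Flags are on the continuation line that follows the krbtgt line.
tgt_is_forwardable() {
  printf '%s\n' "$1" | awk '
    /krbtgt\// { in_tgt = 1; next }
    in_tgt && /Flags:/ {
      split($0, parts, "Flags: ")
      if (index(parts[2], "F") > 0) found = 1
      in_tgt = 0
    }
    END { if (found) exit 0; exit 1 }'
}

# Print a ~/.ssh/config stanza (same syntax for OpenSSH and libssh >= 0.6.0)
# that enables GSSAPI authentication and delegation for one jump host only,
# rather than globally. Host name is a constructed placeholder.
ssh_config_for_jump_host() {
  cat <<EOF
Host $1
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

if tgt_is_forwardable "$SAMPLE_KLIST"; then
  echo "TGT is forwardable; delegation can work with this client config:"
  ssh_config_for_jump_host jump.example.com
else
  echo "TGT is not forwardable: run 'kinit -f' (not -F) before expecting delegation"
fi
```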