[X2Go-User] Forwardable GSSAPI / Kerberos from X2Go
Orion Poplawski
orion at nwra.com
Tue Oct 29 03:04:33 CET 2019
On 10/28/19 1:47 PM, James M. Pulver wrote:
> I'm working with trying to use Kerberos with our X2Go server from
> different OSs. We are running a Server 2016 Active Directory with the
> UNIX attributes. All computers are joined to this AD.
>
> On Windows 10, I can get GSSAPI to authenticate and let me log in
> without a password. However, I cannot then ssh to a different Linux
> computer without doing a kinit.
>
> If I check "delegation of GSSAPI Credentials to the server", I get
> various cp errors around files with "odd" characters, or unable to find
> the keyring.
>
> On other Scientific Linux 7 computers, I can't even get the Kerberos 5
> authentication to work, it just gives me an error to login with my
> password. This does work with the first remote Linux computer via ssh.
>
> I have tried enabling delegation in AD for the computer account of my
> primary jump host, no change I can see.
>
> So - why is X2Go different on Linux with regard to using Kerberos 5 auth
> when straight SSH works, and 2 has anyone figured out the Windows
> equivalent to kinit -F for a user so they can do 2 hops?
>
x2goclient's "delegation of GSSAPI Credentials" option is a hack
involving copying Kerberos ticket files that ceased being relevant long
ago when Kerberos moved away from storing tickets in files. For the
Fedora/EPEL packages I patch it out because it just breaks things. It
really just needs to die.

However, libssh should parse the user's ~/.ssh/config and system
/etc/ssh/config file and honor any GSSAPI* options there including
GSSAPIDelegateCredentials. Support for that should be present from
libssh 0.6.0 on.

I would suggest running:

    x2goclient --debug

from the command line to get more information.

--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
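
An added example (not part of the original message, and not X2Go or libssh code): a small Python resolver that shows which GSSAPI* options a ~/.ssh/config yields for a given host under the ssh_config(5) first-value-wins rule, so that GSSAPIDelegateCredentials can be confined to the jump host. The host names and the sample config are constructed, Match blocks are not evaluated, and libssh's parser is assumed to resolve these options the same way.

```python
import fnmatch

# Constructed sample ~/.ssh/config; host names are placeholders.
SAMPLE_CONFIG = """\
Host jump.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.example.org !untrusted.example.org
    GSSAPIAuthentication yes

Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
"""

def host_matches(patterns, host):
    """ssh_config(5) Host rule: a negated match vetoes, else any positive match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_gssapi(config_text, host):
    """Return the GSSAPI* options that apply to host (first value wins)."""
    active = True          # options before any Host line apply to every host
    result = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Key value" and "Key=value" forms.
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # assumption: Match blocks are not evaluated here
        elif active and key.startswith("gssapi"):
            result.setdefault(key, value.lower())
    return result
```

With this layout the ticket is forwarded only to jump.example.org; every other host, including those that still accept GSSAPI authentication, resolves to GSSAPIDelegateCredentials no.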