[X2Go-User] Forwardable GSSAPI / Kerberos from X2Go

Orion Poplawski orion at nwra.com
Tue Oct 29 03:04:33 CET 2019 

On 10/28/19 1:47 PM, James M. Pulver wrote:
> I'm working with trying to use kerberos with our X2Go server from
> different OSs. We are running a Server 2016 Active Directory with the
> UNIX attributes. All computers are joined to this AD.
> 
> On Windows 10, I can get GSSAPI to authenticate and let me log in
> without a password. However, I cannot then ssh to a different linux
> computer without doing a kinit.
> 
> If I check "delegatation of GSSAPI Credentials to the server, I get
> various cp errors around files with "odd" characters, or unable to find
> the keyring.
> 
> On other Scientific Linux 7 computers, I can't even get the Kerberos 5
> authentication to work, it just gives me an error to login with my
> password. This does work with the first remote linux computer via ssh.
> 
> I have tried enabling delegation in AD for the computer account of my
> primary jump host, no change I can see.
> 
> So - why is X2Go different on Linux with regard to using Kerberos 5 auth
> when straight SSH works, and 2 has anyone figured out the windows
> equivalent to kinit -F for a user so they can do 2 hops?
> 

x2goclient's "delegatation of GSSAPI Credentials" option is a hack 
involving copying kerberos ticket files that ceased being relevant long 
ago when kerberos moved away from storing tickets in files.  For the 
Fedora/EPEL packages I patch it out because it just breaks things.  It 
really just needs to die.

however, libssh should parse the user's ~/.ssh/config and system 
/etc/ssh/config file and honor any GSSAPI* options there including 
GSSAPIDelegateCredentials.  Support for that should be present from 
libssh 0.6.0 on.

I would suggest running:

x2goclient --debug

from the command line to get more information

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3799 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.x2go.org/pipermail/x2go-user/attachments/20191028/34597022/attachment-0001.bin>

More information about the x2go-user mailing list