Bryan,

Thanks a ton! I am working on this now.

Informationally, I'll pass along that after reading your email last night where 
you mentioned the client looking for a host/10.10.1...@example.com principal, I 
found that logging onto the host and using ipa-join -h <IP address> created 
such an IP address-based host principal on the KDC. So, the -h option will take 
an IP address as well as a hostname (my guess is that it interprets whatever 
you give it as just a string and that it doesn't really matter what you call 
it). This then allowed me to SSH to the host via IP address in a passwordless 
manner (i.e. via my Kerberos ticket)!

However, setting up an IP address-based host principal for every interface in 
our network is very burdensome. Getting SSH SSO working via proper 
configuration of Kerberos or SSH, as you suggest, is definitely preferable.

So I made these changes:

* I removed the IP address-based principal from FreeIPA (i.e. from Kerberos)
* dns_canonicalize_hostname is set to true by default. Nonetheless, I 
explicitly set it to true in /etc/krb5.conf on the host I'm trying to log into 
via passwordless SSH.
* Kerberos configuration parameter "rdns" also seems quite relevant. It 
defaults to true, though we'd been explicitly setting it to false. So, I 
explicitly set it to true.
* I rebooted the host
* I restarted the KDC

Having done all of this, I found that I could not perform passwordless ssh to 
the host in question by IP address. I was prompted for a password.

BTW, while I'm at this point, do you by chance know what particular services, 
if any, must be restarted after modifying /etc/krb5.conf? It's a pain to 
reboot for every experiment just because I'm not sure if anything needs to be 
restarted...

I also found that the following did not do the trick:
ssh -o "GSSAPITrustDns=yes" 10.10.10.5

As far as the confirmation of the reverse pointer you'd requested, below is an 
actual cut-and-paste from my command terminal, but I have necessarily sanitized 
the output. So, even though it has things like "example.com" in it, it is an 
actual, real run of dig to verify proper forward / reverse DNS resolution:

my-u...@host-1.example.com$ dig +short -x 10.10.10.5
host-2.example.com.
my-u...@host-1.example.com$ dig +short host-2.example.com
10.10.10.5

As to my SSH client configuration... My version of SSH (OpenSSH_6.6.1p1) does 
not have the -G option. Do you by chance know how I can print out, at run time, 
the configuration actually used?

So, still working on trying to find the right configuration to allow 
passwordless SSH via IP address to work...

Thanks so much!

Dave

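As an added illustration (not code from this thread, FreeIPA or MIT krb5), the following Python models how the two krb5.conf settings discussed above, dns_canonicalize_hostname and rdns, change the host/ principal the client requests when the SSH target is an IP literal, and encodes the dig -x / dig forward pair as a consistency check. The zone table, realm and function names are constructed assumptions; the live_* resolvers use the system resolver when no table is passed.

```python
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample zone mirroring the dig output in the thread (assumption).
SAMPLE_FORWARD: Dict[str, List[str]] = {"host-2.example.com": ["10.10.10.5"]}
SAMPLE_REVERSE: Dict[str, str] = {"10.10.10.5": "host-2.example.com"}

def sample_forward(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name.rstrip(".").lower(), [])

def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_REVERSE.get(ip)

def live_forward(name: str) -> List[str]:  # real resolver: IPv4 A records
    return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]

def live_reverse(ip: str) -> Optional[str]:  # real resolver: PTR name or None
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def predict_principal(target: str, realm: str, dns_canonicalize: bool = True,
                      rdns: bool = True, forward=live_forward, reverse=live_reverse) -> str:
    # host/ principal GSSAPI will ask the KDC for. Modelled on the documented
    # meaning of dns_canonicalize_hostname and rdns (assumption; confirm on a
    # real client with KRB5_TRACE=/dev/stderr ssh -v <target>).
    host = target.rstrip(".").lower()
    if dns_canonicalize:
        try:
            ipaddress.ip_address(host)
            addrs = [host]            # IP literal: nothing to look up forward
        except ValueError:
            addrs = forward(host)
        if rdns and addrs:            # rdns=false keeps the IP literal as the name
            ptr = reverse(addrs[0])
            if ptr:
                host = ptr.rstrip(".").lower()
    return f"host/{host}@{realm}"

def check_dns_pair(ip: str, forward=live_forward, reverse=live_reverse) -> Tuple[bool, str]:
    # The dig -x / dig pair from the thread: the PTR name must resolve back to ip.
    ptr = reverse(ip)
    if not ptr:
        return False, f"no PTR record for {ip}"
    if ip not in forward(ptr):
        return False, f"PTR {ptr} does not resolve back to {ip}"
    return True, ptr
```

With rdns=false the model yields host/10.10.10.5@REALM, which is the IP-based principal the KDC was being asked for; with rdns=true and a consistent PTR it yields host/host-2.example.com@REALM.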

-----Original Message-----
From: Bryan Mesich [mailto:bryan.mes...@digikey.com] 
Sent: Thursday, December 20, 2018 8:02 AM
To: FreeIPA users list
Cc: Theese, David C
Subject: Re: [Freeipa-users] Re: Single Sign On (SSO) SSH via IP Address

On Wed, Dec 19, 2018 at 09:41:49PM -0600, Bryan Mesich via FreeIPA-users wrote:
> On Wed, Dec 19, 2018 at 09:18:35PM -0600, Bryan Mesich via FreeIPA-users 
> wrote:

[snip...]

> I was able to reproduce the problem on my end.  I forgot that Kerberos
> can canonicalize host names.  If I set "dns_canonicalize_hostname =
> false" under the [libdefaults] section (in krb5.conf on client), I get
> the same problem:
> 
> debug1: Unspecified GSS failure.  Minor code may provide more
> information Server host/10.10.128...@xx.xxxx.com not found in Kerberos 
> database
> 
> Try setting it to true and see what happens.

GSSAPITrustDns=yes in ssh_conf should also do the trick.  You can decide
where you want the canonicalization to occur, ssh or krb5.

Bryan

> 
> Bryan
-- 
Bryan Mesich
Sr. System Administrator
DIGI-KEY ELECTRONICS
701 Brooks Ave. South
Thief River Falls, MN 56701 USA
bryan.mes...@digikey.com
218.681.8000 x6104

Powered by Linux 3.10.0-862.6.3.el7.x86_64
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
