

Getting asked for password when using host shortname with kerberos delegation

When you ssh into a host using the server's short name, you get challenged or asked for a password.  You need to set the following:

  • First item to set is the following, in /etc/krb5.conf:

dns_canonicalize_hostname = true

It will then stop asking for a password.  Using the server's FQDN works without issues either way.

  • Second item to set is to also ensure your sshd_config contains the following lines (this may or may not work, however, as I haven't tested all the configuration options):

KerberosAuthentication yes
ChallengeResponseAuthentication yes

  • The other important item to check and set is that /etc/resolv.conf and the ifcfg-eth0 interface file are properly configured.  After configuring the items above, this is what finally got passwordless single sign-on authentication to work.  (DOMAIN is reported to work on certain Linux versions and SEARCH on others; it doesn't hurt to set both.  In either case the order is important: mds.xyz before nix.mds.xyz.)

[root@cm-r01en02 ssh]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 192.168.0.44
nameserver 192.168.0.45
search mds.xyz nix.mds.xyz

[root@cm-r01en02 ssh]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
NAME=eth0
BOOTPROTO=static
PEERDNS=no
UUID=62904293-0bde-4ea9-b4a1-6a65191663f3
ONBOOT=yes
IPADDR=192.168.0.133
NETMASK="255.255.255.0"
GATEWAY="192.168.0.1"
USERCTL=no
NM_CONTROLLED=no
HOSTNAME=cm-r01en02.nix.mds.xyz
DOMAIN="mds.xyz nix.mds.xyz"
SEARCH="mds.xyz nix.mds.xyz"
DNS1=192.168.0.44
DNS2=192.168.0.45
DNS3=192.168.0.224

[root@cm-r01en02 ssh]#

My entire sshd_config file had the following set:

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KerberosAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UsePAM yes
X11Forwarding yes

Note that PEERDNS is set to no.  This is important, or your config will be overwritten on reboot or network restart.  If you can't set it to no for some other reason, simply change the immutable bit on /etc/resolv.conf using chattr -i /etc/resolv.conf .
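To make the failure concrete, here is an added example of my own (not code from the post or from MIT Kerberos) that models, in simplified form, how the client derives the host/ service principal from what you type after ssh: with dns_canonicalize_hostname the resolver's search list expands the short name to the FQDN the KDC has a key for, while without it the client asks for host/ipaclient01@REALM, which the KDC does not know, so GSSAPI fails and sshd falls back to a password prompt.  The krb5.conf and resolv.conf text, the FAKE_DNS table, the realm NIX.MDS.XYZ and the KDC principal set are constructed assumptions; because this expansion trusts DNS, keep the nameservers in resolv.conf pointing at your own IPA servers, as the ifcfg-eth0 above does.

```python
# Constructed inputs modelled on the files shown in the post
KRB5_CONF = "[libdefaults]\n default_realm = NIX.MDS.XYZ\n dns_canonicalize_hostname = true\n"
RESOLV_CONF = "nameserver 192.168.0.44\nnameserver 192.168.0.45\nsearch mds.xyz nix.mds.xyz\n"
REALM = "NIX.MDS.XYZ"
FAKE_DNS = {"ipaclient01.nix.mds.xyz", "cm-r01en02.nix.mds.xyz"}  # names that resolve (constructed)
KDC_PRINCIPALS = {"host/ipaclient01.nix.mds.xyz@NIX.MDS.XYZ"}     # keys the KDC holds (constructed)


def krb5_dns_canonicalize(krb5_conf):
    """Read [libdefaults] dns_canonicalize_hostname; MIT's compiled-in default is true."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "dns_canonicalize_hostname":
                return val.strip().lower() in ("true", "yes", "1")
    return True


def search_domains(resolv_conf):
    """Search list from resolv.conf ('search', or the older 'domain' keyword)."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            return parts[1:]
    return []


def resolve(name, search, dns):
    """Resolver-style expansion: the first search domain that resolves wins, so order matters."""
    if name in dns:
        return name
    for dom in search:
        if f"{name}.{dom}" in dns:
            return f"{name}.{dom}"
    return None


def host_principal(target, krb5_conf=KRB5_CONF, resolv_conf=RESOLV_CONF, dns=FAKE_DNS):
    """Service principal the client asks the KDC for when you run 'ssh <target>'."""
    if krb5_dns_canonicalize(krb5_conf):
        target = resolve(target, search_domains(resolv_conf), dns) or target
    return f"host/{target}@{REALM}"


def ssh_auth_method(target, **kw):
    """'gssapi' if the KDC can issue a ticket for that principal, else sshd falls back to a password."""
    return "gssapi" if host_principal(target, **kw) in KDC_PRINCIPALS else "password"
```

Switching the constructed krb5.conf to dns_canonicalize_hostname = false, or dropping the search line from resolv.conf, is enough to turn the short-name login back into a password prompt.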

Still doesn't work?  You just might need a little bit of patience now:

-sh-4.2$ ssh ipaclient01 -vvvv
debug1: Unspecified GSS failure.  Minor code may provide more information
Clock skew too great

debug3: send packet: type 50

This means your NTP daemon hasn't synced the clock yet.  Give it some time, then try again.

Good luck!

Cheers,
TK

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License