Specifying GSSAPI settings
- Subject: Specifying GSSAPI settings
- From: James Wrigley <james@xxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Sat, 9 Mar 2024 01:54:51 +0100
- To: Libssh mailing list <libssh@xxxxxxxxxx>

Hi there,

I'm writing a program that needs to access a remote host through two jump hosts. The way I'm doing that is by connecting to each hop in the chain, creating a direct forwarding channel to port 22 of the next hop, and then connecting to the forwarded port for the next hop. My problem is that I want to use GSSAPI authentication for each hop, but that breaks on the forwarded ports.

At first when I called userauth_gssapi() I got this in the logs:

    [2024/03/09 01:03:27.614606, 1] ssh_gssapi_log_error: GSSAPI(Initializing gssapi context): Unspecified GSS failure. Minor code may provide more information - Configuration file does not specify default realm

After setting a default realm in my krb5.conf I get:

    [2024/03/09 01:46:56.109448, 1] ssh_gssapi_log_error: GSSAPI(Initializing gssapi context): Unspecified GSS failure. Minor code may provide more information - Server not found in Kerberos database

Then I tried ssh'ing on the forwarded port using OpenSSH and got GSSAPI auth working by passing `-o GSSAPIServerIdentity=...`.

So my question is, how can I specify the realm and server identity with libssh? Ideally the program wouldn't require the user to modify their krb5.conf or have to fall back to another auth method like password auth. This works OOTB with OpenSSH and ProxyJumps, so I assume OpenSSH uses the realm and server identity of the jump hosts when connecting to their forwarded port.

Thanks,
James