Re: Specifying GSSAPI settings
- Subject: Re: Specifying GSSAPI settings
- From: James Wrigley <james@xxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Sat, 9 Mar 2024 23:00:00 +0100
- To: Libssh mailing list <libssh@xxxxxxxxxx>
After a bit more digging I realized that the only necessary thing is to set the server identity because the realm can be obtained from that. From looking at the code I think that should be done in ssh_gssapi_auth_mic(), but I figured out a hack to get around it 😅 If you set the host option to the real hostname after connecting, ssh_gssapi_auth_mic() will just use that in its call to gss_import_name() and GSSAPI auth works as usual. Not sure how kosher that is...

On Sat, Mar 9, 2024, 1:54 AM James Wrigley <james@xxxxxxxxxxxxxx> wrote:

> Hi there,
>
> I'm writing a program that needs to access a remote host through two jump hosts. The way I'm doing that is by connecting to each hop in the chain, creating a direct forwarding channel to port 22 of the next hop, and then connecting to the forwarded port for the next hop.
>
> My problem is that I want to use GSSAPI authentication for each hop, but that breaks on the forwarded ports. At first when I called userauth_gssapi() I got this in the logs:
>
> [2024/03/09 01:03:27.614606, 1] ssh_gssapi_log_error: GSSAPI(Initializing gssapi context): Unspecified GSS failure. Minor code may provide more information - Configuration file does not specify default realm
>
> After setting a default realm in my krb5.conf I get:
>
> [2024/03/09 01:46:56.109448, 1] ssh_gssapi_log_error: GSSAPI(Initializing gssapi context): Unspecified GSS failure. Minor code may provide more information - Server not found in Kerberos database
>
> Then I tried ssh'ing on the forwarded port using OpenSSH and got GSSAPI auth working by passing `-o GSSAPIServerIdentity=...`.
>
> So my question is, how can I specify the realm and server identity with libssh? Ideally the program wouldn't require the user to modify their krb5.conf or have to fall back to another auth method like password auth.
>
> This works OOTB with OpenSSH and ProxyJump, so I assume OpenSSH uses the realm and server identity of the jump hosts when connecting to their forwarded port.
>
> Thanks,
> James