
Re: Specifying GSSAPI settings


Hi,
thank you for the question! Unfortunately the GSSAPI code in libssh is
not very well tested so if you are interested in changing that, we
could use some help:
https://gitlab.com/libssh/libssh-mirror/-/issues/191

We are working on the implementation of proxyjump using libssh in
https://gitlab.com/libssh/libssh-mirror/-/merge_requests/459 (it will
likely need some more work though) so I assume you took a similar
approach for doing this just with the public API for the port
forwarding, which has the disadvantage that you need to allocate the
port numbers locally instead of keeping the socket inside of your
application. In any case, feedback here would be hugely appreciated as
this sounds very similar to what you are working on for a real-world
use case.

I think this is a limitation of the forwarding as there is no simple
way to derive the hostname from the locally forwarded port so it needs
to be managed manually for now. I think a cleaner way might be using
`SSH_OPTIONS_GSSAPI_SERVER_IDENTITY` similar to the OpenSSH
configuration option.

Jakub


On Sat, Mar 9, 2024 at 11:08 PM James Wrigley <james@xxxxxxxxxxxxxx> wrote:
>
> After a bit more digging I realized that the only necessary thing is to set the server identity because the realm can be obtained from that. From looking at the code I think that should be done in ssh_gssapi_auth_mic(), but I figured out a hack to get around it 😅 If you set the host option to the real hostname after connecting, ssh_gssapi_auth_mic() will just use that in its call to gss_import_name() and GSSAPI auth works as usual. Not sure how kosher that is...
>
> On Sat, Mar 9, 2024, 1:54 AM James Wrigley <james@xxxxxxxxxxxxxx> wrote:
>>
>> Hi there,
>> I'm writing a program that needs to access a remote host through two jump hosts. The way I'm doing that is by connecting to each hop in the chain, creating a direct forwarding channel to port 22 of the next hop, and then connecting to the forwarded port for the next hop.
>>
>> My problem is that I want to use GSSAPI authentication for each hop, but that breaks on the forwarded ports. At first when I called userauth_gssapi() I got this in the logs:
>>
>>     [2024/03/09 01:03:27.614606, 1] ssh_gssapi_log_error:  GSSAPI(Initializing gssapi context): Unspecified GSS failure.  Minor code may provide more information - Configuration file does not specify default realm
>>
>> After setting a default realm in my krb5.conf I get:
>>
>>     [2024/03/09 01:46:56.109448, 1] ssh_gssapi_log_error:  GSSAPI(Initializing gssapi context): Unspecified GSS failure.  Minor code may provide more information - Server not found in Kerberos database
>>
>> Then I tried ssh'ing on the forwarded port using OpenSSH and got GSSAPI auth working by passing `-o GSSAPIServerIdentity=...`.
>>
>> So my question is, how can I specify the realm and server identity with libssh? Ideally the program wouldn't require the user to modify their krb5.conf or have to fall back to another auth method like password auth. This works OOTB with OpenSSH and ProxyJump, so I assume OpenSSH uses the realm and server identity of the jump hosts when connecting to their forwarded port.
>>
>> Thanks,
>> James

