
Re: Specifying GSSAPI settings


Ahhh thanks, I did not see that there was a server identity option
already...

I commented on the MR, I think it looks quite useful; though I probably
won't end up using it since I'm embedding libssh in a GUI (so there'll be
no terminal to answer the prompts in).

On Mon, Mar 11, 2024, 11:53 AM Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

> Hi,
> thank you for the question! Unfortunately the GSSAPI code in libssh is
> not very well tested so if you are interested in changing that, we
> could use some help:
> https://gitlab.com/libssh/libssh-mirror/-/issues/191
>
> We are working on the implementation of proxyjump using libssh in
> https://gitlab.com/libssh/libssh-mirror/-/merge_requests/459 (it will
> likely need some more work though) so I assume you took some similar
> approach for doing this just with the public API for the port
> forwarding, which has a disadvantage you need to allocate the port
> numbers locally instead of keeping the socket inside of your
> application. In any case, feedback here would be hugely appreciated as
> this sounds like something very similar you are working on for
> real-world use case.
>
> I think this is the limitation of the forwarding as there is no simple
> way to derive the hostname from the locally forwarded port so it needs
> to be managed manually for now. I think a cleaner way might be using
> `SSH_OPTIONS_GSSAPI_SERVER_IDENTITY`, similar to the openssh
> configuration option.
>
> Jakub
>
>
> On Sat, Mar 9, 2024 at 11:08 PM James Wrigley <james@xxxxxxxxxxxxxx>
> wrote:
> >
> > After a bit more digging I realized that the only necessary thing is to
> > set the server identity because the realm can be obtained from that. From
> > looking at the code I think that should be done in ssh_gssapi_auth_mic(),
> > but I figured out a hack to get around it 😅 If you set the host option to
> > the real hostname after connecting, ssh_gssapi_auth_mic() will just use
> > that in its call to gss_import_name() and GSSAPI auth works as usual. Not
> > sure how kosher that is...
> >
> > On Sat, Mar 9, 2024, 1:54 AM James Wrigley <james@xxxxxxxxxxxxxx> wrote:
> >>
> >> Hi there,
> >> I'm writing a program that needs to access a remote host through two
> >> jump hosts. The way I'm doing that is by connecting to each hop in the
> >> chain, creating a direct forwarding channel to port 22 of the next hop, and
> >> then connecting to the forwarded port for the next hop.
> >>
> >> My problem is that I want to use GSSAPI authentication for each hop,
> >> but that breaks on the forwarded ports. At first when I called
> >> userauth_gssapi() I got this in the logs:
> >>
> >>     [2024/03/09 01:03:27.614606, 1] ssh_gssapi_log_error:
> >>     GSSAPI(Initializing gssapi context): Unspecified GSS failure.  Minor code
> >>     may provide more information - Configuration file does not specify default
> >>     realm
> >>
> >> After setting a default realm in my krb5.conf I get:
> >>
> >>     [2024/03/09 01:46:56.109448, 1] ssh_gssapi_log_error:
> >>     GSSAPI(Initializing gssapi context): Unspecified GSS failure.  Minor code
> >>     may provide more information - Server not found in Kerberos database
> >>
> >> Then I tried ssh'ing on the forwarded port using OpenSSH and got GSSAPI
> >> auth working by passing `-o GSSAPIServerIdentity=...`.
> >>
> >> So my question is, how can I specify the realm and server identity with
> >> libssh? Ideally the program wouldn't require the user to modify their
> >> krb5.conf or have to fall back to another auth method like password auth.
> >> This works OOTB with OpenSSH and ProxyJump, so I assume OpenSSH uses the
> >> realm and server identity of the jump hosts when connecting to their
> >> forwarded port.
> >>
> >> Thanks,
> >> James
>
>
>
