Score:1

Setup SSH-Jumphost | Proxyjump with freeIPA and Kerberos-Tickets

am flag

I want to set up a bastion (SSH jumphost) to access the network behind a firewall. Both servers are in a FreeIPA domain. The client is a user machine and is not part of the IPA domain.

Internet/client —> SSH-Jumphost —> login-node

My plan is to login into the ssh-jumphost via credentials to obtain a valid TGT and then to ssh to the login server via the obtained kerberos ticket.

Therefore, I changed the ssh and sshd configs so that GSSAPI credentials are allowed to be forwarded.

# IPA-related configuration changes to sshd_config

PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# added
PasswordAuthentication no

And the ssh config:

# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes

# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
        ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h


#added 
GSSAPIAuthentication yes
GSSAPITrustDns yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
Host login
    GSSAPIDelegateCredentials yes

If I use ssh to log in to the jumphost, I receive a valid Kerberos ticket. After that I can ssh to the login node without entering credentials:

$(@client) ssh jumphost
(USER@jumphost) password:
$(@jumphost) klist
Credential-Cache: KCM:1791600003:19884
Standard-Principal: user@REALM

Valid starting       Expires              Service principal
22.11.2022 17:45:38  23.11.2022 17:35:51  krbtgt/REALM@REALM
$(@jumphost) ssh login

$(@login) klist
Credential-Cache: KCM:1791600003:66779
Standard-Principal: user@REALM

Valid starting       Expires              Service principal
22.11.2022 17:47:51  23.11.2022 17:35:51  krbtgt/REALM@REALM

But if I try to do this in one step, I need to enter my credentials for every server:

$(@client) ssh -J jumphost login
(user@jumphost) Password: 
(user@login) Password: 

Afterwards I’m logged in and have a valid TGT, but I don’t know why I need to enter my password twice.

I only want to be forced to enter my password once.

I tried this with different ssh configs on the client, too.

Host login
  User USER
  #GSSAPIAuthentication yes
  #GSSAPIDelegateCredentials yes
  HostName login
  ProxyJump USER@jumphost

With and without the GSSAPI options.

Host jumphost
  User USER
  HostName jumphost

Host login
  User USER
  #GSSAPIAuthentication yes
  #GSSAPIDelegateCredentials yes
  HostName login
  ProxyJump jumphost

With and without the GSSAPI options.

All versions lead to the same result: I need to provide my password twice.

What am I missing?

Edit: Added krb5.conf

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = REALM
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  REALM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

[domain_realm]
  .realm.com = REALM
  realm.com = REALM
  jumphost.realm.com = REALM

The following files are under /etc/krb5.conf.d:

crypto-policies  freeipa  kcm_default_ccache  sssd_enable_idp
cm flag
Hi and welcome to ServerFault. The SSH configuration looks good so far; what does your `krb5.conf` look like? Please add it to the question.
rbn_hln avatar
am flag
Thank you, I added the `krb5.conf` to the post.
Score:0
us flag

I think you're misunderstanding what the -J option to ssh does. It uses the jump host to create a socket connection to the final destination to proxy the connection through but it is still the original host that is negotiating keys and authentication with the final destination. You may have more luck with something like:

ssh -t jumphost 'ssh -t login'
Score:0
cm flag

Edit: Guess I was wrong :-)

The SSH settings look fine to me. I'm guessing that the issued ticket isn't forwardable.

Quoting man 5 krb5.conf:

Libdefaults Section

[...]
forwardable
If this flag is set, initial tickets by default will be forwardable. The default value for this flag is false.
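An added check that ties the two answers together (this is my own script, not code from the thread): it is meant to run on the jumphost after the first hop, verifies with MIT `klist -f` that the cached TGT carries the forwardable (F) flag that `GSSAPIDelegateCredentials` needs, and only then runs the second `ssh -t login` hop. The hostname `login` and `REALM` are the question's placeholders; the `klist` sample is constructed.

```shell
#!/bin/sh
# Run ON THE JUMPHOST after logging in there with a password.
# Hostnames and REALM are the placeholders used in the question.

# tgt_forwardable: read MIT `klist -f` output on stdin; return 0 if the
# krbtgt entry is followed by a "Flags:" field containing F, else 1.
# (MIT prints the flags on the line after the ticket, either as
# "Flags: FIA" or "renew until ..., Flags: FRIA".)
tgt_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            if ($0 ~ /Flags:[[:space:]]*[A-Za-z]*F/) found = 1
            in_tgt = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample output (not captured from a real host): a forwardable TGT.
SAMPLE_FORWARDABLE='Ticket cache: KCM:1000
Default principal: user@REALM

Valid starting       Expires              Service principal
11/22/2022 17:45:38  11/23/2022 17:35:51  krbtgt/REALM@REALM
        Flags: FIA'

# Constructed sample: same ticket without the F flag.
SAMPLE_NOT_FORWARDABLE='Ticket cache: KCM:1000
Default principal: user@REALM

Valid starting       Expires              Service principal
11/22/2022 17:45:38  11/23/2022 17:35:51  krbtgt/REALM@REALM
        Flags: IA'

# check_and_hop: inspect the live credential cache, then do the second hop.
check_and_hop() {
    if klist -f 2>/dev/null | tgt_forwardable; then
        exec ssh -t login
    else
        echo "TGT is not forwardable; set 'forwardable = true' in krb5.conf or run 'kinit -f'" >&2
        return 1
    fi
}

# Only hop when invoked as "hop"; sourcing the file for checks does nothing.
if [ "${1:-}" = "hop" ]; then check_and_hop; fi
```

Run it as `sh hop.sh hop` from the jumphost shell; the client side still needs the `ssh -t jumphost '...'` form from the other answer, because a plain `-J` never gives the jumphost's TGT a chance to be used.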

rbn_hln avatar
am flag
Would have been nice if that was the solution. I tried it also with the `trust for delegation` option in the FreeIPA web interface.
cm flag
Sorry, not experienced enough with Kerberos... One more thing I thought of: Is the krb5.conf from the jump host or from your client? Verify that it's set on your client.
rbn_hln avatar
am flag
Anyways thank you for your help. The krb5.conf is from my jumphost. The client is not part of the ipa/Kerberos domain.
user1686 avatar
fr flag
@rbn_hln: Normally the client can `kinit` without needing to be in the domain (unless FreeIPA started using FAST to restrict that somehow).
rbn_hln avatar
am flag
@user1686 But this means that the KDC must be reachable from my client. The client is, for example, a laptop from which the login node needs to be accessed. The jumphost is in place for security reasons. Or am I getting something wrong?