KB-16305: In Redhat cluster environment, SSH SSO broke after upgrade to openssh version 7.5 p1 and higher

Authentication Service

20 June,19 at 10:46 PM

Environment setup:
- A cluster consisting of two nodes, realhostA and realhostB
- A virtual host name, virtualhost, shared between the two nodes
- adkeytab is used to build a keytab file for virtualhost, which is then merged into the system keytab files of realhostA and realhostB

When a user attempts SSO to either realhostA or realhostB, the user presents a host ticket for virtualhost.

This setup worked until OpenSSH was upgraded to 7.5p1 or higher.


With OpenSSH 7.4p1 and earlier, the sshd_config default for GSSAPIStrictAcceptorCheck is 'no'. With this setting, a host ticket with any server principal in it is accepted.

Starting with OpenSSH 7.5p1, the GSSAPIStrictAcceptorCheck default changed to 'yes', which means the server principal in the host ticket must match the real host name. Here is an example log entry showing a failed SSH SSO login:

debug1: Unspecified GSS failure. Minor code may provide more information
Request ticket server host/ found in keytab but does not match server principal host/


1) Update the sshd_config file, changing

GSSAPIStrictAcceptorCheck yes

to

GSSAPIStrictAcceptorCheck no

2) Restart sshd
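To make the version-dependent default and the acceptor check concrete, here is an added Python model (not Centrify's or OpenSSH's code) of what sshd decides in the cluster setup above: it reads the effective GSSAPIStrictAcceptorCheck value from an sshd_config fragment, applies the default for the given OpenSSH version, and then tests whether a ticket for virtualhost is accepted by realhostA. The realm, keytab contents and config fragments are constructed samples, and the acceptor logic assumes a ticket can only be accepted when the key for its service principal is present in the keytab.

```python
import re

# Constructed sample values (not from the article): a Kerberos realm and the
# merged keytab from the two-node cluster setup described above.
REALM = "EXAMPLE.COM"
REAL_HOST = f"host/realhostA@{REALM}"
VIRTUAL_HOST = f"host/virtualhost@{REALM}"
MERGED_KEYTAB = {REAL_HOST, f"host/realhostB@{REALM}", VIRTUAL_HOST}

# Constructed sshd_config fragments: one without the directive (the version
# default applies) and one carrying the workaround from step 1.
DEFAULT_CONFIG = "# acceptor check not set\nGSSAPIAuthentication yes\n"
WORKAROUND_CONFIG = "GSSAPIAuthentication yes\nGSSAPIStrictAcceptorCheck no\n"


def parse_version(version: str) -> tuple:
    """'7.5p1' -> (7, 5); only major.minor decide the default."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def effective_strict_acceptor_check(config_text: str, version: str) -> str:
    """Effective GSSAPIStrictAcceptorCheck ('yes' or 'no') for this config.
    Assumed sshd_config rules: '#' starts a comment, keywords are
    case-insensitive, and the first value obtained for a keyword wins."""
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "gssapistrictacceptorcheck":
            return parts[1].strip().lower()
    # Directive absent: the default flipped from 'no' to 'yes' in 7.5p1.
    return "yes" if parse_version(version) >= (7, 5) else "no"


def acceptor_accepts(strict: str, ticket_principal: str, keytab: set,
                     real_host_principal: str = REAL_HOST) -> bool:
    """Would sshd accept a service ticket issued for ticket_principal?
    'yes': the ticket must name the real host's own principal.
    'no' : any principal whose key is in the keytab is accepted."""
    if ticket_principal not in keytab:
        return False  # no key to decrypt the ticket, under either setting
    return strict == "no" or ticket_principal == real_host_principal


def cluster_sso_works(config_text: str, version: str) -> bool:
    """The article's scenario: the client presents a ticket for virtualhost."""
    strict = effective_strict_acceptor_check(config_text, version)
    return acceptor_accepts(strict, VIRTUAL_HOST, MERGED_KEYTAB)
```

With the workaround in place, any principal whose key is in the merged keytab passes the acceptor check, so keep that keytab limited to the real and virtual host principals the cluster actually needs.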

