SSH SSO into cluster node breaks after upgrading ssh to version 7.5 p1
Environment setup:
- A cluster consisting of two nodes, realhostA and realhostB
- A virtual host name, virtualhost, shared between the two nodes
- adkeytab was used to build a keytab file for virtualhost, which was then merged into the system keytab files of realhostA and realhostB
- When a user attempts SSO to either realhostA or realhostB, the client presents a host (service) ticket for virtualhost rather than for the real host name
Problem:
This setup worked until OpenSSH was upgraded to 7.5p1 or later.
Cause:
With OpenSSH 7.4p1 and earlier, the sshd_config default for GSSAPIStrictAcceptorCheck is 'no'. With this setting, sshd accepts a host ticket for any server principal, as long as the corresponding key is present in its keytab.
Starting with OpenSSH 7.5p1, the default for GSSAPIStrictAcceptorCheck changed to 'yes', which means the server principal in the host ticket must match the real host name of the node being logged into. Here is an example sshd debug log entry from a failed SSH SSO login:
debug1: Unspecified GSS failure. Minor code may provide more information
Request ticket server host/virtualhost.acme.com@ACME.COM found in keytab but does not match server principal host/realhostA.acme.com@
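The following shell helpers, added here as an example and not part of the original article, reproduce the acceptor check described above so the failure can be diagnosed from two inputs: the effective sshd configuration as printed by `sshd -T` (which must be run as root) and the sshd debug line. Host names follow the article (realhostA, virtualhost, ACME.COM); the sample `sshd -T` output and log text are constructed, and the decision logic models the documented behaviour of GSSAPIStrictAcceptorCheck rather than calling sshd itself.

```shell
#!/bin/sh
# Added example, not from the original article: diagnose the
# GSSAPIStrictAcceptorCheck failure from `sshd -T` output and the sshd
# debug line. Sample inputs below are constructed.

# Print the effective GSSAPIStrictAcceptorCheck value from `sshd -T`
# output (one "keyword value" per line, keyword in lowercase).
# Prints "unset" if the option does not appear at all.
strict_acceptor_check() {
    awk 'tolower($1) == "gssapistrictacceptorcheck" { print $2; found = 1 }
         END { if (!found) print "unset" }'
}

# Extract the service principal carried in the client's ticket from the
# "Request ticket server ... found in keytab" debug line.
ticket_server_principal() {
    sed -n 's/.*Request ticket server \([^ ]*\) found in keytab.*/\1/p'
}

# Extract the acceptor principal sshd insisted on (host/<real host name>).
# sshd logs it without a realm, hence the trailing "@" in the article's log.
expected_acceptor_principal() {
    sed -n 's/.*does not match server principal \([^ ]*\).*/\1/p'
}

# Decide whether sshd would accept the ticket. Arguments:
#   $1  GSSAPIStrictAcceptorCheck value (yes|no)
#   $2  server principal in the ticket, e.g. host/virtualhost.acme.com@ACME.COM
#   $3  acceptor principal sshd derives from its own host name
# Assumes the ticket's key is already in the keytab (the log says it was).
# Realms are stripped before comparing because the acceptor name has none.
would_accept() {
    strict=$1
    ticket=${2%@*}
    acceptor=${3%@*}
    case $strict in
        yes) [ "$ticket" = "$acceptor" ] ;;
        no)  true ;;
        *)   echo "unknown GSSAPIStrictAcceptorCheck value: $strict" >&2; return 2 ;;
    esac
}

# Constructed sample inputs: an sshd -T dump from an upgraded node and the
# debug line quoted in the article.
SAMPLE_SSHD_T='port 22
gssapiauthentication yes
gssapistrictacceptorcheck yes'
SAMPLE_LOG='debug1: Unspecified GSS failure. Minor code may provide more information
Request ticket server host/virtualhost.acme.com@ACME.COM found in keytab but does not match server principal host/realhostA.acme.com@'

# Walk through the diagnosis on the sample data; returns 0 when the ticket
# would be accepted and 1 when sshd would reject it.
diagnose() {
    mode=$(printf '%s\n' "$SAMPLE_SSHD_T" | strict_acceptor_check)
    ticket=$(printf '%s\n' "$SAMPLE_LOG" | ticket_server_principal)
    acceptor=$(printf '%s\n' "$SAMPLE_LOG" | expected_acceptor_principal)
    echo "GSSAPIStrictAcceptorCheck=$mode ticket=$ticket acceptor=$acceptor"
    if would_accept "$mode" "$ticket" "$acceptor"; then
        echo "ticket would be accepted"
    else
        echo "ticket would be rejected: strict check requires host/<real host name>"
        return 1
    fi
}

# Run the walkthrough when executed directly: sh acceptor_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    diagnose
fi
```

On a live node, `sshd -T | strict_acceptor_check` shows which default the installed sshd is actually applying. The walkthrough makes the trade-off visible: the virtual-host design in this article only works when sshd is willing to accept a ticket for any principal in its keytab, which is exactly what the strict check (now the default) refuses to do.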