Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?

Centrify DirectControl ,  

12 April,16 at 11:07 AM

Question:
How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?

Answer:
For general SSH SSO issues, please check the followings :

1.   Before proceed to check the settings of the SSH nested SSO, please make sure that there are no DNS issues. This can be checked with the nslookup command.  For example :

[root@xxxyyy machine]# nslookup xxxyyy.your_domain.com
Server: 192.168.3.61
Address: 192.168.3.61#53
Name: xxxyyy.your_domain.com
Address: 192.168.3.66

[root@xxxyyy machine]# nslookup 192.168.3.66
Server: 192.168.3.61
Address: 192.168.3.61#53
66.3.168.192.in-addr.arpa name =xxxyyy.your_domain.com.

Kerberos needs the reverse lookup record in order to request a correct service ticket

 


2.   Please make sure that the FQDN e.g. xxxyyy.your_domain.com is used when ssh from Putty or Linux computer to another computer i.e. ssh xxxyyy.your_domain.com

3.   Please check if it is running CentrifySSH or OpenSSH :

ps -ef | grep ssh

If it is Centrify's OpenSSH, it should look like this:
root 254202 155822 0 Apr 08 - 0:00 /usr/share/centrifydc/sbin/sshd

If it is stock SSH, it should look like this:
root 12427 1 0 Feb15 00:00:04 /usr/sbin/sshd

 

4. On the server side, please also check if the GSSAPI settings are enabled in sshd_config:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes (If supported by Stock OpenSSH)
GSSAPICleanupCredentials yes

 

(If using ssh client instead of putty) On client side, please check the following parameters in ssh_config :

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIDelegateCredentials yes

 

If any changes were made to the parameters, please restart the sshd process.

Restart the Centrify sshd:
#/etc/init.d/centrify-sshd restart
or 
Restart the Open sshd :
#/etc/init.d/sshd restart

5.   Please check the UPN e.g. test@domain.com (e.g. AD user test) is correct in the file .k5login under the /home/$user  e.g. /home/test directory.

6.  Please also check the group ownership and files permission of the AD user  to make sure that there are no inconsistencies of the group ownership of the AD user and its corresponding files and directories of the  .ssh directory, .k5login e.g. under /home/test6 as follows :

[root@rhel_w2 home]# ls -l /home
drwx------. 25 test6       test6       4096 May 16 04:34 test6

[root@rhel_w2 home]# ls -la ~/
drwx------. 25 test6       test6       4096 May 16 05:01 .ssh


 [test6@rhel_w2 ~]$ ls -la ~/.k5login
-rw-------. 2 test6 test6 42 May 27 00:52 /home/test6/.k5login

[root@rhel_w2 test6]# cd ~/.ssh

[root@rhel_w2 .ssh]# ls -la
total 12
drwx------.  2 test6 test6 4096 May 13 05:36 .
drwx------. 25 test6 test6 4096 May 16 04:34 ..
-rw-r--r--.  1 test6 test6  419 May 13 05:36 known_hosts

[root@rhel_w2 .ssh]#
 

7.  After checking the correctness of the configuration parameters in ssh_config and sshd_config, the next is comment out pam_fprintd.so in the /etc/pam.d/system-auth file if it exists on specific platform of OS (KB-2527).

 

For SSH nested SSO issue, please also check the following :

8.   Verified the trust for delegation option of the computer/server by looking up ADUC of the DC :

If the location of the computer/server is not known, it can be found as follows :

ADUC>Action>Find> Find:Computer, Name: your_computer>Find Now > Double click on the computer>Delegation > Trust this computer for delegation to any service (Kerberos only) > apply/OK


User-added image

9.   If conneciton is issued from Putty, please make sure the following is checked:
Connection > SSH > Auth>GSSAPI > checked the Allow GSSAPI credential delegation

User-added image
 

Connection > SSH > Kerberos > checked the Create forwardable tickets and enable “Attempt Kerberos auth (SSH-2)”


User-added image


 
10.   Tried nested SSO and go back to the first hop and run klist -f to confirm the host ticket has the "O" flag as follows :
 
In the client or server computer, login as AD user :
 
[test8@rhel_w1 ~]$ /usr/share/centrifydc/kerberos/bin/klist -f
Ticket cache: FILE:/tmp/krb5cc_cdc1593836722_pXddnv
Default principal: test8@CENTRIFY.LOCAL
 
Valid starting Expires Service principal
04/11/14 03:41:01 04/11/14 13:41:01 krbtgt/CENTRIFY.LOCAL@CENTRIFY.LOCAL
renew until 04/18/14 03:41:01, Flags: FRIA
 
 
Login to another host:
[test8@rhel_w1 ~]$ ssh rhel_w2.centrify.local
Red Hat Enterprise Linux Client release 6.4 (Santiago)
Kernel 2.6.32-358.el6.x86_64 on an x86_64
 
Last login: Thu Apr 10 08:47:31 2014 from win7c2.centrify.local
[test8@rhel_w2 ~]$ /usr/share/centrifydc/kerberos/bin/klist -f
Ticket cache: FILE:/tmp/krb5cc_cdc1593836722_C8OiTq
Default principal: test8@CENTRIFY.LOCAL
 
Valid starting Expires Service principal
04/11/14 03:41:01 04/11/14 13:41:01 krbtgt/CENTRIFY.LOCAL@CENTRIFY.LOCAL
renew until 04/18/14 03:41:01, Flags: FRIA
[test8@rhel_w2 ~]$ exit
logout
Connection to localhost closed.
[test8@rhel_w1 ~]$ /usr/share/centrifydc/kerberos/bin/klist -f
Ticket cache: FILE:/tmp/krb5cc_cdc1593836722_pXddnv
Default principal: test8@CENTRIFY.LOCAL
 
Valid starting Expires Service principal
04/11/14 03:41:01 04/11/14 13:41:01 krbtgt/CENTRIFY.LOCAL@CENTRIFY.LOCAL
renew until 04/18/14 03:41:01, Flags: FRIA
04/11/14 03:43:05 04/11/14 13:41:01 host/rhel_w2.centrify.local@CENTRIFY.LOCAL
renew until 04/18/14 03:41:01, Flags: FRAO
[test8@rhel_w1 ~]$
 
If the "O" flag is not set, please make sure "Trust for delegation" mentioned in step 7 has been configured. If this is not set, please either set it in "Active Directory User and Computers" or run adleave and adjoin with "-T" option to enable it on Unix/Linux.
 
Reference:
KB-1698: Troubleshooting Single Sign On (SSO) issues
KB-1876: Cannot create Kerberos tickets using Centrify OpenSSH
KB-5452: How to enable debug for PuTTy / SSH clients?

KB-3285: How to Collect Debug Logs from an OpenSSH Server
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.