Missing kerberos support in ssh (and git)?

I’ve just started with Clear Linux* on bare metal, and it’s generally been a very positive experience.

That said, I have hit a problem: it seems that the ssh and git that swupd installs cannot make use of kerberos tickets acquired with the kinit also installed by swupd (enterprise-login).

Main symptoms are that I cannot ssh or perform git operations in cases where MacOS works fine.

In both cases, I can get a nice kerberos ticket (slightly obfuscated):

  • MacOS
    Credentials cache: API:C22BC4A1-3B2B-4302-9757
            Principal: x@Y
    
      Issued                Expires             Flags    Principal
    Aug 20 14:17:01 2020  Aug 21 15:17:01 2020  FPRIA  krbtgt/Y@Y
    
  • Clear Linux* looks equally ok:
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: x@Y
    
    Valid starting       Expires              Service principal
    08/20/2020 14:06:22  08/21/2020 15:06:22  krbtgt/Y@Y
    	renew until 08/27/2020 14:06:22, Flags: FPRIA
    

Then what happens, e.g., with ssh:

  • MacOS (working):
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Authentication succeeded (gssapi-with-mic).
    
  • Clear Linux* (not working):
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
    debug1: Next authentication method: publickey
    

It’s easy to see that Clear Linux* is not offering gssapi-with-mic and it goes south from there.

I’ve searched in the forums and on the web in general and came up empty-handed.

So, I was wondering if someone else has seen (and solved?) this issue and/or if I can help debug this further for the greater interoperability good.

ps - I suspect that this could boil down to build options of openssl (as is the case in MacOS) and for that I am not even sure where to start helping in changing enterprise-login.

It’s not built with “--with-kerberos5”

Thanks. That figures. Was the exact same in MacOS some time ago.

So the question is: how can we confirm that that is the root cause and change that? In particular, where can I see the build options used? I scoured Clear Linux*'s GitHub to no avail.

Check clearlinux-pkgs/openssh on github

Brilliant! As a newcomer to Clear Linux* I was not aware of clearlinux-pkgs.

So, I suppose the next step would be to open an issue in clearlinux/distribution and see what people think about either building openssh with krb5 support by default, making a second openssh bundle that has that support, or something else more imaginative.

Since you have more experience, does this make sense as a plan to you, @doct0rHu?

You can either open an issue on GitHub to request this change, or post it in CL’s newsletter. I mostly use GitHub.

The issue is up at enterprise-login and openssh's lack of kerberos support · Issue #2104 · clearlinux/distribution · GitHub.
Thanks a bunch.
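
The diagnosis made in this thread (server offers gssapi-with-mic, client never attempts it) can be scripted. The following is an added example, not code from the thread or from Clear Linux: the function names and the sample transcripts are constructed here, the latter from the debug lines quoted in the first post.

```shell
#!/bin/sh
# Added example: classify an `ssh -v` transcript by comparing what the server
# offered with what the client attempted. All names here are hypothetical.

# Read `ssh -v` output on stdin and print one verdict:
#   gssapi-ok            authenticated with gssapi-with-mic
#   gssapi-tried-failed  client attempted gssapi-with-mic, no success logged
#   client-skipped       server offered it, client never tried it (client built
#                        without GSSAPI, or GSSAPIAuthentication is disabled)
#   not-offered          server never listed gssapi-with-mic
gssapi_verdict() {
    awk '
        { gsub(/[ \t\r]+$/, "") }                 # tolerate CRLF and padding
        /Authentications that can continue:/ {
            sub(/.*continue: */, "")
            n = split($0, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == "gssapi-with-mic") offered = 1
        }
        /Next authentication method: gssapi-with-mic/ { tried = 1 }
        /Authentication succeeded \(gssapi-with-mic\)/ { ok = 1 }
        END {
            if (ok) print "gssapi-ok"
            else if (tried) print "gssapi-tried-failed"
            else if (offered) print "client-skipped"
            else print "not-offered"
        }'
}

# Linux-only heuristic: does the installed ssh binary link a GSSAPI library?
client_links_gssapi() {
    ldd "$(command -v ssh)" 2>/dev/null | grep -qi gssapi
}

# Constructed samples, abbreviated from the transcripts in the first post.
OFFER='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive'
sample_macos() {
    printf '%s\n' "$OFFER" \
        'debug1: Next authentication method: gssapi-with-mic' \
        'debug1: Authentication succeeded (gssapi-with-mic).'
}
sample_clear() {
    printf '%s\n' "$OFFER" 'debug1: Next authentication method: publickey'
}

printf 'macOS:       %s\n' "$(sample_macos | gssapi_verdict)"
printf 'Clear Linux: %s\n' "$(sample_clear | gssapi_verdict)"
```

On a real system, pipe `ssh -v -o BatchMode=yes <host> true 2>&1` into `gssapi_verdict`. A `client-skipped` verdict together with a failing `client_links_gssapi` points at the build rather than at the client configuration.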