I’ve just started with Clear Linux* on bare metal, and it’s generally been a very positive experience.
That said, I have hit a problem: it seems that the ssh
and git
that swupd
installs cannot make use of kerberos tickets acquired with the kinit
also installed by swupd
(enterprise-login
).
Main symptoms are that I cannot ssh
or perform git
operations in cases where MacOS
works fine.
In both cases, I can get a nice kerberos ticket (slightly obfuscated):
- MacOS
Credentials cache: API:C22BC4A1-3B2B-4302-9757 Principal: x@Y Issued Expires Flags Principal Aug 20 14:17:01 2020 Aug 21 15:17:01 2020 FPRIA krbtgt/Y@Y
- Clear Linux* looks equally ok:
Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: x@Y Valid starting Expires Service principal 08/20/2020 14:06:22 08/21/2020 15:06:22 krbtgt/Y@Y renew until 08/27/2020 14:06:22, Flags: FPRIA
Then what happens, e.g., with ssh
:
- MacOS (working):
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Delegating credentials debug1: Delegating credentials debug1: Authentication succeeded (gssapi-with-mic).
- Clear Linux* (not working):
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Next authentication method: publickey
It’s easy to see that Clear Linux* is not offering gssapi-with-mic
and it goes south from there.
I’ve searched in the forums and on the web in general and came up empty-handed.
So, I was wondering someone else has seen (and solved?) this issue and/or if I can help debug this further for the greater interoperability good.
ps - I suspect that this could boil down to build options of openssl (as is the case in MacOS) and for that I am not even sure where to start helping in changing enterprise-login
.