There are two fine intermediary hosts between my workstation and where I need to end-up. I was attempting to use the ProxyJump configuration to make this connection, but it does not appear to work.
Topology:
ssh ssh ssh
localhost.domain1.com --> h1.domain1.com --> h2.domain2.com --> dest.domain2.com
When I try using this command below, I receive an error
ssh -K -J h1.domain1.com,h2.domain2.com dest.domain2.com
It connects to h1.domain1.com, but then fails to properly connect to h2.domain2.com with an inability to "contact any KDC for realm 'domain2.com' (and I do not have a password on domain2.com, so it is not an option):
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /home/USERNAME/.ssh/config
...
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -J h1.domain1.com -v -W %h:%p h2.domain2.com
debug1: Executing proxy command: exec ssh -J h1.domain1.com -v -W dest.domain2.com:22 h2.domain2.com
...
debug1: Connecting to h1.domain1.com [132.175.108.33] port 22.
debug1: Connection established.
...
debug1: Authenticating to h1.domain1.com:22 as 'USERNAME'
...
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to h1.domain1.com ([###.###.##.##]:22).
debug1: channel_connect_stdio_fwd h2.domain2.com:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
...
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to h2.domain2.com:22 as 'USERNAME'
...
debug1: Next authentication method: gssapi-with-mic
debug1: getpeername failed: Socket operation on non-socket
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'domain2.com'
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
The following command does work, but this site suggests it may not be secure:
ssh -K -tt h1.domain1.com ssh -K -tt h2.domain2.com ssh -K -tt dest.domain2.com
I believe all of the cross-realm authentication is properly set, as the one command does work.
As a side note, all within domain1.com, I can do without issue: ssh -K -J a.domain1.com,b.domain1.com c.domain.com
Is there anyway to get the shorter and more secure ProxyJump to work with Kerberos in this configuration?