1

I connect to my remote server using:

ssh -At [email protected] ssh -At [email protected]

The following only asks me for a password one time. I do not have any authentication file on my computer, just a password is needed.

I want to create a config file so I connect by doing ssh slurm. I need it for some software that doesn't support -Ats and they only accept one ssh name.

I tried this config:

Host csail
    HostName target.edu
    User user
    ForwardAgent yes

Host slurm
    HostName slurm.target.edu
    User user
    ProxyJump csail

This config works but, surprisingly, asks me for the password two times, one after the other (it asks for the same password twice!).

To fix this issue I tried a little bit and found out that, from target.edu to slurm.target.edu, the system seems to be using something called Kerberos, which could be the potential cause of the problem.

I'm here to ask if there is any way for me to modify my config file so I can ssh it using my password only once.

P.S. Note that I do not have any control over the login methods. I'm not able to change any authentication policy.


2 Answers

1

That's because the command line version works differently from the ProxyJump version, and yes, this may enable Kerberos for the command line but not for ProxyJump.

In the case of:

ssh -At [email protected] ssh -At [email protected]

the first ssh connects to target.edu, authenticates as user (and may obtain a Kerberos ticket at that point), allocates a terminal, starts a shell and starts another ssh client there. That client may use the Kerberos ticket for authentication to the slurm.target.edu host, hence no password prompt here.

In the other case, the second ssh client is NOT started and hence it cannot use Kerberos for authentication. What is happening there is that the sshd daemon on target.edu forwards a connection from the original client to the destination host. This also moves the authentication from the proxy host to the original client, which prompts for a password for the slurm.target.edu server.

Instead of using a password for both, I would suggest investigating the possibility of using ssh public key authentication for both.

1

As Tomek explained, the 2nd SSH client is run in a different environment. With the 'command' approach, this happens:

  1. You connect to server 1 using "password" authentication.
  2. Server 1 uses pam_krb5 and retrieves a Kerberos TGT ticket for you.
  3. From server 1, you connect to server 2 using "Kerberos" authentication.

With ProxyJump, both clients are equally local so the ticket retrieved in step 2 is useless, because it gets stored on server 1 but the second client isn't running there.

One way to solve this is to use Kerberos for the entire process, by using kinit to acquire a ticket – it will let you authenticate to all systems on that network:

  1. Obtain a ticket using:

    $ kinit [email protected]
    

    (The realm name is case-sensitive and almost always upper-case.)

    Use klist -f to check what tickets you have.

  2. Enable Kerberos authentication in SSH (as well as ticket forwarding because the specific system you're using probably needs it in order to access file storage):

    Host *.mit.edu
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
    

Kerberos tickets stay valid for 10 hours; kinit -r 7d will let you get a renewable one that can be extended without password using kinit -R. You can use various methods such as k5start or GNOME's Kerberos integration to automate getting a ticket every day.
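The two answers above describe the mechanism (the ProxyJump client is local, so the TGT that pam_krb5 obtained on the jump host never reaches it) and the fix (get the ticket locally with kinit and let both hops use GSSAPI). The script below ties those pieces together as an added example; it is not code from either answer or from the asker. It assumes an MIT Kerberos client (where `klist -s` reports via its exit status whether a valid ticket is cached; Heimdal uses `klist -t`), a placeholder principal `user@TARGET.EDU`, and the host names from the question; the `csail`/`slurm` aliases and the `print_config` helper are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original answers): obtain one Kerberos ticket
# locally, then let ssh present it on both hops of a ProxyJump, so the
# password prompt appears once per ticket lifetime instead of once per hop.
# PRINCIPAL and SSH_CONFIG are placeholders; set them for your site.

PRINCIPAL="${KRB_PRINCIPAL:-user@TARGET.EDU}"   # assumed realm, placeholder
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# Returns 0 when the local credential cache holds a non-expired ticket.
# MIT "klist -s" prints nothing and answers through its exit status.
have_ticket() {
    klist -s 2>/dev/null
}

# Run kinit only when no valid ticket exists. "-r 7d" asks for a renewable
# ticket (as the answer suggests) so later refreshes can use "kinit -R".
ensure_ticket() {
    if have_ticket; then
        return 0
    fi
    kinit -r 7d "$PRINCIPAL"
}

# ssh config fragment: ProxyJump keeps the second client on this machine, and
# GSSAPIAuthentication lets that local client present the same TGT to slurm
# that the jump host accepted. Delegation is enabled as the answer advises,
# because the shared file storage on the far side needs a forwarded ticket.
print_config() {
    cat <<'EOF'
Host csail
    HostName target.edu
    User user
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host slurm
    HostName slurm.target.edu
    User user
    ProxyJump csail
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

# Connect through the jump host; fail closed if no ticket could be obtained,
# so ssh never silently falls back to two password prompts.
connect() {
    ensure_ticket || return 1
    ssh -F "$SSH_CONFIG" slurm "$@"
}

# Usage: "./krb-ssh.sh config >> ~/.ssh/config" once, then "./krb-ssh.sh connect".
case "${1-}" in
    config)  print_config ;;
    connect) shift; connect "$@" ;;
esac
```

Software that only accepts a single host alias (the asker's constraint) can keep pointing at `slurm`; the only requirement is that a ticket is already cached when it runs, which `ensure_ticket` (or k5start, as the answer mentions) takes care of.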
