Kerberos auth via jsch (gssapi-with-mic missing?)

Andy Bohne

Sep 23, 2013, 11:35:50 AM
to rundeck...@googlegroups.com
I'm trying to configure rundeck such that my tasks that are dispatched via SSH use kerberos for authentication.  I've got an account named rundeck and created a keytab which allows that user to successfully authenticate to other servers using kerberos.  However, when I attempt to dispatch a job using the SSH executor, rundeck is unable to authenticate.  When I view the verbose output, I see that the available authentication methods are as follows:

Authentications that can continue: publickey,password,keyboard-interactive

Since I don't see gssapi-with-mic as an available authentication method, that explains why I can't authenticate.

I'm not sure what I'm missing in my config to resolve this.  Here's some info on my config:

OS: RHEL 6.4
Rundeck version: rundeck-1.6.1-1.4.GA.noarch (RPM install)

/etc/rundeck/jaas-loginmodule.conf:
RDpropertyfilelogin {
  org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";

  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true useKeyTab=true keyTab="/var/lib/rundeck/keytab" debug=true;
};

/etc/rundeck/profile:
...
export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf \
        -Dloginmodule.name=RDpropertyfilelogin \
...

Any suggestions would be appreciated.

Moses Lei

Sep 23, 2013, 12:08:41 PM
to rundeck...@googlegroups.com
It's likely that jsch doesn't read your local kerberos config. I would use OpenSSH instead. There's a section in the manual about using openssh as the executor.

Moses

Greg Schueler

Sep 24, 2013, 3:38:42 PM
to Andy Bohne, rundeck...@googlegroups.com
Hi Andy,

Right now the built-in SSH component uses a hardcoded list of allowed authentications: publickey,password,keyboard-interactive.

That should be made configurable.  (Please file a github issue).  

The alternative is to use OpenSSH as Moses mentioned.

Andy Bohne

Sep 24, 2013, 3:46:53 PM
to rundeck...@googlegroups.com, Andy Bohne

Andy Bohne

Jul 3, 2014, 10:49:26 AM
to rundeck...@googlegroups.com, andy....@gmail.com
Sorry for dragging up an old thread.  I saw #551 was closed and that authentication types are now user configurable.  However, this didn't fix my original problem, which is that I need gssapi-with-mic authentication to be available.

I looked through the source and it appears that core/src/main/java/com/dtolabs/rundeck/core/tasks/net/SSHTaskBuilder.java could be modified to accept gssapi-with-mic.
At first glance, it appears the following modifications would be necessary:

public static enum AuthenticationType would need an additional value (e.g. kerberos)

and then a section would need to be added to the switch (authenticationType) section.

If this is correct, I'll see if I can submit a PR, or if you'd prefer I can just log a github issue?
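
Added example, not part of the thread and not Rundeck or JSch code: a simplified Java model of the enum-plus-switch change discussed above, showing why a client list without gssapi-with-mic never attempts Kerberos even when the server accepts it. The type names other than kerberos, the class name and the sample server list are assumptions made up for the illustration; PreferredAuthentications is the JSch session config key such a list is passed to.

```java
import java.util.*;

// Added illustration: a simplified model, not Rundeck's SSHTaskBuilder or JSch code.
public class SshAuthSketch {
    // "kerberos" is the value proposed in the thread; the other names are hypothetical.
    enum AuthenticationType { privateKey, password, kerberos }

    // Methods the client is willing to try, in order, for one authentication type.
    static List<String> preferred(AuthenticationType type) {
        switch (type) {
            case privateKey: return Arrays.asList("publickey");
            case password:   return Arrays.asList("password", "keyboard-interactive");
            case kerberos:   return Arrays.asList("gssapi-with-mic"); // no password fallback
            default: throw new IllegalArgumentException("unknown type: " + type);
        }
    }

    // Walk the client's list in order and keep only methods the server advertises.
    static List<String> usable(List<String> clientPreferred, Set<String> serverOffers) {
        List<String> out = new ArrayList<>();
        for (String method : clientPreferred) {
            if (serverOffers.contains(method)) out.add(method);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a server that accepts Kerberos, public keys and passwords.
        Set<String> server = new LinkedHashSet<>(
            Arrays.asList("publickey", "gssapi-with-mic", "password"));
        // The hardcoded client list quoted earlier in the thread.
        List<String> hardcoded =
            Arrays.asList("publickey", "password", "keyboard-interactive");

        // gssapi-with-mic is offered by the server but absent from the client list.
        System.out.println("hardcoded -> " + usable(hardcoded, server));
        for (AuthenticationType t : AuthenticationType.values()) {
            List<String> methods = usable(preferred(t), server);
            // Fail closed: an empty result means "do not connect", not "try another method".
            System.out.println(t + " -> " + (methods.isEmpty() ? "no usable method" : methods));
        }
        // Value a caller would pass as session.setConfig("PreferredAuthentications", ...).
        System.out.println(String.join(",", preferred(AuthenticationType.kerberos)));
    }
}
```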

Alex Honor

Jul 3, 2014, 10:51:21 AM
to rundeck...@googlegroups.com, andy....@gmail.com
Hi Andy,

Please do submit a PR and github issue to track the change :)

Thanks

Andy Bohne

Jul 7, 2014, 11:47:17 AM
to rundeck...@googlegroups.com, andy....@gmail.com
OK.  I've created https://github.com/rundeck/rundeck/issues/847.  I will hopefully have a PR to go along with it sometime this week.

Alex Honor

Jul 7, 2014, 11:49:13 AM
to rundeck...@googlegroups.com
Thanks Andy.