SSH AFX test connector settings fails with 'Request timed out' and a 'Kerberos username' warning in RSA Identity Governance & Lifecycle

RSA Product Set: Identity Governance & Lifecycle 
RSA Version/Condition: All
When testing the connector settings of an SSH AFX connector (AFX > Connectors > {connector-name} > Test Connector Settings), the test fails with the following message:
 
Failed connector settings test. Request timed out.
 

The AFX mule log file, $AFX_HOME/esb/logs/mule_ee.log, has the following warnings:
[Mule.app.deployer.monitor.1.thread.1] org.mule.module.launcher.DeploymentService: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
+ Started app 'AFX-SETTINGS-Linux' + 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
 
No other log files report any errors or information related to this failure.

Running sshd with the -ddd debug option produces output containing a message similar to:
$ /usr/sbin/sshd -ddd
Postponed gssapi-with-mic for root from 100.44.55.11 port 41414 ssh2
Kerberos and/or GSSAPI Authentication have been configured for sshd
  • Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Reference taken from Wikipedia.com).
  • Generic Security Service Application Program Interface (GSSAPI) is an IETF standard for doing strong encrypted authentication in network-based applications. OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication other than ssh_keys. (Information taken from Using GSSAPI authentication at SLAC).
The RSA Identity Governance & Lifecycle SSH AFX connector does not support (cannot handle) any additional layer of authentication.

Disable Kerberos and/or GSSAPI

Disable Kerberos and/or GSSAPI by editing /etc/ssh/sshd_config.

  1. Log in as root.
  2. Open /etc/ssh/sshd_config in a text editor and modify the following entries:
    1. Under Kerberos options, change any uncommented entry that is set to yes to no. For example,
From:
# Kerberos options
KerberosAuthentication yes
To:
# Kerberos options
KerberosAuthentication no
    2. Under GSSAPI options, set GSSAPIAuthentication and GSSAPICleanupCredentials to no. For example,
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
  3. Save the file and restart sshd using the following command:
# service sshd restart

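One way to confirm the edit before restarting sshd, as an added example that is not part of the original RSA article: the hypothetical helper check_sshd_gss reads one sshd_config file, reports the first uncommented value of each of the three directives above, and returns non-zero if any is still yes. It assumes a single file (Include directives are not followed) and reports yes values inside Match blocks separately.

```shell
#!/bin/sh
# Added example (not RSA code). check_sshd_gss is a hypothetical helper name.
# Usage: check_sshd_gss /etc/ssh/sshd_config
# Prints key=value for each directive; returns 1 if any is still "yes".
check_sshd_gss() {
    awk '
        BEGIN {
            bad = 0
            n = split("kerberosauthentication gssapiauthentication gssapicleanupcredentials", want, " ")
            for (i = 1; i <= n; i++) wanted[want[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop leading indentation
            sub(/[ \t]*=[ \t]*/, " ", line)     # accept keyword=value as well
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])   # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (!(key in wanted)) next
            if (in_match) {
                # A Match block can turn the method back on for some clients.
                if (val == "yes") { print "match:" key "=yes"; bad = 1 }
            } else if (!(key in seen)) {
                seen[key] = val                 # sshd keeps the first value it reads
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = want[i]
                v = (k in seen) ? seen[k] : "unset"    # unset: sshd default applies
                print k "=" v
                if (v == "yes") bad = 1
            }
            exit bad
        }
    ' "$1"
}
```

On a live host, sshd -t checks the edited file for syntax errors before the restart, and sshd -T prints the effective configuration sshd would use.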
 
000034818
Erika dos Santos
2/10/2017 3:50 PM