000034818 - RSA Identity Governance and Lifecycle SSH connector failing due to operating system authentication being enabled

Document created by RSA Customer Support Employee on Feb 10, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034818
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle
 
Issue
  • The SSH connector's Test Connector Settings button fails with the following message:
Request timed out

  • No logs are updated other than mule_ee.log, which contains the following message:
[Mule.app.deployer.monitor.1.thread.1] org.mule.module.launcher.DeploymentService: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
+ Started app 'AFX-SETTINGS-Linux' + 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kerberos username [oracle]: WARNING - System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely. 
Kerberos username [oracle]: WARNING - System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely. 
Kerberos username [oracle]: WARNING - System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.

  • Running sshd with the -ddd debug option produces output containing a message similar to:
$ /usr/sbin/sshd -ddd
Postponed gssapi-with-mic for root from 100.44.55.11 port 41414 ssh2
Cause
Kerberos and/or GSSAPI Authentication have been configured for sshd.
Kerberos is a computer network authentication protocol that works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Reference taken from Wikipedia.com).

Generic Security Service Application Program Interface (GSSAPI) is an IETF standard for strong encrypted authentication in network-based applications. OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication other than ssh_keys. (Information from Using GSSAPI authentication at SLAC).


The RSA Identity Governance and Lifecycle SSH connector does not support any additional layers of authentication, because it cannot handle them.
Resolution

Disable Kerberos and/or GSSAPI


Disable Kerberos and/or GSSAPI by editing /etc/ssh/sshd_config.


  1. Log in as root.
  2. Open /etc/ssh/sshd_config in a text editor and modify the following entries:
    1. Under Kerberos options, change any uncommented entry that is set to yes to no. For example,
From:

# Kerberos options
KerberosAuthentication yes

To:

# Kerberos options
KerberosAuthentication no

    2. Under GSSAPI options, set GSSAPIAuthentication and GSSAPICleanupCredentials to no. For example,
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no

  3. Save the file and restart sshd using the following command:
$ service sshd restart
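
The audit below is an added example, not part of the RSA article or product: it lists the Kerberos/GSSAPI keywords from the steps above that are still explicitly set to yes in an sshd_config file. The function names and the sample configuration are constructed for illustration; only the global section is read, and the first value found for each keyword is taken, as sshd does.

```shell
#!/bin/sh
# Added example, not RSA's code. Function names are hypothetical.

# Print each Kerberos/GSSAPI keyword explicitly set to "yes" in the global
# section of an sshd_config file; exit status is 1 if any is found.
check_sshd_krb_gssapi() {
    cfg="${1:-/etc/ssh/sshd_config}"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            sub(/^[ \t]+/, "")               # drop leading indentation
            sub(/[ \t]*=[ \t]*/, " ")        # accept the "Keyword=value" form
            key = tolower($1)                # keywords are case-insensitive
            val = tolower($2); gsub(/"/, "", val)
        }
        key == "match" { exit }              # Match blocks are not evaluated
        key ~ /^(kerberosauthentication|gssapiauthentication|gssapicleanupcredentials)$/ &&
            !(key in seen) {
            seen[key] = 1                    # sshd keeps the first value it reads
            if (val == "yes") { print $1; found = 1 }
        }
        END { exit found + 0 }
    ' "$cfg"
}

# Constructed sample input, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials=yes
GSSAPIAuthentication yes
EOF
}

tmp=$(mktemp)
sample_sshd_config > "$tmp"
# Prints KerberosAuthentication and GSSAPICleanupCredentials.
check_sshd_krb_gssapi "$tmp" || echo "Entries above are still set to yes"
rm -f "$tmp"
```

On a live host, `sshd -t` validates the edited file before the restart, and `sshd -T` (run as root) prints the effective configuration, including keywords that are not set in the file.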