000034818 - SSH AFX test connector settings fails with 'Request timed out' and a 'Kerberos username' warning in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Feb 10, 2017. Last modified by RSA Customer Support on Nov 4, 2019.
Version 4

Article Content

Article Number: 000034818
Applies To
RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: All
Issue
When testing the connector settings of an SSH AFX connector (AFX > Connectors > {connector-name} > Test Connector Settings), the test fails with the following message:
 
Failed connector settings test. Request timed out.


 





The AFX mule log file, $AFX_HOME/esb/logs/mule_ee.log, has the following warnings:


[Mule.app.deployer.monitor.1.thread.1] org.mule.module.launcher.DeploymentService: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
+ Started app 'AFX-SETTINGS-Linux' + 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.


 


No other log files report any errors or information related to this failure.


Running sshd with the -ddd debug option produces output that contains a message similar to:


$ /usr/sbin/sshd -ddd
Postponed gssapi-with-mic for root from 100.44.55.11 port 41414 ssh2
Cause
Kerberos and/or GSSAPI authentication have been configured for sshd.
  • Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Reference taken from Wikipedia.com).
  • Generic Security Service Application Program Interface (GSSAPI) is an IETF standard for doing strong encrypted authentication in network based applications. OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication other than ssh_keys. (Information taken from Using GSSAPI authentication at SLAC).
The RSA Identity Governance & Lifecycle SSH AFX connector does not support (cannot handle) any additional layer of authentication.
Resolution

Disable Kerberos and/or GSSAPI



Disable Kerberos and/or GSSAPI by editing /etc/ssh/sshd_config.



  1. Log in as root.
  2. Open /etc/ssh/sshd_config in a text editor and modify the following entries:
    1. Under Kerberos options, change any uncommented entry that is set to yes to no. For example,

From:



# Kerberos options
KerberosAuthentication yes


To:



# Kerberos options
KerberosAuthentication no


    2. Under GSSAPI options, set GSSAPIAuthentication and GSSAPICleanupCredentials to no. For example,


# GSSAPI options
GSSAPIAuthentication no 
GSSAPICleanupCredentials no


  3. Save the file and restart sshd using the following command:


# service sshd restart
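
To confirm the edit took effect before re-running Test Connector Settings, the following added example (not part of the original RSA article) scans sshd configuration text for Kerberos or GSSAPI authentication that is still enabled. The function name check_sshd_auth and the sample input are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. check_sshd_auth is a hypothetical helper name.
# Reads sshd configuration text on stdin (the contents of
# /etc/ssh/sshd_config, or the output of `sshd -T`) and prints any
# KerberosAuthentication / GSSAPIAuthentication setting that is still "yes".
# Exit status is 0 when neither method is enabled, 1 otherwise.
check_sshd_auth() {
    awk '
    {
        sub(/^[ \t]+/, "")                   # drop leading whitespace
        if ($0 == "" || $0 ~ /^#/) next      # skip blank lines and comments
        key = tolower($1); val = tolower($2) # keywords are case-insensitive
        if (key == "match") { in_match = 1; next }
        if (key !~ /^(kerberos|gssapi)authentication$/) next
        if (in_match) {
            # A Match block can re-enable the method for some connections.
            if (val == "yes") { print key " yes (inside Match block)"; bad = 1 }
        } else if (!(key in seen)) {
            # sshd uses the first value it obtains for each keyword.
            seen[key] = 1
            if (val == "yes") { print key " yes"; bad = 1 }
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample input: Kerberos disabled, GSSAPI left enabled.
sample_config='# Kerberos options
KerberosAuthentication no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no'

printf '%s\n' "$sample_config" | check_sshd_auth ||
    echo "sshd still offers Kerberos/GSSAPI authentication"
```

On the target host, run as root, `sshd -T | check_sshd_auth` checks the effective configuration that sshd will use after the restart.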