SSH AFX test connector settings fails with 'Request timed out' and a 'Kerberos username' warning in RSA Identity Governance & Lifecycle

3 years ago

Originally Published: 2017-02-10

Article Number

000040198

Applies To

RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: All

Issue

When testing the connector settings of an SSH AFX connector (AFX > Connectors > {connector-name} > Test Connector Settings), the test fails with the following message:

Failed connector settings test. Request timed out.

The AFX mule log file, $AFX_HOME/esb/logs/mule_ee.log, has the following warnings:

[Mule.app.deployer.monitor.1.thread.1] org.mule.module.launcher.DeploymentService: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
+ Started app 'AFX-SETTINGS-Linux' + 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.

No other log files report any errors or information related to this failure.

Running sshd with the -ddd debug option contains a message similar to:

$ /usr/sbin/sshd -ddd
Postponed gssapi-with-mic for root from 100.44.55.11 port 41414 ssh2

Cause

Kerberos and/or GSSAPI Authentication have been configured for sshd.

Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Reference taken from Wikipedia.com).
Generic Security Service Application Program Interface (GSSAPI) is an IETF standard for doing strong encrypted authentication in network based applications. OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication other than ssh_keys. (Information taken from Using GSSAPI authentication at SLAC).

The RSA Identity Governance & Lifecycle SSH AFX connector does not support (cannot handle) any additional layer of authentication.

Resolution

Disable Kerberos and/or GSSAPI

Disable Kerberos and or GSSAPI by editing /etc/ssh/sshd_config.

Login as root.
Open /etc/ssh/sshd_config in a text editor and and modify the following entries:
1. Under Kerberos options, modify any entry that is uncommented and set to yes to no. For example,

From:

# Kerberos options
KerberosAuthentication yes

To:

# Kerberos options
KerberosAuthentication no

Under GSSAPI options, set GSSAPIAuthentication and GSSAPICleanupCredentials to no. For example,

# GSSAPI options
GSSAPIAuthentication no 
GSSAPICleanupCredentials no

Save the file and restart sshd using the following command:

# service sshd restart

Notes

Don't see what you're looking for?

Disable Kerberos and/or GSSAPI

Related Articles

Trending Articles