Support Kerberos for SSH bastion #10364

ingomueller-net opened this issue Dec 9, 2020 · 1 comment
@ingomueller-net

Description

I am working in an environment behind a corporate proxy, so I need an SSH bastion host to use the ebs-volume builder. The environment is also kerberized, so SSHing into different machines does not always work with public keys. (The problem is that the home folder can only be mounted after connecting, so public keys are not present yet when the login is being authenticated.) In my shell, I can make the login passwordless by setting the following options in ~/.ssh/config:

GSSAPIKeyExchange yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

This uses my local Kerberos ticket for the SSH login.

My current work-around is to log into the bastion host in a different shell such that the home folder is mounted. This makes the current bastion mechanism work with public key authentication.

Potential configuration

This could be achieved by (1) using my local SSH configuration, where I have set up things correctly or (2) providing an option to enable Kerberized SSH authentication.
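
Added example, not part of the original issue: the three GSSAPI options from the post, scoped to the bastion in ~/.ssh/config rather than set globally, so that ticket delegation applies only where it is needed. The host names are placeholders, and the choice of which hosts receive delegated credentials is an assumption of this example.

```sshconfig
# Constructed example; bastion.example.com and *.internal.example.com are placeholders.
#
# ssh_config uses the first value it obtains for each option, so the
# specific Host blocks must come before the catch-all "Host *" block.

# GSSAPIKeyExchange is only recognised by OpenSSH builds that carry the
# GSSAPI key-exchange patch. IgnoreUnknown must appear before the option
# it covers, and lets the same file load on builds without the patch.
IgnoreUnknown GSSAPIKeyExchange

# Bastion: log in with the local Kerberos ticket.
# Delegation hands the server a usable copy of the ticket, so it is
# enabled only here (assumption: the bastion needs it to mount the
# home folder, as described in the issue).
Host bastion
    HostName bastion.example.com
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes

# Hosts reached through the bastion: authenticate with Kerberos,
# but do not forward the ticket any further (assumption: they do
# not need to act on the user's behalf).
Host *.internal.example.com
    ProxyJump bastion
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Everything else: no Kerberos authentication and no delegation.
Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
```

Running `ssh -G bastion` prints the options the client will actually apply for that host, which confirms the scoping before any connection is made.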

@znewman01

znewman01 commented Feb 15, 2021

I looked briefly into what it would take to implement this.

Packer uses the Go x/crypto/ssh package for SSH support; this package doesn't support Kerberos (and it doesn't seem like it will anytime soon). There's a ~200 LoC implementation based on a pure-Go Kerberos library; using it is a little complicated. That is, it's not quite so simple as wiring in a new configuration option for the SSH communicator that we can just pass through.

I have a workaround (my bastion also supports keyboard-interactive auth), so I won't wind up writing a PR, unfortunately. But I wanted to give some context in case some brave soul wants to pick up where I left off. Another workaround might involve basically re-implementing the provisioner you want using a local shell provisioner.
