SSH AFX test connector settings fails with 'Request timed out' and a 'Kerberos username' warning in RSA Identity Governance & Lifecycle
2 years ago
Originally Published: 2017-02-10
Article Number
000040198
Applies To
RSA Product Set: Identity Governance & Lifecycle 
RSA Version/Condition: All
Issue
When testing the connector settings of an SSH AFX connector (AFX > Connectors > {connector-name} > Test Connector Settings), the test fails with the following message:
 
Failed connector settings test. Request timed out.
 
User-added image


The AFX mule log file, $AFX_HOME/esb/logs/mule_ee.log, has the following warnings: 
[Mule.app.deployer.monitor.1.thread.1] org.mule.module.launcher.DeploymentService: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
+ Started app 'AFX-SETTINGS-Linux' + 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
Kerberos username [oracle]: WARNING - 
System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinitely.
 
No other log files report any errors or information related to this failure.

Running sshd with the -ddd debug option contains a message similar to: 
$ /usr/sbin/sshd -ddd
Postponed gssapi-with-mic for root from 100.44.55.11 port 41414 ssh2
Cause
Kerberos and/or GSSAPI Authentication have been configured for sshd
  • Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Reference taken from Wikipedia.com).
  • Generic Security Service Application Program Interface (GSSAPI) is an IETF standard for doing strong encrypted authentication in network based applications. OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication other than ssh_keys. (Information taken from Using GSSAPI authentication at SLAC).
The RSA Identity Governance & Lifecycle  SSH AFX connector does not support (cannot handle) any additional layer of authentication.
Resolution

Disable Kerberos and/or GSSAPI

Disable Kerberos and or GSSAPI by editing /etc/ssh/sshd_config.

  1. Login as root.
  2. Open /etc/ssh/sshd_config in a text editor and and modify the following entries:
    1. ​Under Kerberos options, modify any entry that is uncommented and set to yes to no. For example,
From:
# Kerberos options
KerberosAuthentication yes
To:
# Kerberos options
KerberosAuthentication no
  1. Under GSSAPI options, set GSSAPIAuthentication and GSSAPICleanupCredentials to no. For example,
# GSSAPI options
GSSAPIAuthentication no 
GSSAPICleanupCredentials no
  1. Save the file and restart sshd using the following command:
​# service sshd restart
Notes

 

Related Articles

Trending Articles

Don't see what you're looking for?