Problem:
I would like to use kerberos for authentication on remote execution jobs, but I am not sure I am installing and enabling it correctly.
I attempted to make the plugin available via foreman-installer:
foreman-installer -v --foreman-proxy-plugin-remote-execution-ssh-ssh-kerberos-auth
Then set :kerberos_auth: true
in /etc/smart_proxy_dynflow_core/settings.d/remote_execution_ssh.yml
I am under the impression foreman should now attempt kerberos auth before falling back to key-based authenticaiton.
My question now may be about kerberos more than foreman – how do I ensure that foreman-proxy has a valid TGT? I use FreeIPA for identity management and kerberos, is it as simple as creating an account for foreman-proxy, or does it need a service principle?
Expected outcome:
Enabling kerberos authentication for remote execution and configuring an account with a kerberos TGT for running remote commands.
Foreman and Proxy versions:
Foreman 1.21.4 and Smart Proxy 1.21.4
Distribution and version:
CentOS 7.7