[31841] in Kerberos
openssh + kerberos + windows ad
daemon@ATHENA.MIT.EDU (Marcello Mezzanotti)
Mon Jan 4 11:17:11 2010
MIME-Version: 1.0
In-Reply-To: <b0ab74af1001040813y3a6cff01na482db4b6ecb56c3@mail.gmail.com>
Date: Mon, 4 Jan 2010 14:17:05 -0200
Message-ID: <b0ab74af1001040817k40b39128le6d629db3614acc5@mail.gmail.com>
From: Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi all,
I'm not sure if this is the correct list, but:

I'm trying to do a kind of SSO. Basically, I want to SSH to a remote Linux machine, using OpenSSH/PuTTY (which version?), without a password prompt, just with a Kerberos ticket.
I have the following scenario:

Windows Server 2003 R2 (with Unix Services installed); it's the DC of my domain.
Linux openSUSE 11.2; I configured it to do krb5/LDAP authentication against my DC. It's working fine: I can log in remotely and locally with my AD credentials, as you can see below:
login as: mmezzanotti
Using keyboard-interactive authentication.
Password:
Last login: Wed Dec 30 14:00:19 2009 from localhost
Have a lot of fun...
mmezzanotti@os112:~> ls
bin      Documents  Music     Public       Templates
Desktop  Download   Pictures  public_html  Videos
mmezzanotti@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti@VMWARELAB.INT

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
        renew until 01/05/10 13:58:36
mmezzanotti@os112:~>
This Linux machine is on my AD domain and I have a valid Kerberos ticket.

I'm trying to use SSH to connect to this server, but I want to use my Kerberos ticket, not type a password.

I have enabled the GSSAPI options in my sshd_config:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

I restarted sshd, but it doesn't work:
mmezzanotti@os112:~> ssh -vvv mmezzanotti@os112.vmwarelab.int
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
debug1: Connection established.
debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Received disconnect from 192.168.86.14: 2: Too many authentication failures for mmezzanotti
Below are the lines about GSSAPI auth:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
Could anyone help me?

Another question: I downloaded a lot of patched PuTTY clients with GSSAPI support (to use on Windows machines). What is the correct one?

Thank you,
Marcello
--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD

________________________________________________
Kerberos mailing list  Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
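Added diagnostic script for the failure pattern in the message above; it is not part of the original thread and is not the poster's code. What the debug output shows: sshd advertises gssapi-with-mic, the client sends a GSSAPI packet three times (the OpenSSH 5.x client first builds the initial token locally for each Kerberos mechanism OID the GSS library exports, and only sends when that succeeds), and each time sshd answers with the remaining-methods list, after which the client gives up. So the client side had a TGT and could obtain a service ticket; the token was refused on the server side. The usual cause is that /etc/krb5.keytab on the SSH server holds no key for host/<fqdn>@REALM (password logins through PAM never touch that key, which is why they keep working), followed by a kvno or host-name mismatch between the keytab entry and the ticket. The script below encodes those checks; it assumes MIT krb5 tools (klist, klist -k, kvno) and their output layouts, OpenSSH's client debug wording, and that the service principal lives in the same realm as the user's TGT. Host names and principals in the embedded sample are taken from the thread and the sample transcript is constructed.

```shell
#!/bin/sh
# Pre-flight checks for Kerberos (gssapi-with-mic) logins to OpenSSH.
# Added example for this thread, not code from the original post.
# The check functions read tool output on stdin so they can be run over
# captured text; "--live" runs klist/kvno/ssh for real. Assumes MIT krb5
# output formats (klist, klist -k, kvno) and OpenSSH client debug wording.

# Principal sshd must hold a key for: host/<fqdn, lowercased>@REALM.
expected_service_principal() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'host/%s@%s\n' "$fqdn" "$2"
}

# stdin: `klist` output. Prints the default principal's realm only if a
# krbtgt/ (TGT) line is present; prints nothing otherwise.
tgt_realm() {
    awk '/^Default principal:/ { split($3, p, "@"); realm = p[2] }
         /krbtgt\// { found = 1 }
         END { if (found) print realm }'
}

# stdin: `klist -k` output (MIT "KVNO Principal" layout). Exit 0 if the
# keytab has an entry for $1 at any kvno.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# stdin: `ssh -vvv` output. Classifies the gssapi-with-mic attempt:
#   not-offered  sshd did not list gssapi-with-mic (GSSAPIAuthentication no
#                on the server, or sshd built without GSSAPI)
#   not-sent     client never sent a GSSAPI packet: it could not build a
#                token locally (no TGT, or no service ticket obtainable
#                for host/<fqdn>), or the method is off in ssh_config
#   rejected     client sent token(s) and sshd answered each with the
#                remaining-methods list: sshd could not accept the token
#                (keytab entry missing/unreadable, kvno or name mismatch)
#   accepted     ssh logged "Authentication succeeded (gssapi-with-mic)"
gssapi_outcome() {
    awk '/Authentications that can continue:.*gssapi-with-mic/ { offered = 1 }
         /we sent a gssapi-with-mic packet/ { sent++ }
         /Authentication succeeded \(gssapi-with-mic\)/ { ok = 1 }
         END {
             if (ok) print "accepted"
             else if (!offered) print "not-offered"
             else if (sent == 0) print "not-sent"
             else print "rejected (" sent " attempt(s))"
         }'
}

# Constructed excerpt with the pattern seen in the thread: three GSSAPI
# packets, each answered by the server with the method list.
sample_outcome() {
    printf '%s\n' \
      'debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive' \
      'debug1: Next authentication method: gssapi-with-mic' \
      'debug2: we sent a gssapi-with-mic packet, wait for reply' \
      'debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive' \
      'debug2: we sent a gssapi-with-mic packet, wait for reply' \
      'debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive' \
      'debug2: we sent a gssapi-with-mic packet, wait for reply' \
      'debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive' \
      'debug2: we did not send a packet, disable method' | gssapi_outcome
}

if [ "${1:-}" = "--live" ]; then
    target=${2:?usage: $0 --live [user@]host}
    host=${target#*@}
    realm=$(klist 2>/dev/null | tgt_realm)
    [ -n "$realm" ] || { echo "no TGT in the credential cache; run kinit first"; exit 1; }
    spn=$(expected_service_principal "$host" "$realm")
    echo "expected service principal: $spn"
    # 1. Can the KDC (the AD domain controller) issue a ticket for that SPN at all?
    kvno "$spn" || echo "KDC will not issue a ticket for $spn: register the SPN on the computer account"
    # 2. On the server itself (needs read access to the keytab): is the key there?
    if [ -r /etc/krb5.keytab ]; then
        klist -k | keytab_has_principal "$spn" && echo "keytab has $spn" \
            || echo "keytab lacks $spn (PAM password logins do not need it, GSSAPI does)"
    fi
    # 3. Try only gssapi-with-mic, non-interactively, and classify the result.
    echo "gssapi-with-mic: $(ssh -vvv -o BatchMode=yes -o PreferredAuthentications=gssapi-with-mic \
        "$target" true 2>&1 | gssapi_outcome)"
else
    echo "sample transcript from the thread: $(sample_outcome)"
fi
```

Run it as `sh check_gssapi_ssh.sh --live mmezzanotti@os112.vmwarelab.int` on the client; on a host that is both client and server, as in the thread, step 2 runs in the same pass (it needs a user that can read the keytab). If step 1 fails, the fix is on the AD side (the computer account needs the host/ SPN); if step 1 succeeds but step 2 or 3 fails, the fix is on the Linux server (a keytab entry whose principal and kvno match the ticket the KDC just issued, readable by sshd). After a failed attempt, a plain `klist` on the client lists the host/ service ticket it actually obtained, which is the exact name to look for in the keytab. On the PuTTY question in the message: PuTTY has shipped with built-in GSSAPI (SSPI) authentication since release 0.61, so patched builds are no longer needed on current versions.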