[31842] in Kerberos


RE: openssh + kerberos + windows ad

daemon@ATHENA.MIT.EDU (Sylvain Cortes)
Mon Jan 4 11:29:17 2010

Content-Class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 4 Jan 2010 17:35:55 +0100
Message-ID: <2BD223F81AB8D84CB25AE521924FA71E6E23C5@vmsrv-exchange>
In-Reply-To: <b0ab74af1001040817k40b39128le6d629db3614acc5@mail.gmail.com>
From: "Sylvain Cortes" <s.cortes@cerberis.com>
To: "Marcello Mezzanotti" <marcello.mezzanotti@gmail.com>, <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,
I know that Centrify provides a kerberised version of PuTTY for free: http://www.centrify.com/resources/putty.asp (just create an account and download it). And this version is fully "compliant" with AD. This is perhaps a good first step for you.
Regards
Sylvain

Sylvain Cortes
Partnership manager
E-mail: mailto:s.cortes@cerberis.com
Blog: www.identitycosmos.com
30 cours libération, Grenoble 38100
Tel: +33 4 76 21 17 03
Fax: +33 4 76 84 68 10
http://www.cerberis.com
--------------------------------------------------------------------------
www.identitycosmos.com http://www.identitycosmos.com/
--------------------------------------------------------------------------

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On behalf of Marcello Mezzanotti
Sent: Monday, 4 January 2010 17:17
To: kerberos@mit.edu
Subject: openssh + kerberos + windows ad
Hi all,
I'm not sure if it's the correct list, but
I'm trying to do a kind of SSO: basically, I want to ssh to a remote Linux machine, using openssh/putty (what version?), without a password prompt, just with a Kerberos ticket.
I have the following scenario:
Windows Server 2003 R2 (with Unix Services installed), it's the DC of my domain
Linux OpenSUSE 11.2, I configured it to do krb5/ldap authentication against my DC; it's working fine, I can log in remotely and locally with my AD credentials and it's working fine, as you can see below:

login as: mmezzanotti
Using keyboard-interactive authentication.
Password:
Last login: Wed Dec 30 14:00:19 2009 from localhost
Have a lot of fun...
mmezzanotti@os112:~> ls
bin      Documents  Music     Public       Templates
Desktop  Download   Pictures  public_html  Videos
mmezzanotti@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti@VMWARELAB.INT

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
        renew until 01/05/10 13:58:36
mmezzanotti@os112:~>

This Linux machine is on my AD domain and I have a valid krb ticket.
I'm trying to use ssh to connect to this server, but I want to use my krb ticket, not type a password.
I have enabled the GSSAPI options in my sshd_config:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

I restarted opensshd but it doesn't work:

mmezzanotti@os112:~> ssh -vvv mmezzanotti@os112.vmwarelab.int
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
debug1: Connection established.
debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Received disconnect from 192.168.86.14: 2: Too many authentication failures for mmezzanotti

Below are the lines about GSSAPI auth:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
Could anyone help me?
Another question: I downloaded a lot of patched PuTTY clients with GSSAPI support (to use on Windows machines); what is the correct one?
Thank you,
Marcello
--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
This message contains confidential information intended only for kerberos@mit.edu, marcello.mezzanotti@gmail.com. If you are not kerberos@mit.edu, marcello.mezzanotti@gmail.com, you must not disseminate, distribute or copy this e-mail. If you have received this e-mail in error, please notify s.cortes@cerberis.com immediately by e-mail and delete the message from your system. E-mail communications cannot be guaranteed to be fully secure and error-free, since they may be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Accordingly,  accepts no liability for any error or omission in the content of this message arising from its transmission by e-mail. If verification is required, please request a printed copy.
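Added example, not part of either message in this thread: a small Python script that reads `ssh -vvv` client output like the one Marcello quoted and tallies, per userauth method, how many packets the client sent and how many times the server answered with a bare failure list. In the quoted session the client sent three gssapi-with-mic requests and got "Authentications that can continue" back each time, then fell through to keyboard-interactive; the script turns that pattern into a finding that says where to look next. The embedded log is constructed, modelled on the quoted session with the user, host and address replaced, and the findings are generic troubleshooting pointers (sshd -d, the host keytab, klist), not a diagnosis taken from the thread.

```python
"""Tally SSH userauth methods from `ssh -vvv` client output (added example)."""
import re
import sys

# Constructed sample, modelled on the session quoted in the thread
# (user, host and address replaced); not a verbatim capture.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
Received disconnect from 192.0.2.14: 2: Too many authentication failures for alice
"""

# Line shapes OpenSSH's client prints during userauth (the space after the
# colon in the first one is optional; older builds print none).
OFFERED_RE = re.compile(r"Authentications that can continue:\s*(\S+)")
SENT_RE = re.compile(r"we sent a (\S+) packet, wait for reply")
SUCCESS_RE = re.compile(r"Authentication succeeded \((\S+)\)")
DISCONNECT_RE = re.compile(r"Received disconnect from \S+: \d+: (.*)")


def summarize_auth(log_text):
    """Count, per method, packets sent and server rejections.

    A failure list ("Authentications that can continue") that arrives while
    one of our packets is outstanding is the server rejecting that packet."""
    summary = {"offered": [], "attempts": {}, "rejected": {},
               "succeeded": None, "disconnect": None}
    awaiting = None  # method whose packet is waiting for the server's answer
    for line in log_text.splitlines():
        m = OFFERED_RE.search(line)
        if m:
            if not summary["offered"]:
                summary["offered"] = m.group(1).split(",")
            if awaiting:
                summary["rejected"][awaiting] = summary["rejected"].get(awaiting, 0) + 1
                awaiting = None
            continue
        m = SENT_RE.search(line)
        if m:
            summary["attempts"][m.group(1)] = summary["attempts"].get(m.group(1), 0) + 1
            awaiting = m.group(1)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            summary["succeeded"] = m.group(1)
            awaiting = None
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            summary["disconnect"] = m.group(1).strip()
    return summary


def diagnose(summary):
    """Turn the tally into (code, message) findings for the troubleshooter."""
    if summary["succeeded"]:
        return [("ok", "authenticated with %s" % summary["succeeded"])]
    findings = []
    sent = summary["attempts"].get("gssapi-with-mic", 0)
    if "gssapi-with-mic" not in summary["offered"]:
        findings.append(("gssapi-not-offered",
                         "server never offered gssapi-with-mic: GSSAPIAuthentication "
                         "is off in sshd_config, or sshd was not restarted"))
    elif sent == 0:
        findings.append(("gssapi-not-tried",
                         "server offers gssapi-with-mic but the client sent nothing: "
                         "check klist for a ticket and GSSAPIAuthentication in ssh_config"))
    elif summary["rejected"].get("gssapi-with-mic", 0) == sent:
        findings.append(("gssapi-rejected-by-server",
                         "client had credentials and sent %d gssapi-with-mic requests; "
                         "the server answered each with a bare failure, so the next clue "
                         "is on the server side (sshd -d, host keytab)" % sent))
    if any(m in summary["attempts"] for m in ("keyboard-interactive", "password")):
        findings.append(("fell-back-to-password",
                         "client fell through to a password prompt, so no SSO took place"))
    if summary["disconnect"]:
        findings.append(("disconnected", summary["disconnect"]))
    return findings


if __name__ == "__main__":
    # Pipe `ssh -vvv host 2>&1` into this script, or run it bare for the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for code, message in diagnose(summarize_auth(text)):
        print("%-26s %s" % (code, message))
```

Run bare it reports the sample: gssapi-with-mic sent 3, rejected 3, then a password fallback and the disconnect. Pipe a real `ssh -vvv` run into it (stderr merged, `2>&1`) and the same tally applies; a successful SSO run instead produces a single "ok" finding from the "Authentication succeeded (gssapi-with-mic)" line.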
