[31843] in Kerberos
Re: openssh + kerberos + windows ad
daemon@ATHENA.MIT.EDU (Marcello Mezzanotti)
Mon Jan 4 12:18:38 2010
In-Reply-To: <4B421EDD.5040502@woefdram.nl>
Date: Mon, 4 Jan 2010 15:18:18 -0200
Message-ID: <b0ab74af1001040918wa2a4d5bh1734cb59b64db258@mail.gmail.com>
From: Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
To: Hans van Zijst <hans@woefdram.nl>, kerberos@mit.edu,
secureshell@securityfocus.com
Hans,
Thanks for your help. My sshd_config options match yours; sshd_config
doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.
I continue to receive the "we sent a gssapi-with-mic packet, wait for
reply" DEBUG message and then ssh tries password auth.
I saw something related to krb5.keytab, do you know something about this file?
Thank you,
marcello
On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans@woefdram.nl> wrote:
> Hi Marcello,
>
> A while ago I created the same construction that you want: ssh to a Linux
> machine and login automatically with Kerberos. My KDC also is a Windows 2003
> box with UNIX Services installed. It's been a while, and I don't remember a
> lot of details. I remember it did take quite a bit of work though :)
>
> In the logs you sent, I can't really find anything, but it "feels" like an
> incomplete SSH daemon configuration.
>
> In my sshd-config there are also these lines:
>
> PasswordAuthentication no
> KerberosAuthentication yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> On my client machine, I configured /etc/ssh/ssh_config with:
>
> GSSAPIKeyExchange yes
> GSSAPITrustDNS yes
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> I hope this will help you a bit. If not, please post the configuration of
> both the ssh-server and the ssh-client and I'll have a closer look.
>
> Kind regards,
>
> Hans
>
>
--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD