[31844] in Kerberos
Re: openssh + kerberos + windows ad
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Mon Jan 4 12:29:28 2010
Message-ID: <9A9815F150B54BCDAD6D9E3BBB61B331@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: "Marcello Mezzanotti" <marcello.mezzanotti@gmail.com>, <kerberos@mit.edu>
Date: Mon, 4 Jan 2010 11:30:34 -0600
Marcello,
Can you show us the output of klist -kte (as root) on the machine
running sshd? You need to have a proper keytab for ssh to use GSSAPI
authentication.
Against AD, you can generate a keytab using ktpass.exe. Make sure you
are using the 2003 SP2 version (or newer) of ktpass as some known
problems were fixed. http://support.microsoft.com/kb/926027
There are several of us in the #kerberos IRC channel on Freenode if you
would like some interactive help in getting this to work.
<<CDC
Marcello Mezzanotti <marcello.mezzanotti@gmail.com> wrote:
> Hans,
>
> Thanks for your help, my sshd_config options match yours, sshd_config
> doesn't recognise GSSAPIKeyExchange and GSSAPITrustDNS options.
>
> I continue to receive the "we sent a gssapi-with-mic packet, wait for
> reply" DEBUG message and the ssh tries password auth.
>
> I saw something related to krb5.keytab, do you know something about
> this file?
>
> thank you,
> marcello
>
>
>
> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans@woefdram.nl>
> wrote:
>> Hi Marcello,
>>
>> A while ago I created the same construction that you want: ssh to a
>> Linux machine and login automatically with Kerberos. My KDC also is
>> a Windows 2003 box with UNIX Services installed. It's been a while,
>> and I don't remember a lot of details. I remember it did take quite a
>> bit of work though :)
>>
>> In the logs you sent, I can't really find anything, but it "feels"
>> like an incomplete SSH daemon configuration.
>>
>> In my sshd-config there are also these lines:
>>
>> PasswordAuthentication no
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd no
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> On my client machine, I configured /etc/ssh/ssh_config with:
>>
>> GSSAPIKeyExchange yes
>> GSSAPITrustDNS yes
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> I hope this will help you a bit. If not, please post the
>> configuration of both the ssh-server and the ssh-client and I'll
>> have a closer look.
>>
>> Kind regards,
>>
>> Hans
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
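
Added example (not part of the original thread): sshd accepts GSSAPI logins only if its keytab holds a key for host/<fqdn>@REALM, so this sh function filters a klist -kte listing for that entry. The function name, host name, realm and sample listing are constructed placeholders.

```shell
#!/bin/sh
# On a real server (as root):
#   klist -kte /etc/krb5.keytab | host_keys "$(hostname -f)"

# host_keys FQDN
# Reads a `klist -kte` listing on stdin and prints "kvno principal enctype"
# for every host/FQDN@REALM entry. Exit status 0 if one was found, else 1.
host_keys() {
    awk -v want="host/$1@" '
        # Entry rows start with a numeric KVNO; the header rows do not.
        $1 ~ /^[0-9]+$/ {
            princ = ""
            # The principal is the first field that contains "@".
            for (i = 2; i <= NF; i++)
                if (index($i, "@")) { princ = $i; break }
            # Case-sensitive prefix match: HOST/... or a short host name
            # in the keytab does not count as the entry sshd looks up.
            if (index(princ, want) == 1) {
                # The enctype is the parenthesised text ending the row.
                enc = $0
                sub(/^[^(]*\(/, "", enc)
                sub(/\)[^)]*$/, "", enc)
                printf "%s %s %s\n", $1, princ, enc
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample listing in MIT klist -kte layout (placeholder names).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/04/10 11:02:13 host/linux1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 01/04/10 11:02:13 HTTP/linux1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
EOF
}

# Demo run on the constructed listing.
sample_listing | host_keys linux1.example.com
```

An empty result with exit status 1 means the keytab has no usable host/ key for that name, which is the case ktpass.exe is meant to fix.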