[31845] in Kerberos
Re: openssh + kerberos + windows ad
daemon@ATHENA.MIT.EDU (Marcello Mezzanotti)
Mon Jan 4 12:40:36 2010
MIME-Version: 1.0
In-Reply-To: <9A9815F150B54BCDAD6D9E3BBB61B331@CDCHOME>
Date: Mon, 4 Jan 2010 15:40:30 -0200
Message-ID: <b0ab74af1001040940m65d4a422pe3db9ad9c3b75e93@mail.gmail.com>
From: Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
To: "Christopher D. Clausen" <cclausen@acm.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
CDC,
Unfortunately I can't use IRC here, and, as I imagined, I don't have any keytab file:

os112:~ # klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan

How can I generate this file directly on Linux? If I generate this file on Windows, can I export it to Linux?

BTW, I'm using Windows Server 2003 R2 Enterprise SP2.

Thank you,
Marcello
On Mon, Jan 4, 2010 at 3:30 PM, Christopher D. Clausen <cclausen@acm.org> wrote:
> Marcello,
>
> Can you show us the output of klist -kte (as root) on the machine running
> sshd? You need to have a proper keytab for ssh to use GSSAPI
> authentication.
>
> Against AD, you can generate a keytab using ktpass.exe. Make sure you are
> using the 2003 SP2 version (or newer) of ktpass as some known problems were
> fixed. http://support.microsoft.com/kb/926027
>
> There are several of us in the #kerberos IRC channel on Freenode if you
> would like some interactive help in getting this to work.
>
> <<CDC>>
>
> Marcello Mezzanotti <marcello.mezzanotti@gmail.com> wrote:
>>
>> Hans,
>>
>> Thanks for your help, my sshd_config options match yours, sshd_config
>> doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.
>>
>> I continue to receive the "we sent a gssapi-with-mic packet, wait for
>> reply" DEBUG message and the ssh tries password auth.
>>
>> I saw something related to krb5.keytab, do you know something about
>> this file?
>>
>> Thank you,
>> Marcello
>>
>>
>> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans@woefdram.nl>
>> wrote:
>>>
>>> Hi Marcello,
>>>
>>> A while ago I created the same construction that you want: ssh to a
>>> Linux machine and login automatically with Kerberos. My KDC also is
>>> a Windows 2003 box with UNIX Services installed. It's been a while,
>>> and I don't remember a lot of details. I remember it did take quite a
>>> bit of work though :)
>>>
>>> In the logs you sent, I can't really find anything, but it "feels"
>>> like an incomplete SSH daemon configuration.
>>>
>>> In my sshd-config there are also these lines:
>>>
>>> PasswordAuthentication no
>>> KerberosAuthentication yes
>>> KerberosOrLocalPasswd no
>>> KerberosTicketCleanup yes
>>> GSSAPIAuthentication yes
>>> GSSAPICleanupCredentials yes
>>>
>>> On my client machine, I configured /etc/ssh/ssh_config with:
>>>
>>> GSSAPIKeyExchange yes
>>> GSSAPITrustDNS yes
>>> GSSAPIAuthentication yes
>>> GSSAPIDelegateCredentials yes
>>>
>>> I hope this will help you a bit. If not, please post the
>>> configuration of both the ssh-server and the ssh-client and I'll
>>> have a closer look.
>>>
>>> Kind regards,
>>>
>>> Hans
>>
--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
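As an added example, not part of this thread or of any project's code: a POSIX sh pre-flight check for the two prerequisites Christopher points at, a keytab that actually holds a host/<fqdn>@REALM key (what klist -kte should list) and GSSAPIAuthentication enabled in sshd_config. The hostname os112.example.com, the realm EXAMPLE.COM and the klist and sshd_config samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-flight checks for sshd GSSAPI
# authentication against AD. Two things the thread points at: a keytab that
# holds a host/<fqdn>@REALM key (klist -kte), and GSSAPIAuthentication set to
# yes in sshd_config. All sample data below is constructed.

# Constructed sample of what `klist -kte` prints once a keytab exists.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/04/10 15:00:00 host/os112.example.com@EXAMPLE.COM (arcfour-hmac)
   3 01/04/10 15:00:00 host/os112.example.com@EXAMPLE.COM (des-cbc-crc)'

# Constructed sample of the klist error quoted in the thread (no keytab yet).
SAMPLE_KLIST_MISSING='Keytab name: WRFILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan'

# Constructed sshd_config fragment using the options quoted in the thread.
# The commented-out line must be ignored; sshd uses the first active value.
SAMPLE_SSHD_CONFIG='#GSSAPIAuthentication no
PasswordAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes'

# keytab_has_host_key KLIST_OUTPUT FQDN REALM
# Returns 0 only when the output lists a host/FQDN@REALM entry; a missing
# keytab (the error above) or a keytab for another host returns 1.
keytab_has_host_key() {
    printf '%s\n' "$1" | grep -Fq "host/$2@$3"
}

# sshd_option KEY CONFIG
# Prints the effective value of KEY as sshd would read it: comment lines are
# skipped, keywords are case-insensitive, and the first match wins.
sshd_option() {
    printf '%s\n' "$2" \
        | grep -v '^[[:space:]]*#' \
        | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# gssapi_ready KLIST_OUTPUT FQDN REALM CONFIG
# Returns 0 when both prerequisites hold.
gssapi_ready() {
    keytab_has_host_key "$1" "$2" "$3" &&
        [ "$(sshd_option GSSAPIAuthentication "$4")" = yes ]
}
```

On the real host, run as root so the keytab is readable and feed it live data: gssapi_ready "$(klist -kte 2>&1)" "$(hostname -f)" EXAMPLE.COM "$(cat /etc/ssh/sshd_config)".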