[31847] in Kerberos


Re: openssh + kerberos + windows ad

daemon@ATHENA.MIT.EDU (Marcello Mezzanotti)
Mon Jan 4 12:56:30 2010

MIME-Version: 1.0
In-Reply-To: <a64bf031001040941o15cd7d98vf9214115a1ce2425@mail.gmail.com>
Date: Mon, 4 Jan 2010 15:56:14 -0200
Message-ID: <b0ab74af1001040956q582ae3e8u92e07a00e4c7caa8@mail.gmail.com>
From: Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
To: Javier Palacios <javiplx@gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Javier,
I'm trying ticket auth; password auth against AD (KDC) (krb+ldap pam) is working fine:

mmezzanotti@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti@VMWARELAB.INT

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
        renew until 01/05/10 13:58:36
01/04/10 14:09:23  01/04/10 23:58:37  host/os112.vmwarelab.int@VMWARELAB.INT
        renew until 01/05/10 13:58:36

I got these tickets doing ssh with password auth, but now I have tickets; I want to use ssh without a password (just tickets).

thank you,
marcello
On Mon, Jan 4, 2010 at 3:41 PM, Javier Palacios <javiplx@gmail.com> wrote:
>> login as: mmezzanotti
>> Using keyboard-interactive authentication.
>> Password:
>> Last login: Wed Dec 30 14:00:19 2009 from localhost
>> Have a lot of fun...
>> mmezzanotti@os112:~> ls
>> bin      Documents  Music     Public       Templates
>> Desktop  Download   Pictures  public_html  Videos
>> mmezzanotti@os112:~> klist
>> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
>> Default principal: mmezzanotti@VMWARELAB.INT
>>
>> Valid starting     Expires            Service principal
>> 01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
>>        renew until 01/05/10 13:58:36
>
> I'm not sure if you are actually testing ticket authentication, but
> just kerberos password authentication (by far much easier).
> To actually check what you want, I recommend you start working just on
> the linux node, and enter as whichever user. then
> # kinit mmezzanotti
> # ssh mmezzanotti@os112
> If it does ask you for password, then credential authentication is not
> working. And depending if your TGT was proxyable or not, you might
> even end with void output from klist.
>
> Someone answered about the need of a host keytab to achieve this. As
> far as I remember that is not mandatory for linux (or wasn't for a
> debian in 2004), but take into account.
>
>> mmezzanotti@os112:~> ssh -vvv mmezzanotti@os112.vmwarelab.int
>>
>
> Try adding 'debug' to all pam.d lines on kerberos. That will produce a
> much less verbose and hopefully more useful info.
>


-- 
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
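The check Javier describes (kinit, then ssh, and see whether a password prompt appears) is easy to misread when PAM password auth also works, because a prompt-and-success path looks the same as a ticket path from the user's side. The script below is an added example, not code from the thread or from either poster: it parses klist output for the TGT and the host/ service ticket, and builds an ssh command line that disables every non-GSSAPI method, so the exit status alone says whether ticket authentication worked. The user, host and realm come from the thread; the sample klist text is constructed, and the function names and the RUN_LIVE_CHECK guard are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Turns "kinit, ssh, were you asked
# for a password?" into a script with an unambiguous result:
#  (1) parse klist output for the TGT and the host/ service ticket,
#  (2) build an ssh command that can only succeed via gssapi-with-mic.
# User, host and realm are the thread's; everything else is assumed.

# Constructed sample klist output, shaped like the one in the thread,
# so the parsing functions can be exercised without a KDC.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti@VMWARELAB.INT

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
        renew until 01/05/10 13:58:36
01/04/10 14:09:23  01/04/10 23:58:37  host/os112.vmwarelab.int@VMWARELAB.INT
        renew until 01/05/10 13:58:36'

# cache_principal KLIST_TEXT -> prints the value of the "Default principal" line
cache_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# has_tgt KLIST_TEXT REALM -> exit 0 if the cache holds krbtgt/REALM@REALM
has_tgt() {
    printf '%s\n' "$1" | grep -F -q -- "krbtgt/$2@$2"
}

# has_host_ticket KLIST_TEXT FQDN REALM -> exit 0 if host/FQDN@REALM is cached.
# A successful GSSAPI ssh login leaves this ticket behind; if it is missing
# after an attempt, ssh never asked the KDC for it (wrong principal, missing
# keytab on the server, or GSSAPI disabled on one side).
has_host_ticket() {
    printf '%s\n' "$1" | grep -F -q -- "host/$2@$3"
}

# ticket_only_ssh_cmd USER FQDN -> prints an ssh command line that refuses
# every non-GSSAPI method. BatchMode=yes forbids any interactive prompt, so
# PAM password auth can never mask a broken ticket setup.
# Add -o GSSAPIDelegateCredentials=yes if the remote side should also get a
# TGT; without delegation the remote klist is empty, as Javier notes.
ticket_only_ssh_cmd() {
    printf 'ssh -o GSSAPIAuthentication=yes -o PreferredAuthentications=gssapi-with-mic -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o BatchMode=yes %s@%s true' "$1" "$2"
}

# Live check: only runs when asked for explicitly and the tools exist.
# Usage: kinit USER; RUN_LIVE_CHECK=1 sh this_script.sh
live_check() {
    user=$1; fqdn=$2; realm=$3
    command -v klist >/dev/null 2>&1 && command -v ssh >/dev/null 2>&1 || {
        echo "klist/ssh not available"; return 2; }
    out=$(klist 2>/dev/null) || { echo "no credential cache; run kinit $user first"; return 1; }
    has_tgt "$out" "$realm" || { echo "no TGT for $realm in cache"; return 1; }
    if sh -c "$(ticket_only_ssh_cmd "$user" "$fqdn")"; then
        echo "ticket-only login OK"
    else
        echo "ticket-only login FAILED; rerun with ssh -vvv and read the gssapi-with-mic lines"
        return 1
    fi
    has_host_ticket "$(klist 2>/dev/null)" "$fqdn" "$realm" && echo "host/$fqdn ticket now cached"
}

if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    live_check mmezzanotti os112.vmwarelab.int VMWARELAB.INT
fi
```

With the parsing functions separated from the live call, the same script can be run against a saved klist dump on a machine without Kerberos tools, and against the real cache once the client is joined to the realm. A non-zero exit from the generated ssh command with GSSAPI still enabled on both ends usually points at the server's host/ key (keytab) or at a principal name mismatch rather than at the client's TGT.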
