[31863] in Kerberos


Re: openssh + kerberos + windows ad

daemon@ATHENA.MIT.EDU (Hans van Zijst)
Tue Jan 5 15:57:17 2010

Message-ID: <4B430DA9.40608@woefdram.nl>
Date: Tue, 05 Jan 2010 11:00:09 +0100
From: Hans van Zijst <hans@woefdram.nl>
MIME-Version: 1.0
In-Reply-To: <mailman.137.1262625507.4612.kerberos@mit.edu>
X-Originally-To: Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Marcello,

Ah, you didn't have a keytab. I assumed you did :)

I used Windows to create the key and added it to /etc/krb5.keytab with 
ktutil. Perhaps these entries in /etc/krb5.conf make a difference. In 
your case, YaST has probably taken care of this file, but this is what I 
have put into it (apart from the other stuff like realm name and so on):

[libdefaults]
   forwardable = true
   proxiable = true

[appdefaults]
   forwardable = yes
   validate = true

Kind regards,

Hans



Marcello Mezzanotti wrote:
> Hans,
> 
> Thanks for your help, my sshd_config options match yours, sshd_config
> doesn't recognise GSSAPIKeyExchange and GSSAPITrustDNS options.
> 
> I continue to receive the "we sent a gssapi-with-mic packet, wait for
> reply" DEBUG message and the ssh tries password auth.
> 
> I saw something related to krb5.keytab, do you know something about this file?
> 
> thank you,
> marcello
> 
> 
> 
> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans@woefdram.nl> wrote:
>> Hi Marcello,
>>
>> A while ago I created the same construction that you want: ssh to a Linux
>> machine and login automatically with Kerberos. My KDC also is a Windows 2003
>> box with UNIX Services installed. It's been a while, and I don't remember a
>> lot of details. I remember it did take quite a bit of work though :)
>>
>> In the logs you sent, I can't really find anything, but it "feels" like an
>> incomplete SSH daemon configuration.
>>
>> In my sshd-config there are also these lines:
>>
>> PasswordAuthentication no
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd no
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> On my client machine, I configured /etc/ssh/ssh_config with:
>>
>> GSSAPIKeyExchange yes
>> GSSAPITrustDNS yes
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> I hope this will help you a bit. If not, please post the configuration of
>> both the ssh-server and the ssh-client and I'll have a closer look.
>>
>> Kind regards,
>>
>> Hans
>>
>>
> 
> 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
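
An added example, not part of the original messages and not code from OpenSSH or MIT Kerberos: a Python check for the two server-side conditions this thread turns on, namely the sshd_config settings Hans lists and a host key in /etc/krb5.keytab. The host name, realm, sample config and `klist -k` listing are constructed, and the key name host/<fqdn>@REALM is the usual sshd convention, assumed here rather than stated in the thread.

```python
import re

# Subset of the server-side sshd_config settings Hans lists in the quoted message.
EXPECTED_SSHD = {
    "passwordauthentication": "no",
    "kerberosauthentication": "yes",
    "gssapiauthentication": "yes",
    "gssapicleanupcredentials": "yes",
}

def sshd_effective(text):
    """Global sshd_config options; keywords are case-insensitive, first value wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (fine for yes/no options)
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":                    # conditional blocks are not global settings
            break
        opts.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return opts

def keytab_principals(klist_text):
    """Principal names from plain `klist -k` output (rows of 'KVNO principal')."""
    return {m.group(1) for m in re.finditer(r"^[ \t]*\d+[ \t]+(\S+@\S+)", klist_text, re.M)}

def diagnose(sshd_text, klist_text, fqdn):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    opts = sshd_effective(sshd_text)
    for key, want in EXPECTED_SSHD.items():
        got = opts.get(key, "(unset)")
        if got != want:
            findings.append(f"sshd_config: {key} is {got}, thread uses {want}")
    if not any(p.startswith(f"host/{fqdn}@") for p in keytab_principals(klist_text)):
        findings.append(f"keytab: no key for host/{fqdn}")
    return findings

# Constructed samples (not from the thread): same config, keytab without and with a host key.
SAMPLE_SSHD = """\
PasswordAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
"""
SAMPLE_KLIST_EMPTY = "Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----------\n"
SAMPLE_KLIST_OK = SAMPLE_KLIST_EMPTY + "   3 host/linuxbox.example.com@EXAMPLE.COM\n"
```

On a real server the inputs would be the contents of sshd_config and the output of `klist -k /etc/krb5.keytab`.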
