Forwarding Kerberos Credentials - SSH
Parag Godkar
paragg at konark.ncst.ernet.in
Tue Jun 17 08:58:29 EDT 2003
> > 1. Do I have to compile openssh on all the linux servers after
> > applying Simon Wilkinson's gss-api patch from -
> > http://www.sxw.org.uk/computing/patches/openssh.html
>
> Yes, if you want to use protocol 2. If you use protocol 1, you don't
> need the patches. I highly recommend protocol 2 for Kerberos use.
>
>
> You haven't described your setup well enough to get any help. (Other
> than the above 2 questions, however you got them both right.) Most
> importantly, you haven't described whether krb5 works at all.
>
> Try /usr/kerberos/bin/telnet on your Linux machine and see if that works.
> If not, the problem is in your krb5 setup, not openssh.
Thanks, Frank, for the reply.
I am elaborating a bit, as requested by you, so that I make myself clearer -
1) I have a rhlinux 9 test server configured as a kerberos client to the
Windows 2000 KDC. (I know it is properly configured as we are using the
same setup on our production servers for the past one year, only that we
have never been able to forward kerberos credentials.)
2) I have the following krb5 and openssh "rpms" installed on this rhlinux 9
test server -
krb5-server-1.2.7-10
krb5-workstation-1.2.7-10
krb5-libs-1.2.7-10
krb5-devel-1.2.7-10
pam_krb5-1.60-1
openssh-3.5p1-6
openssh-server-3.5p1-6
openssh-clients-3.5p1-6
3) I am using SSH Secure Shell from www.ssh.com to connect to this rhlinux 9
test server from a windows client.
4) I am able to ssh to this linux test server using "SSH Secure Shell" from
a windows client using my kerberos password. I am able to get kerberos
credentials, which I can verify by issuing the command "klist -5af", which
gives this result -
-------------------------------------------------------------------------
Ticket cache: FILE:/tmp/krb5cc_1002_CBmkCB
Default principal: paragg at TEST.NCST.ERNET.IN
Valid starting     Expires            Service principal
06/17/03 17:40:01  06/18/03 03:40:01  krbtgt/TEST.NCST.ERNET.IN at TEST.NCST.ERNET.IN
        renew until 06/18/03 03:40:01, Flags: FPRIA
        Addresses: kripa.ncst.ernet.in
-------------------------------------------------------------------------
5) But when I ssh to another linux server in the same kerberos domain from
the already connected ssh session, the credentials do not get forwarded;
instead I am again prompted for a password.
6) I am able to login to that other linux server by providing the kerberos
password again, and I get another set of kerberos credentials, which I have
verified.
I draw the following conclusions from these -
1. krb5 is working fine.
2. ssh with rpm install is also working fine, as I get the kerberos
credentials; only that I am not able to forward them.
3. I must compile openssh with gss-api patch to enable forwarding of
kerberos credentials obtained from Win2k KDC.
7) So now I compile openssh-3.6.1p2 after applying the gss-api patch on the
rhlinux 9 test server and install it in /usr/local as follows -
./configure --with-kerberos5=/usr/kerberos
autoreconf
make
make install
8) I stop the "sshd" daemon from /etc/init.d and start the newly compiled
daemon - /usr/local/sbin/sshd & .
9) Now it doesn't seem to work as I am not able to ssh to the linux
test server using my kerberos password but I am able to ssh using
local shadow password.
I draw the following conclusions from these -
1. Newly compiled ssh is working fine as normal ssh logins work.
2. But, it has not been properly kerberized as kerberos logins fail.
That is just why I thought that the warning messages I received during
configure are the cause for this misbehaviour, but you say it is normal.
Now I have the following questions -
1. Is forwarding of Kerberos Credentials for a Win2k KDC not possible with
an "rpm" install of openssh, and must I compile openssh with the gss-api
patch in order to support forwarding?
2. If I must compile, then what is wrong with my compilation, as it doesn't
work for kerberos?
3. I think I am using SSH 2, as the "SSH Secure Shell" client prompts me if
I am using SSH1, which is true in the case of one of our old solaris servers.
Do you mean that by using the "rpm" install of openssh I will be using SSH1,
and I need to compile openssh with the gss-api patch in order to use SSH2?
Thanks in advance.
Regards,
Parag Godkar
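An added example, not part of the post above: a small checker that parses klist -5af output of the kind quoted in the mail and reports whether the TGT in the cache is even eligible for forwarding (F flag present, not expired, and whether it is bound to a host address, which is what bites behind NAT or on multi-homed hosts). The sample output is constructed from the post, with '@' restored where the archive printed ' at '.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the klist -5af output quoted in the post.
# MIT klist prints principals with '@'; the list archive rendered it as ' at '.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1002_CBmkCB
Default principal: paragg@TEST.NCST.ERNET.IN
Valid starting     Expires            Service principal
06/17/03 17:40:01  06/18/03 03:40:01  krbtgt/TEST.NCST.ERNET.IN@TEST.NCST.ERNET.IN
        renew until 06/18/03 03:40:01, Flags: FPRIA
        Addresses: kripa.ncst.ernet.in
"""

# A ticket line: start time, expiry time, service principal (old MIT date format).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
DATE_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist -5af output."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif m:
            start, expires, service = m.groups()
            tickets.append({"start": start, "expires": expires, "service": service,
                            "flags": "", "addresses": []})
        elif tickets and "Flags:" in line:          # continuation line of the last ticket
            tickets[-1]["flags"] = line.split("Flags:", 1)[1].strip()
        elif tickets and line.startswith("Addresses:"):
            tickets[-1]["addresses"] = line.split(":", 1)[1].split()
    return principal, tickets


def tgt_status(text, now):
    """Summarise whether the TGT in this cache can be delegated over ssh at time `now`."""
    principal, tickets = parse_klist(text)
    realm = principal.rsplit("@", 1)[1]
    tgt = next((t for t in tickets if t["service"] == "krbtgt/%s@%s" % (realm, realm)), None)
    if tgt is None:
        return {"tgt": False}
    return {
        "tgt": True,
        "forwardable": "F" in tgt["flags"],    # without the F flag nothing can be forwarded
        "renewable": "R" in tgt["flags"],
        "expired": datetime.strptime(tgt["expires"], DATE_FMT) <= now,
        "address_bound": bool(tgt["addresses"]),  # address-locked tickets fail behind NAT
    }
```

If the TGT reports forwardable and unexpired but the hop still prompts for a password, the cache is fine and the problem lies in the ssh client/server negotiation rather than in krb5.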