Forwarding Kerberos Credentials - SSH
Parag Godkar
paragg at konark.ncst.ernet.in
Mon Jun 23 00:27:04 EDT 2003
Hi,
Many thanks to all who replied. It helped me work
in the right direction.
However, I am still confused whether what I am trying to
achieve is really possible. I am going to divide my mail
into two parts -
PART I -
------------
In PART I, I want to state a few things that were not clear
in my previous postings, as some of you wanted more info.
PART II -
-------------
In PART II, I have tried to check most of the things
that others have advised.
So PART I -
---------------
This is what I am trying to achieve (I am repeating a
few things stated in my previous mail so that the idea remains clear.
Please advise me if I am trying to do something impossible
or where I am going wrong) -
1. We have a few Red Hat linux servers in a kerberos domain.
The Windows 2000 Server acts as the KDC.
2. The telnet server running on the linux servers is the one in
/usr/kerberos/sbin/telnetd. The ssh server is the default rpm
install as stated in my previous mail.
3. There are user accounts WITHOUT PASSWORDS on the linux
servers. Passwords are stored in the Windows 2000 Server.
4. Each of our users has a windows 2000 professional client.
He/She logs in to his/her windows machine.
5. Then using PuTTY or SSH Secure Shell from www.ssh.com
he/she uses telnet/ssh to connect to one of the linux servers
from the windows 2000 professional client.
6. They are authenticated against the active directory
by "pam_krb5" on the linux server, as there are no passwords
on the linux server but only accounts in /etc/password.
7. Now both putty and SSH Secure Shell are not kerberized.
(If I am not wrong, both the telnet/ssh client and server
have to be kerberized in order to get kerberos tickets.)
8. However, I think "pam_krb5" gives them the tickets
After the user logs in to a linux server using telnet/ssh,
he/she can check his/her credentials as follows -
(a) klist -5fa
which gives the following result -
-----------------------------------------------------------------
Ticket cache: FILE:/tmp/krb5cc_p11807
Default principal: paragg@TEST.NCST.ERNET.IN

Valid starting     Expires            Service principal
06/22/03 10:45:28  06/22/03 20:45:28  krbtgt/TEST.NCST.ERNET.IN@TEST.NCST.ERNET.IN
        Flags: FPIA
        Addresses: kripa.ncst.ernet.in
-----------------------------------------------------------------
It can be observed that the flags show that
the credentials obtained are forwardable (F).
(b) Also, Running
echo $KRB5CCNAME gives FILE:/tmp/krb5cc_p11807
(c) Running ls -l /tmp/krb5* gives
-rw------- 1 paragg spc 1208 Jun 22 10:45 /tmp/krb5cc_p11807
9. Now from this telnet/ssh session, I would like the users to
telnet/ssh to another linux server (or to the same server)
in the same kerberos domain WITHOUT BEING PROMPTED FOR A
PASSWORD.
NOW THIS IS WHAT I WANT TO KNOW IF IT IS
PRACTICABLE OR I AM TRYING TO DO SOMETHING
IMPOSSIBLE?
10. However, the user is prompted for a password and on entering
the kerberos password, he/she gets another set of credentials
on that server (or on the same server if he/she opens another
telnet/ssh session on the same server).
(a) Running klist -5fa again gives -
-----------------------------------------------------------------
Ticket cache: FILE:/tmp/krb5cc_p11905
Default principal: paragg@TEST.NCST.ERNET.IN

Valid starting     Expires            Service principal
06/22/03 10:51:30  06/22/03 20:51:30  krbtgt/TEST.NCST.ERNET.IN@TEST.NCST.ERNET.IN
        Flags: FPIA
        Addresses: kripa.ncst.ernet.in
-----------------------------------------------------------------
It can be observed that the flags show that
the credentials obtained are still forwardable (F)
and not forwarded (f).
(b) Also, Running
echo $KRB5CCNAME gives FILE:/tmp/krb5cc_p11905
(c) Running ls -l /tmp/krb5* gives
-rw------- 1 paragg spc 1208 Jun 22 10:45 /tmp/krb5cc_p11807
-rw------- 1 paragg spc 1208 Jun 22 10:51 /tmp/krb5cc_p11905
It can be observed that it is a different cache.
11. So, you see forwarding credentials does not work
for telnet/ssh for me.
I also tried ssh -1, but that doesn't help either.
12. This is true even if I do "kinit" after telnet/ssh
to the linux server from a windows machine.
Now PART II -
---------------
So I decided to compile Kerberos 5 support into OpenSSH.
1. I have compiled openssh after applying Simon Wilkinson's
gssapi patch on one Red Hat Linux 9 test server -
openssh-3.6.1p2
openssh-3.6.1p2-gssapi-20030430.diff
2. I configured with the following options -
./configure --with-kerberos5=/usr/kerberos --with-gssapi
I did not use --with-pam as the ssh server used to hang
while connecting.
3. I have the following relevant lines in my sshd_config -
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
GssapiAuthentication yes
GssapiKeyExchange yes
GssapiUseSessionCredCache yes
#AFSTokenPassing no
#KerberosTgtPassing no
#PAMAuthenticationViaKbdInt no
and the following relevant lines in my ssh_config -
# Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
GssapiAuthentication yes
GSSAPIDelegateCredentials yes
4. I am still not able to forward credentials in order to log in
without being prompted for a password. I get two different
credentials for each ssh login as stated in PART I of my mail.
5. So I ssh to the test server as root and decide to debug.
I start the ssh daemon in debug mode as follows -
[root@kripa root]# /usr/local/sbin/sshd -p 222 -d -d -d >/root/sshd_debug 2>&1
Then I connect to it as follows -
[root@kripa root]# /usr/local/bin/ssh -p 222 -v -v -v -l paragg kripa >/root/ssh_debug 2>&1
6. I noticed one particular error -
debug2: we sent a gssapi packet, wait for reply
Server GSSAPI Error:
Miscellaneous failure
7. I am attaching the debug files - "sshd_debug" and "ssh_debug" to
this mail.
I will be happy if someone can throw some light on the errors.
I have seen a post from Simon Wilkinson which states -
There are 3 ways to use Kerberos to authenticate to an ssh server -
1. Enter password at prompt
2. Use previously gained TGT, over Kerberos support in SSH 1
3. Use previously gained TGT, over GSSAPI support in SSH 2
So I feel I must stick to SSH 2 and GSSAPI.
Thanks in advance.
Regards,
Parag Godkar
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sshd_debug.txt
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20030623/5d544d81/attachment.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssh_debug.txt
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20030623/5d544d81/attachment-0001.txt
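The distinction the post turns on is the one between a forwardable TGT (flag F, obtained locally by pam_krb5 or kinit) and a forwarded one (flag f, delegated from the client's cache). The following added example, not part of the original mail or of any tool it mentions, parses `klist -5fa` output and classifies the TGT accordingly; the sample output is constructed to mirror the first session above.

```python
import re
from dataclasses import dataclass

# MIT "klist -f" flag letters that matter here: F = forwardable (the TGT
# may be delegated), f = forwarded (it actually was delegated to this host).

@dataclass
class Ticket:
    service: str
    flags: str = ""
    addresses: str = ""

def parse_klist(text):
    """Parse 'klist -5fa' output into (cache, principal, tickets)."""
    cache = principal = None
    tickets = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif line.startswith("Flags:") and tickets:
            tickets[-1].flags = line.split(":", 1)[1].strip()
        elif line.startswith("Addresses:") and tickets:
            tickets[-1].addresses = line.split(":", 1)[1].strip()
        else:
            # A ticket line ends with its service principal, e.g. krbtgt/REALM@REALM.
            m = re.search(r"(\S+/\S+@\S+)$", line)
            if m:
                tickets.append(Ticket(service=m.group(1)))
    return cache, principal, tickets

def tgt_status(text):
    """Return 'forwarded', 'forwardable-only', 'not-forwardable' or 'no-tgt'."""
    _, _, tickets = parse_klist(text)
    tgt = next((t for t in tickets if t.service.startswith("krbtgt/")), None)
    if tgt is None:
        return "no-tgt"
    if "f" in tgt.flags:
        return "forwarded"         # delegated from the client's cache
    if "F" in tgt.flags:
        return "forwardable-only"  # fresh TGT obtained on this host (pam_krb5 or kinit)
    return "not-forwardable"

# Constructed sample modelled on the post's first session (not the real output).
SESSION_1 = """Ticket cache: FILE:/tmp/krb5cc_p11807
Default principal: paragg@TEST.NCST.ERNET.IN
06/22/03 10:45:28  06/22/03 20:45:28  krbtgt/TEST.NCST.ERNET.IN@TEST.NCST.ERNET.IN
\tFlags: FPIA
\tAddresses: kripa.ncst.ernet.in
"""
```

Running `tgt_status` on each hop's `klist -5fa` output shows whether delegation happened: a second hop whose TGT still lacks the f flag and lives in a new cache file was re-authenticated with a password, not forwarded.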