Kerberized authentication with SecureCRT 4.1.8
Sam Hartman
hartmans at MIT.EDU
Fri Oct 1 13:46:06 EDT 2004
>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> rachel elizabeth dillon wrote:
>> I have an existing MIT Kerberos realm with Kerberized SSH
>> logins over GSSAPI using method external-keyx. I want to be
>> able to connect to this realm from a Windows machine. The owner
>> of the realm has a SecureCRT license, so I started there. With
>> MIT KfW 2.6.5 installed on the machine (which is running
>> Windows 2003), I am able to make a connection which gets me a
>> host ticket and the pre-login banner but then fails with an
>> error of "GSSAPI authentication with the server could not be
>> completed." Running an sshd -d -d -d on the server machine, I
>> see that it tries to connect first with method "none," which
>> tries to use PAM and fails (PAM is not configured on this
>> server past the defaults), and then tries to use method
>> "gssapi," which fails as follows:
>>
Douglas> It should work, I have used SecureCRT-4.1.3 with KfW to
Douglas> OpenSSH sshd versions 3.1 through 3.9. Note that the
Douglas> gssapi code was changed to gssapi-with-mic as there was a
Douglas> security problem. SecureCRT should work with either.
I believe Rachel is running into a bug in my Debian packages. I think
I understand what's going on. I managed to misapply part of Simon's
3.6 patches such that the Debian server cannot deal with a
properly-encoded OID.