Kerberized authentication with SecureCRT 4.1.8
rachel elizabeth dillon
red at MIT.EDU
Thu Sep 30 14:31:07 EDT 2004
I have an existing MIT Kerberos realm with Kerberized SSH logins over
GSSAPI using method external-keyx. I want to be able to connect to this
realm from a Windows machine. The owner of the realm has a SecureCRT
license, so I started there. With MIT KfW 2.6.5 installed on the machine
(which is running Windows 2003), I am able to make a connection which gets
me a host ticket and the pre-login banner but then fails with an error of
"GSSAPI authentication with the server could not be completed." Running
an sshd -d -d -d on the server machine, I see that it tries to connect
first with method "none," which tries to use PAM and fails (PAM is not
configured on this server past the defaults), and then tries to use method
"gssapi," which fails as follows:
Failed none for ptadmin from 10.1.16.31 port 1733 ssh2
debug1: userauth-request for user ptadmin service ssh-connection method gssapi
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi
debug3: mm_request_send entering: type 28
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
Failed gssapi for ptadmin from 10.1.16.31 port 1733 ssh2
Received disconnect from 10.1.16.31: 14: Unable to authenticate using any of the configured authentication methods.
A successful request from another Solaris machine with OpenSSH and krb5
support looks like this:
Failed none for ptadmin from 10.1.16.234 port 54138 ssh2
debug1: userauth-request for user ptadmin service ssh-connection method external-keyx
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method external-keyx
debug3: mm_request_send entering: type 26
debug3: mm_request_receive_expect entering: type 27
debug3: mm_request_receive entering
debug3: monitor_read: checking request 26
Authorized to ptadmin, krb5 principal ptadmin at IC.COM (krb5_kuserok)
debug3: mm_answer_gss_userok: sending result 1
debug3: mm_request_send entering: type 27
debug2: pam_acct_mgmt() = 0
debug3: mm_ssh_gssapi_userok: user authenticated
Accepted external-keyx for ptadmin from 10.1.16.234 port 54138 ssh2
debug3: mm_send_keystate: Sending new keys: 7b3c0 81910
debug3: mm_newkeys_to_blob: converting 7b3c0
debug3: mm_newkeys_to_blob: converting 81910
debug3: mm_send_keystate: New keys have been sent
debug3: mm_send_keystate: Sending compression state
debug3: mm_request_send entering: type 38
debug3: mm_send_keystate: Finished sending state
debug1: PAM establishing creds
Accepted gssapi for ptadmin from 10.1.16.234 port 54138 ssh2
It looks to me like I either want SecureCRT to connect via "external-keyx,"
or I want to convince the sshd to parse "gssapi" in a different way.
I would also be interested in solutions that involve another SSH client for
Windows, if that client were free.
Thanks for any help you can provide,
-r.
More information about the Kerberos
mailing list