SSH windows 2003 AD: TGS vs TGT

abc satyavadali at gmail.com
Sun Jul 31 20:01:01 EDT 2005


We are exploring possibilities for integrating Windows AD / Unix hosts.

My two weeks old boot camp setup:

KDC: Windows 2003 AD
SSH: HP-UX SSH 4.x (openssh 4.x)
SSH Clients: Putty / F-secure ( which is not working at this time under
GSSAPI)


I got my setup working, however wondering which option to pick for my
environment.

Option 1:

In this option we create Keytab file from Windows 2003 AD server with
repective host principal and copy it to SSH server.
We update SSHD config file for GSSAP and KRB client files.

This welcomes everyone who has TGS for my host and valid PASSWD file
entry.

Option 2:

In this option we update KRB Client files (krb5.conf) and enable
Kerberos authentication for SSHD Config file or through PAM.

In this method, there is no Keytab file involved. User will enter his
credentials and if its ok, he/she get TGT and access to system.



Now, Which option is right, when you look at following.


1. User accounts lockups. (At KDC or UNIX Level)

2. Can i restrict user even if he/she has right TGS
(AllowGroups/DenyGroups based on auth type)

3. Can i restrict user even if he/she has right TGT/PASSWD
(AllowGroups/DenyGroups based on auth type)

4. Keytab file update when ever password changed.

5. Which option is right for the future.

6. Which option is right for VPN Users.

7. Do I need to update SSH Client Software (putty/??)

8. Most accepted and implemented.

9. Security patchs for SSH Server / SSH Client in future. (KDC: MS will
take care !)

10. Which option is nice while you are in transition.

11. Just have both options?

12. Any other way one can implement this

13. Which option Managers like

14. Which option Clients/Users like (and Sys. Admins, Guess should be
with users).

any pointers in right direction are welcome.

regards
satya



More information about the Kerberos mailing list