Solaris 10 ssh logins + w2k3 AD native mode

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Mar 16 13:35:29 EST 2006


Barry Allard wrote:
>  Hi Wyllys,
>
>  Primary goal: Kerberize ssh keyboard interactive logins in
>  enterprise-administration-friendly way.


The ability to use Kerberos tickets to authenticate with
SSH is already documented and explained in several places.
Look at docs.sun.com under Security Administration (or search for
SEAM, Kerberos).  Also do a 'man sshd_config' - you should
see that the GSSAPIAuthentication and GSSAPIKeyExchange
values are "yes" by default.


What is your definition of "enterprise-administration-friendly"?


>
>  Secondary objective #A: manage user authorization (who can login)
>  through Active Directory instead of locally (hacking a bunch of text
>  files for each new user), create home directory, etc.


This is a whole different problem.  Today, you can manage your
users with AD, but you still need to have some way for the
Unix system (Solaris or Linux) to map from the AD user attributes
to something recognizable on the *nix platform - uid, gid, and home
directory being the most important attributes needed to establish
a Unix login session.  Typically, Unix admins set up user databases
with NIS or LDAP containing all of the users that they want to allow to
access the Unix systems.  Kerberos auth can still be done
against the AD server, but the AD principals must map to
Unix usernames that the local system can then lookup once
the authentication is completed to do authorization.

Basically - you cannot have an empty /etc/passwd and shadow
database (without NIS or LDAP) and expect that everything will
"just work".  You have to provide some method for the Unix
system to get the user attributes it needs to establish a session.

Microsoft offers their "services for Unix" feature that might
help if you are trying to get everything from AD, but I've not
used that myself.

There are also ways to configure LDAP on the *nix side to get
the information from AD.  Look for an LDAP expert to explain the
details of that process; I haven't done it myself.



>
>  Secondary objective #B: ssh (putty) from windows -> sol 10 box ...
>  automagically login by Active Directory's kerb ticket (not hostkeys).
>  I have seen it working using Centrify ($) PAM mod on the Linux, and
>  no mods to windows box.


Does putty support GSSAPI authentication for SSH and can it
get the user's credentials from Active Directory?  If so, it should
"just work" with the stock Solaris 10 sshd or the OpenSSH server
with the GSSAPI patches applied.

If you have to have a special PAM module on the server side, then you
aren't really doing Kerberos single sign-on authentication and you most
likely have to reenter your name/password when you try to log in to the
other system.  You could do that much with standard pam_krb5
on Solaris or Linux.  I'm not familiar with the Centrify product.

-Wyllys
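One way to sanity-check the two prerequisites the reply describes (sshd willing to do GSSAPI, and the AD principal mapping to a Unix account with uid, gid and home directory), as an added POSIX sh example that is not part of the thread; the realm EXAMPLE.COM, the file locations and the sample sshd_config and passwd-format contents are assumptions constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Checks what the reply says must hold
# before an AD-issued ticket can open an SSH session: sshd accepts GSSAPI
# (keyword absent => "yes", as on Solaris 10) and the principal maps to a
# Unix account with uid, gid and home. Paths and realm are demo assumptions.

# Effective value of a GSSAPI keyword in an sshd_config-style file:
# first non-comment occurrence wins, case-insensitive; unset means "yes".
gssapi_setting() {   # $1 keyword, $2 config file
    val=$(awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$2")
    printf '%s\n' "${val:-yes}"
}

# Map user@REALM to the Unix username, accepting only the expected realm.
principal_to_user() {   # $1 principal, $2 expected realm
    case "$1" in
        *@"$2") printf '%s\n' "${1%@*}" ;;
        *) return 1 ;;
    esac
}

# The name service (a passwd-format file here; NIS/LDAP in practice) must
# supply uid, gid and home, or the login session cannot be established.
unix_mapping_ok() {   # $1 username, $2 passwd-format file
    awk -F: -v u="$1" '$1 == u && $3 != "" && $4 != "" && $6 != "" { ok = 1 }
                       END { exit ok ? 0 : 1 }' "$2"
}

# Combine the checks; prints the reason when a login would fail.
check_login() {   # $1 principal, $2 realm, $3 sshd_config, $4 passwd file
    [ "$(gssapi_setting GSSAPIAuthentication "$3")" = yes ] ||
        { echo "$1: GSSAPIAuthentication is off in $3"; return 1; }
    user=$(principal_to_user "$1" "$2") ||
        { echo "$1: realm is not $2, no local mapping"; return 1; }
    unix_mapping_ok "$user" "$4" ||
        { echo "$1: '$user' has no uid/gid/home in $4 (add to passwd, NIS or LDAP)"; return 1; }
    echo "$1 -> $user: would log in"
}

# Constructed sample inputs so the script runs offline.
TMP=${TMPDIR:-/tmp}/gssapi-check.$$
mkdir -p "$TMP"; trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '# GSSAPIAuthentication left at its default' 'GSSAPIKeyExchange yes' > "$TMP/sshd_config"
printf '%s\n' 'GSSAPIAuthentication no' > "$TMP/sshd_config.off"
printf '%s\n' 'root:x:0:0:Super-User:/:/sbin/sh' \
    'alice:x:1001:10:Alice:/export/home/alice:/bin/sh' > "$TMP/passwd"

for p in alice@EXAMPLE.COM bob@EXAMPLE.COM alice@OTHER.COM; do
    check_login "$p" EXAMPLE.COM "$TMP/sshd_config" "$TMP/passwd" || true
done
```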
