Recommended way to get krb5.keytab files for KfW installations on Windows

Douglas E. Engert deengert at anl.gov
Fri Dec 11 12:06:15 EST 2009



Holger Rauch wrote:
> Rehi,
> 
> replying to my own mail because the reply by Douglas E. Engert
> (thanks for replying, Douglas!) unfortunately didn't make it
> through.
> 
> I try to access a central file server running Debian Lenny and
> offering file access via various protocols/services: FTP, SSH/SCP
> (OpenSSH), OpenAFS, CIFS (via Samba daemons) from a Windows XP
> box.
> 
> I know that for SSH access host principals are required for each
> client 

Client? No, that would be each server where the sshd is run.

> and are supposed to be stored in a krb5.keytab file, at least
> that's the case with MIT Kerberos on Linux/Unix.

> 
> Isn't that also the case when using Quest PuTTY (AFAIK the only free
> implementation having GSSAPI support) and WinSCP for SSH access from a
> WinXP client having KfW (MIT Kerberos for Windows) installed?

No, only the unix server with sshd needs the keytab, not the windows clients.
So you only need to use ktpass for one server.

On Windows, you have two APIs for the GSSAPI protocols.
The SSPI is the MS provided version and uses the MS kerberos
and tickets obtained by AD login or the runas command.
The GSSAPI will use the MIT gssapi libs that come with KfW.

As for gssapi/sspi with Putty look in
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
then look at the Subversion. It has SSPI support.

Also http://www.chiark.greenend.org.uk/~sgtatham/putty/links.html
shows 4 gssapi/sspi versions. The sweb.cz patch for PuTTY-0.58
can use both the MS SSPI and the MIT KfW gssapi libs.

The Quest only uses the SSPI.

I have three: Quest, Putty-svn and sweb patch versions running.




> 
> The main reason why I ask this is that I want to avoid having to use
> ktpass.exe because of its mapping option(s) - that sort of scares me
> off.
> 
> Any hints are most welcome.
> 
> Thanks & kind regards,
> 
>        Holger
> 
> On Mon, 26 Oct 2009, Holger Rauch wrote:
> 
>> Hi,
>>
>> since the kadmin utility is not included with the current KfW bundle
>> from the MIT Kerberos web site (version 3.2.2), is it "safe" to
>> create krb5.keytab files for KfW using kadmin on a Unix machine and
>> transfer the file to the Windows box?
>>
>> (Yes, I heard about ktpass.exe, but that's kind of awkward to use
>> because of the username/principal mapping stuff that needs to be taken
>> into account. Or is ktpass.exe the recommended utility and the kadmin
>> on Unix+file transfer approach thus discouraged?)
>>
>> I'm using KfW on a current (all updates applied) WinXP Professional
>> system.
>>
>> So, what's the easiest (and recommended) way to get krb5.keytab files
>> that are usable by KfW installations?
>>
>> (I need this for accessing a kerberized Samba server, a kerberized
>> sshd using PuTTY/WinSCP, and a kerberized FTP server; all of these
>> services are running on the same host).
>>
>> Thanks for any hints & kind regards,
>>
>>        Holger
> 
> 
> 
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> --
> =========================================
> Holger Rauch
> Entwicklung Anwendungs-Software
> Systemadministration UNIX
> 
> Tel.: +49 / 9131 / 877 - 141
> Fax: +49 / 9131 / 877 - 266
> Email: Holger.Rauch at empic.de
> =========================================
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
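
A check that follows from the reply above, where only the Unix host running sshd needs the keytab: parse that server's keytab and confirm it holds a host/ key. This is an added example, not part of the original message; it assumes the MIT keytab file format version 0x0502, and the host name, realm and sample bytes are constructed.

```python
import io
import struct

def build_entry(components, realm, kvno, enctype, key):
    """Encode one keytab entry; used only to construct the sample below."""
    body = struct.pack(">H", len(components))
    for text in [realm, *components]:
        raw = text.encode()
        body += struct.pack(">H", len(raw)) + raw
    # name type, timestamp, 8-bit kvno, enctype, key length, key
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_entry(buf):
    r = io.BytesIO(buf)
    def take(fmt):
        return struct.unpack(fmt, r.read(struct.calcsize(fmt)))
    def counted():
        return r.read(take(">H")[0])
    (ncomp,) = take(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    _name_type, _timestamp, kvno, enctype = take(">IIBH")
    counted()                                # key bytes: skipped, never returned
    if len(buf) - r.tell() >= 4:             # optional 32-bit kvno trailer
        kvno = take(">I")[0] or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno, "enctype": enctype}

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)                     # a negative size marks a deleted slot
    return entries

def has_host_key(entries, fqdn, realm):
    """True if the keytab holds the host/ key that sshd needs for GSSAPI logins."""
    return any(e["principal"] == f"host/{fqdn}@{realm}" for e in entries)

# Constructed sample: two keys (all-zero key bytes) around a deleted 10-byte slot.
SAMPLE = (b"\x05\x02"
          + build_entry(["host", "files.example.org"], "EXAMPLE.ORG", 3, 18, bytes(32))
          + struct.pack(">i", -10) + bytes(10)
          + build_entry(["ftp", "files.example.org"], "EXAMPLE.ORG", 2, 17, bytes(16)))
```

On the server, pass the bytes of the real keytab to `parse_keytab` in place of `SAMPLE`; the parser reports principal, kvno and enctype only and never returns key material.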


