Kerberos tickets, SSH public key auth, AFS tokens
Douglas E. Engert
deengert at anl.gov
Mon Dec 21 09:50:41 EST 2009
Jeff Blaine wrote:
> Thanks Doug
>
>> The which PuTTY has GSSAPI:
>>
>> Quest has one that uses SSPI. http://rc.quest.com/topics/putty/
>
> Hmm, I can't seem to get this to work at all (ignoring CVS).
>
> I have KfW creds for jblaine, afs, and krbtgt on this Windows
> box.
As I said, the Quest version uses SSPI and the Microsoft ticket cache
so works well if you are a domain user and logged in (or use runas)
to get tickets from AD.
Chris suggested trying: http://matthew.loar.name/software/putty/
I have not tried it, but it sounds like it will work well with
KfW. Sounds like this version may also have GSSAPI key exchange support.
>
> I have a QuestPuTTY session named faron.foo.org
> GSSAPI is enabled for this session
> GSSAPI Credential Delegation is enabled for this session
>
> Opening the session shows:
>
> Using username "jblaine".
> Using GSSAPI service principal name "host/faron.foo.org".
> jblaine at faron.foo.org's password:
>
> The sshd debug output:
>
> Server listening on :: port 9000.
> debug1: Server will not fork when running in debugging mode.
> Connection from xx.xx.0.146 port 3423
> debug1: Client protocol version 2.0; client software version
> PuTTY_Release_0.60_q1.129
> debug1: no match: PuTTY_Release_0.60_q1.129
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-Sun_SSH_1.1.3
> ...
> debug2: GSS-API Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
> ...
> debug2: kex_parse_kexinit:
> gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> ...
> debug1: userauth-request for user jblaine service ssh-connection method
> gssapi-with-mic
> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 }
> (supported)
The client may have found it did not have tickets in the Microsoft ticket cache,
and thus failed.
> debug1: userauth-request for user jblaine service ssh-connection method none
> debug1: attempt 2 initial attempt 0 failures 1 initial failures 0
> debug2: Unrecognized authentication method name: none
> Failed none for jblaine from xx.xx.0.146 port 3423 ssh2
> debug1: userauth-request for user jblaine service ssh-connection method
> password
> debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
> debug2: input_userauth_request: try method password
> debug2: Starting PAM service sshd-password for method password
> Accepted password for jblaine from xx.xx.0.146 port 3423 ssh2
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
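
The following is an added example, not part of the original message or of any project's code. It ties together two lines of the quoted sshd debug output: the offered OID `{ 1 2 840 113554 1 2 2 }` and the string `toWM5Slw5Ew8Mqkay+al2g==`, which is base64(MD5(DER(OID))) under the GSS-API key-exchange naming scheme of RFC 4462, and it flags a session where `gssapi-with-mic` was tried but another method was accepted. The function names and the trimmed sample log are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: lines trimmed from the sshd debug output quoted in this thread.
SAMPLE_LOG = """\
debug2: GSS-API Mechanism encoded as toWM5Slw5Ew8Mqkay+al2g==
debug2: input_userauth_request: try method gssapi-with-mic
debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
debug2: input_userauth_request: try method password
Accepted password for jblaine from xx.xx.0.146 port 3423 ssh2
"""

def oid_to_der(arcs):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last base-128 digit has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)

def gss_kex_suffix(arcs):
    """Mechanism name used in KEXINIT: base64(MD5(DER(OID)))."""
    return base64.b64encode(hashlib.md5(oid_to_der(arcs)).digest()).decode()

def summarize(log):
    """Return (offered OID arcs, encoded mech name, methods tried, accepted method)."""
    m = re.search(r"gssapi userauth with \{([\d\s]+)\}", log)
    arcs = [int(x) for x in m.group(1).split()] if m else None
    enc = re.search(r"GSS-API Mechanism encoded as (\S+)", log)
    tried = re.findall(r"try method (\S+)", log)
    acc = re.search(r"^Accepted (\S+) for ", log, re.M)
    return arcs, enc.group(1) if enc else None, tried, acc.group(1) if acc else None

def gssapi_fell_back(log):
    """True when gssapi-with-mic was attempted but another method was accepted."""
    _, _, tried, accepted = summarize(log)
    return "gssapi-with-mic" in tried and accepted not in (None, "gssapi-with-mic")

if __name__ == "__main__":
    arcs, enc, tried, accepted = summarize(SAMPLE_LOG)
    print("OID", arcs, "->", gss_kex_suffix(arcs), "matches log:", gss_kex_suffix(arcs) == enc)
    print("tried", tried, "accepted", accepted, "fallback", gssapi_fell_back(SAMPLE_LOG))
```

A match between the derived name and the logged one confirms that client and server agree on the Kerberos 5 mechanism, so a fallback to password points at credential acquisition rather than mechanism negotiation.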