openssh + kerberos + windows ad

Sylvain Cortes s.cortes at cerberis.com
Mon Jan 4 11:35:55 EST 2010

Hi,

I know that Centrify provides a kerberised version of PuTTY for free: http://www.centrify.com/resources/putty.asp (just create an account and download it).
This version is fully "compliant" with AD.
This is perhaps a good first step for you.

Regards

Sylvain

Sylvain Cortes
Partnership manager

E-mail: mailto:s.cortes at cerberis.com
Blog: www.identitycosmos.com
30 cours Libération
38100 Grenoble

Tel: +33 4 76 21 17 03
Fax: +33 4 76 84 68 10
http://www.cerberis.com

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of Marcello Mezzanotti
Sent: Monday 4 January 2010 17:17
To: kerberos at mit.edu
Subject: openssh + kerberos + windows ad

Hi all,

I'm not sure if it's the correct list, but:

I'm trying to do a kind of SSO. Basically, I want to ssh to a remote Linux
machine, using openssh/putty (what version?), without a password prompt,
just with a Kerberos ticket.

I have the following scenario:

Windows Server 2003 R2 (with Unix Services installed); it's the DC of my domain.
Linux OpenSUSE 11.2; I configured it to do krb5/ldap authentication
against my DC and it's working fine. I can log in remotely and locally with
my AD credentials, as you can see below:

login as: mmezzanotti
Using keyboard-interactive authentication.
Password:
Last login: Wed Dec 30 14:00:19 2009 from localhost
Have a lot of fun...
mmezzanotti at os112:~> ls
bin      Documents  Music     Public       Templates
Desktop  Download   Pictures  public_html  Videos
mmezzanotti at os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti at VMWARELAB.INT

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT at VMWARELAB.INT
       renew until 01/05/10 13:58:36
mmezzanotti at os112:~>


This Linux machine is on my AD domain and I have a valid krb ticket.

I'm trying to use ssh to connect to this server, but I want to use my
krb ticket, not type a password.

I have enabled the GSSAPI options in my sshd_config:
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


I restarted opensshd but it doesn't work:

mmezzanotti at os112:~> ssh -vvv mmezzanotti at os112.vmwarelab.int
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
debug1: Connection established.
debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Received disconnect from 192.168.86.14: 2: Too many authentication
failures for mmezzanotti


Below are the lines about GSSAPI auth:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

Could anyone help me?

Another question: I downloaded a lot of patched PuTTY clients with
GSSAPI support (to use on Windows machines); which is the correct one?

Thank you,
Marcello

--
Marcello Mezzanotti <marcello.mezzanotti at gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
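A small triage helper for the failure mode in Marcello's trace, added here as an example and not part of the thread. It reads the client-side `ssh -vvv` messages and turns them into a checklist: the sample trace is constructed from the lines quoted above (wrapped lines joined), the hostname and realm defaults are the ones from the post, and the reading of the OpenSSH messages (a "we sent a gssapi-with-mic packet" immediately followed by "Authentications that can continue" means sshd answered USERAUTH_FAILURE for that mechanism before any GSS token was exchanged, which on the server is usually a missing or unreadable host/FQDN keytab entry) is this example's, not the original poster's.

```python
# Constructed from the client trace in the post above (wrapped lines joined).
SAMPLE_TRACE = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
Received disconnect from 192.168.86.14: 2: Too many authentication failures for mmezzanotti
"""


def parse_trace(text):
    """Extract what the client trace establishes about the gssapi-with-mic attempt."""
    facts = {"server_offers_gssapi": False, "gssapi_packets_sent": 0, "gssapi_disabled": False,
             "client_gss_error": False, "fallback": None}
    in_gssapi = False
    for line in text.splitlines():
        if "Authentications that can continue" in line and "gssapi-with-mic" in line:
            facts["server_offers_gssapi"] = True  # sshd has GSSAPIAuthentication enabled
        elif line.startswith("debug1: Next authentication method:"):
            method = line.rsplit(":", 1)[1].strip()
            if in_gssapi and facts["fallback"] is None:
                facts["fallback"] = method  # first method tried after GSSAPI gave up
            in_gssapi = method == "gssapi-with-mic"
        elif in_gssapi and "we sent a gssapi-with-mic packet" in line:
            facts["gssapi_packets_sent"] += 1  # one USERAUTH_REQUEST per mechanism OID offered
        elif in_gssapi and "we did not send a packet, disable method" in line:
            facts["gssapi_disabled"] = True  # client ran out of mechanisms without a context
        elif "GSS" in line and "failure" in line.lower():
            facts["client_gss_error"] = True  # e.g. "Unspecified GSS failure" on the client side
    return facts


def diagnose(facts, fqdn="os112.vmwarelab.int", realm="VMWARELAB.INT"):
    """Checklist from the facts; the interpretation of the messages is this example's own."""
    hints = []
    if not facts["server_offers_gssapi"]:
        hints.append("sshd never offered gssapi-with-mic: check GSSAPIAuthentication in sshd_config")
    elif facts["gssapi_disabled"] and not facts["client_gss_error"]:
        hints.append("server refused all %d mechanism offers before any GSS token was exchanged: check "
                     "/etc/krb5.keytab on the server holds host/%s@%s readable by sshd, and that %s "
                     "is the name the client connected to" % (facts["gssapi_packets_sent"], fqdn, realm, fqdn))
    elif facts["client_gss_error"]:
        hints.append("client-side GSS failure: check klist for a valid TGT and a ticket for host/" + fqdn)
    if facts["fallback"]:
        hints.append("authentication fell back to " + facts["fallback"])
    return hints
```

Feed it the output of `ssh -vvv` captured to a file; on the trace above it points at the server-side keytab first, which is where to look before touching the client.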
