openssh + kerberos + windows ad

Marcello Mezzanotti marcello.mezzanotti at gmail.com
Mon Jan 4 12:18:18 EST 2010


Hans,

Thanks for your help, my sshd_config options match yours, sshd_config
doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.

I continue to receive the "we sent a gssapi-with-mic packet, wait for
reply" DEBUG message and the ssh tries password auth.

I saw something related to krb5.keytab, do you know something about this file?

thank you,
marcello



On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans at woefdram.nl> wrote:
> Hi Marcello,
>
> A while ago I created the same construction that you want: ssh to a Linux
> machine and login automatically with Kerberos. My KDC also is a Windows 2003
> box with UNIX Services installed. It's been a while, and I don't remember a
> lot of details. I remember it did take quite a bit of work though :)
>
> In the logs you sent, I can't really find anything, but it "feels" like an
> incomplete SSH daemon configuration.
>
> In my sshd-config there are also these lines:
>
> PasswordAuthentication no
> KerberosAuthentication yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> On my client machine, I configured /etc/ssh/ssh_config with:
>
> GSSAPIKeyExchange yes
> GSSAPITrustDNS yes
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> I hope this will help you a bit. If not, please post the configuration of
> both the ssh-server and the ssh-client and I'll have a closer look.
>
> Kind regards,
>
> Hans
>
>


-- 
Marcello Mezzanotti <marcello.mezzanotti at gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
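
An added example, not code from either poster: a small Python check that compares a config file against the two option lists in Hans's message and reports options he lists only for the other file, values that differ from his, and options he sets that are absent. The sample config text is constructed, the names `HANS`, `parse` and `audit` are hypothetical, and `Match`/`Host` scoping is ignored.

```python
import re

# Option lists exactly as given in Hans's message (one admin's working
# setup, used here as the reference; not an authoritative baseline).
HANS = {
    "server": {"PasswordAuthentication": "no", "KerberosAuthentication": "yes",
               "KerberosOrLocalPasswd": "no", "KerberosTicketCleanup": "yes",
               "GSSAPIAuthentication": "yes", "GSSAPICleanupCredentials": "yes"},
    "client": {"GSSAPIKeyExchange": "yes", "GSSAPITrustDNS": "yes",
               "GSSAPIAuthentication": "yes", "GSSAPIDelegateCredentials": "yes"},
}
# "Keyword value" or "Keyword=value"; comment lines never match.
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def parse(text):
    """Yield (line_no, keyword, value) for each setting line."""
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if m:
            yield no, m.group(1), m.group(2).strip().strip('"')

def audit(text, role):
    """Compare one config file against Hans's list for that role."""
    other = "client" if role == "server" else "server"
    want = {k.lower(): (k, v) for k, v in HANS[role].items()}
    foreign = {k.lower() for k in HANS[other]} - set(want)
    report = {"other_side_only": [], "differs": [], "missing": []}
    seen = set()
    for no, key, value in parse(text):
        low = key.lower()  # keywords are case-insensitive
        if low in foreign:
            report["other_side_only"].append((no, key))
        elif low in want and low not in seen:
            seen.add(low)
            if value.lower() != want[low][1]:
                report["differs"].append((no, key, value, want[low][1]))
    report["missing"] = [k for low, (k, _) in want.items() if low not in seen]
    return report

# Constructed sample, not Marcello's actual sshd_config.
SAMPLE_SSHD = """\
# constructed sample
PasswordAuthentication yes
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPITrustDNS = yes
"""

if __name__ == "__main__":
    for section, items in audit(SAMPLE_SSHD, "server").items():
        print(section, items)
```
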
