openssh + kerberos + windows ad

Christopher D. Clausen cclausen at acm.org
Mon Jan 4 12:30:34 EST 2010


Marcello,

Can you show us the output of klist -kte (as root) on the machine 
running sshd?  You need to have a proper keytab for ssh to use GSSAPI 
authentication.

Against AD, you can generate a keytab using ktpass.exe.  Make sure you 
are using the 2003 SP2 version (or newer) of ktpass as some known 
problems were fixed.  http://support.microsoft.com/kb/926027

There are several of us in the #kerberos IRC channel on Freenode if you 
would like some interactive help in getting this to work.

<<CDC

Marcello Mezzanotti <marcello.mezzanotti at gmail.com> wrote:
> Hans,
>
> Thanks for your help, my sshd_config options match yours, sshd_config
> doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.
>
> I continue to receive the "we sent a gssapi-with-mic packet, wait for
> reply" DEBUG message and the ssh tries password auth.
>
> I saw something related to krb5.keytab, do you know something about
> this file?
>
> thank you,
> marcello
>
>
>
> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans at woefdram.nl>
> wrote:
>> Hi Marcello,
>>
>> A while ago I created the same construction that you want: ssh to a
>> Linux machine and login automatically with Kerberos. My KDC also is
>> a Windows 2003 box with UNIX Services installed. It's been a while,
>> and I don't remember a lot of details. I remember it did take quite a
>> bit of work though :)
>>
>> In the logs you sent, I can't really find anything, but it "feels"
>> like an incomplete SSH daemon configuration.
>>
>> In my sshd-config there are also these lines:
>>
>> PasswordAuthentication no
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd no
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> On my client machine, I configured /etc/ssh/ssh_config with:
>>
>> GSSAPIKeyExchange yes
>> GSSAPITrustDNS yes
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> I hope this will help you a bit. If not, please post the
>> configuration of both the ssh-server and the ssh-client and I'll
>> have a closer look.
>>
>> Kind regards,
>>
>> Hans 
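Added example (not from anyone in this thread): a small POSIX sh check that answers the question Christopher asks above, whether the keytab sshd reads actually contains the host/<fqdn>@<REALM> service principal, plus a check that the keytab file is readable only by its owner. It parses the MIT-style `klist -kte` listing format (KVNO, date, time, principal, enctype); the listing, hostname `linuxbox.example.com` and realm `EXAMPLE.COM` below are constructed sample data, not output from Marcello's machine.

```shell
#!/bin/sh
# Verify that the keytab used by sshd holds the host service principal that
# GSSAPI ("gssapi-with-mic") authentication requires.
#
# Live use (as root, since /etc/krb5.keytab is normally root-only):
#   klist -kte | has_host_principal "$(hostname -f)" EXAMPLE.COM
#   keytab_is_private /etc/krb5.keytab

# Constructed sample of `klist -kte` output (MIT Kerberos format assumed).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/04/10 11:58:02 host/linuxbox.example.com@EXAMPLE.COM (arcfour-hmac)
   3 01/04/10 11:58:02 host/linuxbox.example.com@EXAMPLE.COM (des-cbc-md5)'

# has_host_principal FQDN REALM  (keytab listing on stdin)
# Exit 0 if an entry for host/FQDN@REALM exists, 1 otherwise.
# Header and separator lines are skipped because their first field is not
# a numeric KVNO; on data lines the principal is the fourth field.
has_host_principal() {
    want="host/$1@$2"
    awk -v want="$want" '
        $1 ~ /^[0-9]+$/ && $4 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# keytab_is_private PATH
# Exit 0 if the file mode is exactly rw------- (owner-only), 1 otherwise.
# Uses `ls -l` rather than `stat` because stat flags differ between GNU and BSD.
keytab_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Demonstration against the constructed listing (not live klist output).
if printf '%s\n' "$SAMPLE_LISTING" | has_host_principal linuxbox.example.com EXAMPLE.COM; then
    echo "host principal present: sshd can accept gssapi-with-mic"
else
    echo "host principal missing: sshd will fall back to other auth methods"
fi
```

The principal name must match exactly what the client asks for, so pass the fully qualified hostname the client resolves (`hostname -f`) and the realm in upper case; a keytab holding only a short hostname or a differently cased realm will make the check, and sshd, fail the same way.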
