openssh + kerberos + windows ad

Marcello Mezzanotti marcello.mezzanotti at gmail.com
Mon Jan 4 12:40:30 EST 2010


CDC,

Unfortunately I can't use IRC here. As I imagined, I don't have any keytab file:
os112:~ # klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan

How can I generate this file directly on Linux?
If I generate this file on Windows, can I export it to Linux?

BTW, I'm using Windows Server 2003 R2 Enterprise SP2.

Thank you,
Marcello

On Mon, Jan 4, 2010 at 3:30 PM, Christopher D. Clausen <cclausen at acm.org> wrote:
> Marcello,
>
> Can you show us the output of klist -kte (as root) on the machine running
> sshd?  You need to have a proper keytab for ssh to use GSSAPI
> authentication.
>
> Against AD, you can generate a keytab using ktpass.exe.  Make sure you are
> using the 2003 SP2 version (or newer) of ktpass as some known problems were
> fixed.  http://support.microsoft.com/kb/926027
>
> There are several of us in the #kerberos IRC channel on Freenode if you
> would like some interactive help in getting this to work.
>
> <<CDC
>
> Marcello Mezzanotti <marcello.mezzanotti at gmail.com> wrote:
>>
>> Hans,
>>
>> Thanks for your help. My sshd_config options match yours; sshd_config
>> doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.
>>
>> I continue to receive the "we sent a gssapi-with-mic packet, wait for
>> reply" DEBUG message and ssh tries password auth.
>>
>> I saw something related to krb5.keytab; do you know something about
>> this file?
>>
>> Thank you,
>> Marcello
>>
>>
>>
>> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans at woefdram.nl>
>> wrote:
>>>
>>> Hi Marcello,
>>>
>>> A while ago I created the same construction that you want: ssh to a
>>> Linux machine and login automatically with Kerberos. My KDC also is
>>> a Windows 2003 box with UNIX Services installed. It's been a while,
>>> and I don't remember a lot of details. I remember it did take quite a
>>> bit of work though :)
>>>
>>> In the logs you sent, I can't really find anything, but it "feels"
>>> like an incomplete SSH daemon configuration.
>>>
>>> In my sshd-config there are also these lines:
>>>
>>> PasswordAuthentication no
>>> KerberosAuthentication yes
>>> KerberosOrLocalPasswd no
>>> KerberosTicketCleanup yes
>>> GSSAPIAuthentication yes
>>> GSSAPICleanupCredentials yes
>>>
>>> On my client machine, I configured /etc/ssh/ssh_config with:
>>>
>>> GSSAPIKeyExchange yes
>>> GSSAPITrustDNS yes
>>> GSSAPIAuthentication yes
>>> GSSAPIDelegateCredentials yes
>>>
>>> I hope this will help you a bit. If not, please post the
>>> configuration of both the ssh-server and the ssh-client and I'll
>>> have a closer look.
>>>
>>> Kind regards,
>>>
>>> Hans
-- 
Marcello Mezzanotti <marcello.mezzanotti at gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
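Since the open question in this thread is whether the keytab ktpass.exe produces (and that gets copied to the Linux box as /etc/krb5.keytab) actually contains what sshd needs, here is an added example, written for this page and not posted by anyone in the thread, that reads the MIT keytab file format directly, reports what klist -kte would list, and checks for the host/<fqdn>@REALM entry sshd's GSSAPI authentication uses. The realm EXAMPLE.COM, the hostname os112.example.com and the all-zero key bytes are constructed sample values.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961/3962/4757

def _octets(buf, off):
    # counted_octet_string: uint16 big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] for every live entry, like klist -kte."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32), 8-bit kvno, enctype (uint16), key blob
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _octets(data, off + 11)
        if end - off >= 4:             # trailing 32-bit kvno, when present and non-zero, wins
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(enctype, "etype %d" % enctype)))
    return entries

def build_entry(realm, comps, kvno, enctype, key):
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 1262626830, kvno & 0xFF, enctype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def host_principals(data, fqdn):
    """Entries sshd can use for GSSAPI on this host, i.e. host/<fqdn>@REALM."""
    return [e for e in parse_keytab(data) if e[0].startswith("host/%s@" % fqdn)]

# Constructed sample built with build_entry: one host/ key (dummy bytes), then a deleted slot.
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.COM", ["host", "os112.example.com"], 3, 23, b"\x00" * 16)
          + struct.pack(">i", -4) + b"\x00" * 4)
```

On a real server, read /etc/krb5.keytab as root and pass its bytes together with the machine's FQDN to host_principals; an empty result means sshd has no service key to accept GSSAPI with, which is one reason the client ends up at password auth.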