openssh + kerberos + windows ad

Marcello Mezzanotti marcello.mezzanotti at gmail.com
Mon Jan 4 12:56:14 EST 2010


Javier,

I'm trying ticket auth; password auth against AD (KDC) (krb+ldap pam)
is working fine:

mmezzanotti at os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti at VMWARELAB.INT

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT at VMWARELAB.INT
        renew until 01/05/10 13:58:36
01/04/10 14:09:23  01/04/10 23:58:37  host/os112.vmwarelab.int at VMWARELAB.INT
        renew until 01/05/10 13:58:36

I got these tickets doing ssh with password auth, but now that I have tickets
I want to use ssh without a password (just tickets).

thank you,
marcello

On Mon, Jan 4, 2010 at 3:41 PM, Javier Palacios <javiplx at gmail.com> wrote:
>> login as: mmezzanotti
>> Using keyboard-interactive authentication.
>> Password:
>> Last login: Wed Dec 30 14:00:19 2009 from localhost
>> Have a lot of fun...
>> mmezzanotti at os112:~> ls
>> bin      Documents  Music     Public       Templates
>> Desktop  Download   Pictures  public_html  Videos
>> mmezzanotti at os112:~> klist
>> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
>> Default principal: mmezzanotti at VMWARELAB.INT
>>
>> Valid starting     Expires            Service principal
>> 01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT at VMWARELAB.INT
>>        renew until 01/05/10 13:58:36
>
> I'm not sure whether you are actually testing ticket authentication, or
> just Kerberos password authentication (by far the easier of the two).
> To actually check what you want, I recommend you start working just on
> the Linux node, and log in as whichever user. Then
> # kinit mmezzanotti
> # ssh mmezzanotti at os112
> If it does ask you for a password, then credential authentication is not
> working. And depending on whether your TGT was proxyable or not, you might
> even end up with empty output from klist.
>
> Someone answered about the need for a host keytab to achieve this. As
> far as I remember that is not mandatory for Linux (or wasn't for a
> Debian in 2004), but take it into account.
>
>> mmezzanotti at os112:~> ssh -vvv mmezzanotti at os112.vmwarelab.int
>>
>
> Try adding 'debug' to all the Kerberos lines in pam.d. That will produce
> much less verbose and hopefully more useful info.
>



-- 
Marcello Mezzanotti <marcello.mezzanotti at gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
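The ticket-only login Marcello is after, as an added pre-flight script that is not from either poster. It follows Javier's procedure (kinit, then ssh from the Linux node) but forces GSSAPI and disables every password path, so a failure is reported instead of sshd silently falling back to keyboard-interactive. The klist output earlier in the thread already shows a host/os112.vmwarelab.int service ticket fetched a few minutes after the TGT, which is what the ssh client requests when it attempts GSSAPI; the remaining suspects are therefore on the server side, which is why the script also checks the sshd_config keyword (GSSAPIAuthentication defaults to "no") and the host keytab Javier mentions. The hostname, realm and keytab path are assumptions taken from the thread's klist output and the MIT default; the constructed sshd_config and `klist -k` snippets used for checking are passed in as strings so the parsing functions can be exercised without a live KDC.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight checks for ticket-only
# (GSSAPI) ssh login to an AD-joined Linux host. SERVER, REALM and KEYTAB are
# assumptions (values from the thread's klist output, MIT default keytab path).
REALM=${REALM:-VMWARELAB.INT}
SERVER=${SERVER:-os112.vmwarelab.int}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# 1. sshd_config (passed as a string): GSSAPIAuthentication must be "yes".
#    sshd honours the FIRST occurrence of a keyword, matches it
#    case-insensitively, and defaults to "no" when the keyword is absent.
sshd_config_gssapi_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "gssapiauthentication" { print tolower($2); exit }
    ' | grep -qx 'yes'
}

# 2. keytab listing (output of "klist -k", passed as a string): sshd needs
#    host/<fqdn>@REALM to decrypt the service ticket the client presents.
#    A machine account entry alone (OS112$@REALM) is not enough.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { found = 1 }
        END { exit !found }
    '
}

# 3. client: a valid TGT must be in the cache (klist -s is silent and
#    returns non-zero if the cache is missing or expired). Get it with
#    "kinit -f user" so it is forwardable; otherwise remote klist is empty.
client_has_tgt() { klist -s; }

# 4. the real test: GSSAPI only, no password fallback, non-interactive.
#    Remote "klist" shows a forwarded TGT only with delegation enabled.
gssapi_ssh() {
    ssh -o GSSAPIAuthentication=yes \
        -o GSSAPIDelegateCredentials=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o BatchMode=yes \
        "$1" klist
}

# Run all checks on the host that is both client and server (as in the
# thread). Reading the keytab and sshd_config normally requires root.
run_checks() {
    target=$1
    sshd_config_gssapi_ok "$(cat /etc/ssh/sshd_config)" \
        || echo "sshd_config: GSSAPIAuthentication is not 'yes'" >&2
    keytab_has_host_principal "$(klist -k "$KEYTAB")" "$SERVER" "$REALM" \
        || echo "$KEYTAB: no host/$SERVER@$REALM entry" >&2
    client_has_tgt || { echo "no valid TGT in cache; run: kinit -f user" >&2; return 1; }
    gssapi_ssh "$target"
}

case "${1:-}" in
    --check) run_checks "$2" ;;
esac
```

Run it on the Linux node as `sh gssapi-check.sh --check mmezzanotti@os112.vmwarelab.int` after `kinit -f mmezzanotti`. A "Permission denied (gssapi-with-mic)" from the final step with both file checks silent points at the KDC side (wrong or stale kvno in the keytab, clock skew, or an SPN not registered on the AD computer object); a password prompt can no longer appear, so there is no ambiguity about which mechanism actually authenticated you.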