openssh + kerberos + windows ad

Hans van Zijst hans at woefdram.nl
Mon Jan 4 12:01:17 EST 2010 

Hi Marcello,

A while ago I created the same construction that you want: ssh to a 
Linux machine and login automatically with Kerberos. My KDC also is a 
Windows 2003 box with UNIX Services installed. It's been a while, and I 
don't remember a lot of details. I remember it did take quit a bit of 
work though :)

In the logs you sent, I can't really find anything, but it "feels" like 
an incomplete SSH daemon configuration.

In my sshd-config there are also these lines:

PasswordAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On my client machine, I configured /etc/ssh/ssh_config with:

GSSAPIKeyExchange yes
GSSAPITrustDNS yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

I hope this will help you a bit. If not, please post the configuration 
of both the ssh-server and the ssh-client and I'll have a closer look.

Kind regards,

Hans



Marcello Mezzanotti wrote:
> Hi all,
> 
> im not sure if its the correct list but,
> 
> Im trying to do kind of SSO, basically, i want to ssh a remote linux
> machine, using openssh/putty (what version), without password prompt,
> just with kerberos ticket.
> 
> I have the following scenario:
> 
> Windows Server 2003 R2 (with Unix Services installed), its the DC of my domain
> Linux OpenSUSE 11.2, i configured it to do krb5/ldap autenticantion
> against my DC, its working fine, i can login remotely and localy with
> my AD credentials and its working fine, as you can see bellow:
> 
> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzanotti at os112:~> ls
> bin      Documents  Music     Public       Templates
> Desktop  Download   Pictures  public_html  Videos
> mmezzanotti at os112:~> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
> Default principal: mmezzanotti at VMWARELAB.INT
> 
> Valid starting     Expires            Service principal
> 01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT at VMWARELAB.INT
>        renew until 01/05/10 13:58:36
> mmezzanotti at os112:~>
> 
> 
> this linux machine in on my AD domain and i have a valid krb ticket.
> 
> im trying to use ssh to connect to this server, but i want to use my
> krb ticket, not type password.
> 
> i have enabled gss api options in my sshd.config.
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> 
> restarted opensshd but it doesnt work:
> 
> mmezzanotti at os112:~> ssh -vvv mmezzanotti at os112.vmwarelab.int
> OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
> debug1: Connection established.
> debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
> debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
> debug1: match: OpenSSH_5.2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 130/256
> debug2: bits set: 513/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
> debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
> debug2: bits set: 512/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
> debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug3: start over, passed a different list
> publickey,gssapi-with-mic,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
> debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
> debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
> debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> Received disconnect from 192.168.86.14: 2: Too many authentication
> failures for mmezzanotti
> 
> 
> bellow the lines about gssapi auth:
> 
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
> 
> anyone could help me?
> 
> another question, i downloaded a lot of patched putty clients with
> gssapi support (to use on windows machines), what is the correct one?
> 
> thank you,
> Marcello
> 
> --
> Marcello Mezzanotti <marcello.mezzanotti at gmail.com>
> http://blogdomarcello.wordpress.com
> Information Security
> UNIX / Linux / *BSD
>

More information about the Kerberos mailing list