openssh + kerberos + windows ad
Hans van Zijst
hans at woefdram.nl
Tue Jan 5 05:00:09 EST 2010
Hi Marcello,
Ah, you didn't have a keytab. I assumed you did :)
I used Windows to create the key and added it to /etc/krb5.keytab with
ktutil. Perhaps these entries in /etc/krb5.conf make a difference. In
your case, YaST has probably taken care of this file, but this is what I
have put into it (apart from the other stuff like realm name and so):
[libdefaults]
forwardable = true
proxiable = true
[appdefaults]
forwardable = yes
validate = true
Kind regards,
Hans
Marcello Mezzanotti wrote:
> Hans,
>
> Thaks for your help, my sshd_config options match yours, sshd_config
> doesnt recognises GSSAPIKeyExchange and GSSAPITrustDNS options.
>
> I continue to receive the "we sent a gssapi-with-mic packet, wait for
> reply" DEBUG message and the ssh tries password auth.
>
> i saw something related to krb5.keytab, do you know something about this file?
>
> thank you,
> marcello
>
>
>
> On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans at woefdram.nl> wrote:
>> Hi Marcello,
>>
>> A while ago I created the same construction that you want: ssh to a Linux
>> machine and login automatically with Kerberos. My KDC also is a Windows 2003
>> box with UNIX Services installed. It's been a while, and I don't remember a
>> lot of details. I remember it did take quit a bit of work though :)
>>
>> In the logs you sent, I can't really find anything, but it "feels" like an
>> incomplete SSH daemon configuration.
>>
>> In my sshd-config there are also these lines:
>>
>> PasswordAuthentication no
>> KerberosAuthentication yes
>> KerberosOrLocalPasswd no
>> KerberosTicketCleanup yes
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> On my client machine, I configured /etc/ssh/ssh_config with:
>>
>> GSSAPIKeyExchange yes
>> GSSAPITrustDNS yes
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> I hope this will help you a bit. If not, please post the configuration of
>> both the ssh-server and the ssh-client and I'll have a closer look.
>>
>> Kind regards,
>>
>> Hans
>>
>>
>
>
More information about the Kerberos
mailing list