openssh + kerberos + windows ad

Douglas E. Engert deengert at anl.gov
Wed Jan 6 10:52:56 EST 2010



Marcello Mezzanotti wrote:
> I just did :)
> 
> the problem was the keytab, I created using linux command "net ads
> keytab create",
> 
> I tested both linux ssh client and putty
> (PuTTY-0.58-GSSAPI-2005-07-24, I tested with another patched putty
> client, worked, but it didn't create/forward my ticket) and all
> worked fine.

Did you get forwardable tickets using the kinit -f option?

> 
> Is "Kerberos for Windows" necessary for Windows/Putty?


There are several versions of PuTTY that support the GSS protocol.

But on Windows, there are two APIs that can be used, the GSS-API
provided by the KfW and the Microsoft SSPI built into Windows.
Each of these uses its own ticket cache.

Most versions of PuTTY will use the SSPI and thus expect the user to
have logged into a Windows domain, which gets tickets during the login.
These tickets are stored in the Microsoft LSA. (runas.exe can also be used
to get tickets and run a program with a different LSA.)

Versions of PuTTY that use the KfW provided gssapi32.dll can be used
on Windows machines that are not part of a Windows domain, or where the
KDC is not a Windows domain controller, i.e. an MIT or Heimdal KDC.

The official PuTTY site, in their SVN, uses SSPI. (Bob Ramussen says they
may have an unofficial release now.)

The Quest version also uses SSPI.

I believe the Certify version uses SSPI but have not tried it.

The KfW developers, secure-endpoints.com, have a PuTTY that uses gssapi32.dll.
I have not tried this one either.

The http://v_t_m.sweb.cz/ version (which you have found) can use either SSPI
or gssapi32.dll, as it will test if tickets are available in the MSLSA or
via KfW. (I wrote that mod.) But it's for PuTTY 0.58 and does not have
GSSAPIKeyExchange.


One other issue with multiple PuTTY versions on a single Windows machine
is they all save the Sessions in the same registry location:
HKCU\Software\SimonTatham\PuTTY\Sessions, but they use different keys for
the GSS flags:
    v_t_m.sweb.cz:  AuthGSSAPI, GSSAPIFwdTGT
    PuTTY(svn):     AuthGSSAPI, gssapiFwd
    Quest:          AuthSSPI,   SSPIFwdTGT, TryGSSKEX
    Certify: (Don't know)

So if you try multiple clients, use different session names for each,
as some versions will fail if there are unknown keys in the Session.

This whole situation is unfortunate in that the open source community
had gotten way ahead of the PuTTY developers (4 years at least)
and the PuTTY developers are just starting to catch up.

So your choice of which PuTTY Windows client you use depends mostly on how
you obtain your tickets.

KfW can import tickets from the Microsoft LSA that can help in some situations.

> 
> Thank you all for help.
> 
> Thank you,
> Marcello
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
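As an added illustration of the registry issue described in the message above (this is example code, not from the original mail or from any PuTTY distribution), the following PowerShell script lists each saved PuTTY session and reports which variant's GSS/SSPI value names it carries, so an administrator can see which sessions were written by which client before mixing clients. The variant-to-value-name table is taken from the mail; the Certify names are unknown there and are left out.

```powershell
# Added example, not part of the original mail: inspect saved PuTTY sessions
# and classify each one by the GSS/SSPI value names a given PuTTY variant writes.
$base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'

# Value names each PuTTY variant uses for its GSS flags (from the mail above).
$variants = @{
    'v_t_m.sweb.cz' = @('AuthGSSAPI', 'GSSAPIFwdTGT')
    'PuTTY (svn)'   = @('AuthGSSAPI', 'gssapiFwd')
    'Quest'         = @('AuthSSPI', 'SSPIFwdTGT', 'TryGSSKEX')
}

function Get-PuttyGssVariant {
    param([string[]]$ValueNames)
    # Return every variant whose complete set of GSS value names is present.
    # Registry value names are case-insensitive, and so is -notcontains.
    $hits = foreach ($v in $variants.Keys) {
        $missing = $variants[$v] | Where-Object { $ValueNames -notcontains $_ }
        if (-not $missing) { $v }
    }
    if ($hits) { $hits -join ', ' } else { 'none' }
}

if (-not (Test-Path $base)) {
    Write-Warning "No PuTTY sessions found under $base"
    return
}

Get-ChildItem $base | ForEach-Object {
    $names = (Get-Item $_.PSPath).GetValueNames()
    $gss   = $names | Where-Object { $_ -match 'GSS|SSPI' }
    [pscustomobject]@{
        # PuTTY percent-encodes session names in the registry; decode for display.
        Session   = [uri]::UnescapeDataString($_.PSChildName)
        GssValues = ($gss -join ', ')
        WrittenBy = Get-PuttyGssVariant $names
    }
} | Format-Table -AutoSize
```

A session that reports more than one variant, or GSS values with no matching variant, is the case the mail warns about: a different client has written flags into it.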


