OpenSSH + Kerberos + Windows AD

Marcello Mezzanotti marcello.mezzanotti at gmail.com
Wed Jan 6 13:27:04 EST 2010


Bob,

On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen <ras at anzio.com> wrote:
> On Wed, 6 Jan 2010, Marcello Mezzanotti wrote:
>
>> Bob,
>>
>> What exactly you want to know? :)
>
> 1) What version(s) of PuTTY work in your environment? Did you try the
> developer's build from the official PuTTY site?

http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip

I tested other clients that worked too, but this is the only one
with which I got tickets (klist on Linux). I didn't have time to test other
krb5.conf options.

> 2) Did you have to create a keytab file on the AD server, and transfer it
> to the SSH server? How exactly did you do this?

I created the keytab file directly on Linux, using the net command.
After the Linux box joined the AD (net ads join) I typed "net ads keytab
create" and voilà.

> 3) Did you find online documents that were especially helpful? What were
> they?
>

None especially; I found documents for specific functions like:

- joining Linux to Windows domains (winbind, Kerberos and LDAP)
- smartcard Linux logon (OpenSC, pam_pkcs11) - not related

I did a mix of solutions:

- basically I have my users on AD (W2K3 R2 server with Management for Unix)
- configured winbind to join Windows domains
- configured LDAP in nsswitch.conf and PAM
- configured krb5 in PAM

and then configured SSH + krb5 for SSO (the PuTTY stuff)

-- 
Marcello Mezzanotti <marcello.mezzanotti at gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
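
The Linux-side sequence described in the message above (krb5.conf, the smb.conf settings that make "net ads join" and "net ads keytab create" work, and the sshd GSSAPI switch), collected into one script as an added example; this is not the poster's code and nothing here comes from the original thread. The realm EXAMPLE.COM, workgroup EXAMPLE, host linux01.example.com and the administrator account are assumptions, and the klist and sshd_config samples at the bottom are constructed so the two checks can be exercised offline:

```shell
#!/bin/sh
# Added example, not from the original post: the Linux side of the AD + Kerberos
# + OpenSSH single sign-on setup the post describes, plus two offline checks a
# practitioner wants before pointing a PuTTY client at the box. Realm,
# workgroup, host name and admin account are assumptions; adjust before running.

REALM="${REALM:-EXAMPLE.COM}"        # assumption: AD Kerberos realm (upper case)
WORKGROUP="${WORKGROUP:-EXAMPLE}"   # assumption: NetBIOS domain name
DOMAIN=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')

# Minimal krb5.conf for an AD realm: KDCs are located via DNS SRV records, so no
# domain controller is hard-coded. Written to stdout; install as /etc/krb5.conf.
krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    $REALM = {
        default_domain = $DOMAIN
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# [global] fragment for smb.conf so that "net ads join" creates the machine
# account and "net ads keytab create" writes its keys to /etc/krb5.keytab.
smb_conf_global() {
    cat <<EOF
[global]
    security = ads
    realm = $REALM
    workgroup = $WORKGROUP
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
EOF
}

# The join itself (needs root, working DNS, clock within 5 minutes of the DCs).
# Not run by this script; call it by hand, e.g.: join_domain Administrator
join_domain() {
    net ads join -U "$1"      # creates the computer account in AD
    net ads keytab create     # writes the host/ service keys and machine key
}

# Check 1: does a "klist -k" listing contain host/<fqdn>@REALM? sshd's GSSAPI
# acceptor needs that principal; the machine account key alone is not enough.
#   $1 = text of "klist -k /etc/krb5.keytab", $2 = realm
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        NF == 2 { split($2, p, "@"); if (p[1] ~ /^host\// && p[2] == realm) found = 1 }
        END { exit !found }'
}

# Check 2: the value sshd will actually use for a keyword. sshd takes the first
# occurrence and ignores keyword case, so a later "GSSAPIAuthentication no" does
# not override an earlier "yes". Match blocks are not handled here.
#   $1 = text of sshd_config, $2 = keyword; prints the value, or nothing if unset
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }'
}

# Constructed sample data (not real command output) for running the checks offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/linux01.example.com@EXAMPLE.COM
   2 host/LINUX01@EXAMPLE.COM
   2 LINUX01$@EXAMPLE.COM'

SAMPLE_SSHD='# sshd_config excerpt
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication no'

if keytab_has_host_principal "$SAMPLE_KLIST" "$REALM"; then
    echo "keytab: host/ principal for $REALM present"
else
    echo "keytab: no host/ principal for $REALM; rerun 'net ads keytab create'"
fi
echo "sshd GSSAPIAuthentication = $(sshd_effective "$SAMPLE_SSHD" GSSAPIAuthentication)"
```

On a real box, feed the checks `"$(klist -k /etc/krb5.keytab)"` and `"$(cat /etc/ssh/sshd_config)"` instead of the samples. Two caveats worth knowing when a GSSAPI-capable PuTTY still prompts for a password: the client asks the KDC for a ticket for host/<name you typed>, so connect using the FQDN that appears in the keytab rather than an IP address or a short alias, and keep the Linux clock within Kerberos' five-minute skew of the domain controllers.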
