cross realm and shh

aydin aydin at
Fri Apr 15 09:58:36 EDT 2011


I am trying to set up a cross realm auth. between a MS domain (2008)
and MIT Kerberos (Red Hat 5.4)

In the MIT Realm we do have only servers. Kerberos is configured
and working fine. The Realm name is PRO.ORG

MS Realm has servers and clients. It is also woking.
All users are managed by AD in the MS realm.
The name of MS realm is PRO.LOCAL

We are trying to set up a cross realm trust. It is going to be
a one way trust, MIT realm (PRO.ORG) will trust the MS realm. (PRO.LOCAL)

When we boot a windows client (vista) it joins to the ms domain and gets
krbtgt/PRO.LOCAL at PRO.LOCAL ticket as well as ldap/ at PRO.LOCAL ticket.

To estabish the trust relationship, we have entered

krbtgt/PRO.ORG at PRO.LOCAL to both kdc's.
Their passwords are same, they are using the same encryption and their Kvno's are same.

Until here all seems fine.

I am trying to ssh from a windows machine to a Linux host.
As far as I know it should work like this;

ssh will do a dns search for the machine that I want to login
ssh understands that target machine belongs to another realm
ssh will ask to the kdc of its realm krbtgt/PRO.ORG at PRO.LOCAL ticket
ssh gets this ticket and sends it to the kdc of other realm (PRO.ORG)
kdc of PRO.ORG gets this ticket and communicates with kdc of PRO.LOCAL
If they agree that the ticket is valid PRO.ORG 's kdc will send a host/  ticket
ssh then uses this host ticket to establish a connection to the machine and logs in without a password

The problem;

 From the ssh client when I say I want to ssh to a machine it directly goes to
that system. It is kerberized (as far as I understand) but it never asks anything
from its own kdc.

ssh client : Kerberized putty from centrify
ssh client : Power Term
ssh client : Open ssh

are the ones that I have tried.



More information about the Kerberos mailing list