kerberos auth for ssh2
Kevin Kalupson
kjk137 at kevinkal.com
Fri Aug 5 14:03:12 EDT 2005
I appreciate the response. My config files do indeed match up with what
you note as required.
After 'kinit -f username' and an attempt to 'ssh username@server.name' I
receive this debug info:
-----------------------------snip------------------------------------
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string OpenSSH_3.8.1p1
debug3: Trying to reverse map address .
debug1: Miscellaneous failure
Server not found in Kerberos database
debug1: Miscellaneous failure
Server not found in Kerberos database
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
-----------------------------snip------------------------------------
This is what makes me think that the kdc somehow needs to know something
about the server I am trying to connect with.
Simon Wilkinson wrote:
>Kevin J Kalupson wrote:
>
>>1) My main goal is to implement kerberos authentication for ssh via
>>gssapi-with-mic. I have found a lot of web sites where people claim to
>>have it working, but I have not experienced success yet.
>>To your knowledge, should this method now work with up to date
>>installations of openssh and kerberos and using ssh2?
>
>gssapi-with-mic has been supported in OpenSSH since November 2003. It
>definitely works with an up to date installation. In the vanilla OpenSSH
>release, it is disabled by default. You will need 'GssapiAuthentication
>yes' in both client and server configuration files, and
>'GssapiDelegateCredentials yes' on the client.
>
>>2) I am using PAM auth modules. Currently, users can log in using their
>>kerberos password. If I am using PAM, do I need "extra" configuration
>>so that pam will ok the user that passes a gssapi-with-mic ticket is
>>authenticated, or does ssh forgo PAM when configured for gssapi-with-mic
>>tickets as well?
>
>You shouldn't need 'extra' configuration. When a user authenticates
>through gssapi-with-mic, the PAM account and session stacks will be run.
>This allows authorization checks, and the acquisition of additional credentials.
>
>>3) Are there other options besides gssapi-with-mic for ssh2 login with a
>>kerberos based ticket?
>
>Clients and servers produced by ssh.com support an authentication
>mechanism called 'kerberos2@ssh.com'. This isn't widely used.
>
>>4) Does the kdc have to have special knowledge of the server that is
>>requesting authentication for a user via a forwarded ticket or does the
>>server making the request for this sort of auth simply just need to know
>>how to ask?
>
>The host/ server principal and the user's principal both need to have
>the allow_forwardable flag set. The user's credentials need to have been
>obtained as forwardable credentials (for example, through kinit -f). You
>need to have credential forwarding turned on by having
>'GSSAPIDelegateCredentials yes' in your ssh client's configuration file.
>
>Cheers,
>
>Simon.
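As an added example that is not part of this thread or of OpenSSH/MIT Kerberos, the following checker turns the prerequisites Simon lists (GSSAPIAuthentication on both sides, GSSAPIDelegateCredentials on the client, a forwardable TGT from kinit -f) and the "Server not found in Kerberos database" line from Kevin's debug output into an offline preflight. It works on captured text rather than running the tools; the config snippets, klist output, ssh debug lines and the hostname server.example.com are constructed sample inputs.

```python
"""Added example, not code from the krbdev thread: an offline preflight
checker for OpenSSH gssapi-with-mic logins. It reads captured text (ssh
client/server config, 'klist -f' output, 'ssh -vvv' output) instead of
running the tools, so the sample inputs below are constructed."""
import re

# --- constructed sample inputs (assumptions, not captures from the thread) ---
CLIENT_CONFIG = """
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""
CLIENT_CONFIG_FIXED = """
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""
SERVER_CONFIG = """
# keyword case does not matter to sshd; this is the same option as GSSAPIAuthentication
GssapiAuthentication yes
"""
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@EXAMPLE.COM

Valid starting     Expires            Service principal
08/05/05 13:55:02  08/05/05 23:55:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
"""
SSH_DEBUG = """debug1: Miscellaneous failure
Server not found in Kerberos database
debug1: SSH2_MSG_KEXINIT sent
"""

SERVER_NOT_FOUND = "Server not found in Kerberos database"


def parse_ssh_config(text):
    """Return {lowercased keyword: lowercased value}. OpenSSH keywords are
    case-insensitive and the first obtained value wins; whole-line comments
    are skipped and 'Host'/'Match' headers are ignored, so every setting is
    treated as applying (good enough for a preflight)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if key in ("host", "match"):
            continue
        opts.setdefault(key, val)
    return opts


def parse_klist_flags(text):
    """Map each service principal in 'klist -f' output to its flag letters.
    MIT klist prints a 'Flags: ...' line under each ticket; 'F' means the
    ticket is forwardable, which is what 'kinit -f' requests."""
    flags = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Flags:\s*([A-Za-z]*)", line)
        if m and current:
            flags[current] = m.group(1)
            continue
        fields = line.split()
        if len(fields) >= 5 and "/" in fields[-1] and "@" in fields[-1]:
            current = fields[-1]  # a ticket line ends with the service principal
    return flags


def preflight(client_cfg, server_cfg, klist_out, ssh_debug, server_fqdn):
    """Return the list of unmet prerequisites visible in the captured text;
    an empty list means nothing in these inputs explains a failed login."""
    findings = []
    c = parse_ssh_config(client_cfg)
    s = parse_ssh_config(server_cfg)
    if c.get("gssapiauthentication") != "yes":
        findings.append("client: GSSAPIAuthentication is not yes")
    if c.get("gssapidelegatecredentials") != "yes":
        findings.append("client: GSSAPIDelegateCredentials is not yes")
    if s.get("gssapiauthentication") != "yes":
        findings.append("server: GSSAPIAuthentication is not yes")
    tgts = [f for p, f in parse_klist_flags(klist_out).items()
            if p.startswith("krbtgt/")]
    if not tgts:
        findings.append("client: no TGT in the credential cache (run kinit -f)")
    elif "F" not in tgts[0]:
        findings.append("client: TGT is not forwardable (run kinit -f)")
    if SERVER_NOT_FOUND in ssh_debug:
        # The KDC could not find the service principal the client asked for,
        # i.e. host/<fqdn>@REALM for this server is missing from its database.
        findings.append("kdc: no host/%s service principal in the KDC database"
                        % server_fqdn)
    return findings


if __name__ == "__main__":
    for finding in preflight(CLIENT_CONFIG, SERVER_CONFIG, KLIST_OUTPUT,
                             SSH_DEBUG, "server.example.com"):
        print(finding)
```

Run against the constructed inputs it reports two findings: the client still has GSSAPIDelegateCredentials off, and the KDC error means the host/ service principal for the server is what the KDC is missing, which is the "special knowledge of the server" Kevin's debug output points at. With CLIENT_CONFIG_FIXED and a clean debug log the list is empty.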