Noting that MobaXterm supports GSSAPI: https://www.mobatek.net/

In Settings/SSH you have a choice of SSH library: Native Windows, MIT Kerberos, Custom Library.
On Fri, 31 May 2019 at 17:25, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> On Fri, 31 May 2019, Sumit Bose via FreeIPA-users wrote:
> > On Fri, May 31, 2019 at 11:42:43AM -0300, Juan Pablo via FreeIPA-users wrote:
> > > Hi, first of all: GSSAPI is not imported on openssh for windows
> > > unfortunately. So you must use putty to have GSSAPI kerberos
> > > passwordless from windows to linux domain.
> >
> > Thanks, good to know. Is there a reference for this or do you know from
> > your own experiments?
> There is an experimental build with GSSAPI/SSPI support:
> https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi
>
> > > second, from which system on the windows side are you trying to login? can
> > > you see if it works from the Active Directory server itself, please? IIRC,
> > > you will have to allow the host/pc to delegate kerberos credentials (on
> > > windows side). AD domain servers have kerberos ticket delegation enabled by
> > > default, regular pc/hosts don't. maybe this is the case...
> >
> > You are right that delegation is not enabled by default but for just
> > logging in this is not needed. For the login the client requests a
> > service ticket and only this service ticket is sent to the server for
> > authentication. With delegation the Kerberos TGT (the ticket you get
> > with kinit) is forwarded to the server as well so that it can be used on
> > the remote host to authenticate against other services as well.
> >
> > bye,
> > Sumit
> >
> > > regards,
> > > JP
> > >
> > > On Mon, 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users (<freeipa-users@lists.fedorahosted.org>) wrote:
> > > > On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> > > > > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > > > > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> > > > > > > On 23/05/2019 14:56, Rob Crittenden wrote:
> > > > > > > > lejeczek via FreeIPA-users wrote:
> > > > > > > > > hi guys,
> > > > > > > > >
> > > > > > > > > reading the official guide one may assume - I do - that "Using SSH
> > > > > > > > > Without Passwords" should work out-of-box (centos 7.6) - is such an
> > > > > > > > > assumption valid?
> > > > > > > > >
> > > > > > > > > For me this does not work - ssh still asks for passwords.
> > > > > > > > >
> > > > > > > > > If this is due to some failure/problem, then where to look and how
> > > > > > > > > to troubleshoot?
> > > > > > > > It's hard to know what you're doing, ssh from where to where, using
> > > > > > > > what?
> > > > > > > >
> > > > > > > > rob
> > > > > > > I made an assumption - which I see now was invalid - that some experts
> > > > > > > may know the mentioned guide by heart and if I quoted something then the
> > > > > > > rest will be obvious - wrong, sorry.
> > > > > > >
> > > > > > > "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> > > > > > > Directory Machines for IdM Resources" which is about Kerberos, I
> > > > > > > understand.
> > > > > > >
> > > > > > > My hope was to have AD's clients be able to ssh (and maybe get to other
> > > > > > > things like Samba) without password and with Kerberos.
> > > > > > >
> > > > > > > I see IPA's users can do that between IPA's servers
> > > > > > >
> > > > > > > ...
> > > > > > > debug1: PAM: initializing for "tester1"
> > > > > > > debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> > > > > > > debug1: PAM: setting PAM_TTY to "ssh"
> > > > > > > debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
> > > > > > > debug1: attempt 1 failures 0 [preauth]
> > > > > > > Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
> > > > > > > debug1: Got no client credentials
> > > > > > > debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
> > > > > > > Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
> > > > > > > debug1: do_pam_account: called
> > > > > > > Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> > > > > > > ...
> > > > > > >
> > > > > > > But a Win10Pro which is an AD member, which I'm trying, when I ssh as
> > > > > > > AD's user then I do not see the above in the logs and such ssh (Win10's
> > > > > > > own feature) is asked for a password.
> > > > > > >
> > > > > > > To sum up: AD's users off/from Win AD win-stations to IPA's
> > > > > > > members/clients with Kerberos if possible. (trust is already
> > > > > > > established and running)
> > > > > > Hi,
> > > > > >
> > > > > > having a trust is the first requirement. Second is an ssh client on the
> > > > > > Windows side which can do GSSAPI authentication (recent versions of putty
> > > > > > can) and has GSSAPI authentication enabled (iirc this is not the default
> > > > > > for putty, so you have to switch it on manually). Next is that you have
> > > > > > to use the fully-qualified DNS name of the IPA client you want to log in
> > > > > > to. If all this is set and authentication still falls back to asking for a
> > > > > > password please check with the klist command on the Windows client in
> > > > > > command.exe or the Powershell if you already got a service ticket for
> > > > > > the IPA client. If this is missing please check if there is a
> > > > > > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> > > > > > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > > > > > well the issue is on the AD side and the client either does not try
> > > > > > GSSAPI at all or it does not get a cross-realm ticket from the local DC.
> > > > > >
> > > > > > HTH
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > >
> > > > > I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> > > > > (a member of a win2016 AD domain).
> > > > >
> > > > > klist only shows two tickets, krbtgt & LDAP @AD domain, and nowhere
> > > > > there do I see a mention of the IPA domain.
> > > > >
> > > > > That is after a one-way trust was established from IPA's side,
> > > > > successfully. DNS seems to work, users seem to work.
> > > > >
> > > > > My setup: IPA is a subdomain of AD.
> > > > >
> > > > > Win10Pro is 1903 with openssh-client installed as/from optional feature.
> > > > > I think it does support gssapi.
> > > >
> > > > I haven't tried this ssh client so far. But typically
> > > > GSSAPIAuthentication is not enabled by default for openssh clients. Have
> > > > you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
> > > > something GSSAPI related in the debug output?
> > > >
> > > > >
> > > > > After a trust is established - do we need to create groups & mappings
> > > > > for AD users for ssh/samba to work? Guide docs I saw I understand then
> > > > > these are only required when one needs HBAC, correct?
> > > >
> > > > Yes.
> > > >
> > > > >
> > > > > How to start troubleshooting?
> > > > >
> > > > > many thanks, L.
> > > > >
> > > > > > > many thanks, L.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
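Sumit's klist decision tree above (host service ticket, then cross-realm krbtgt ticket, else the AD side), worked through as an added example that is not part of this thread: a Python parser for Windows klist output applying the three checks to constructed sample output. The realm and host names (AD.EXAMPLE.TEST, IPA.AD.EXAMPLE.TEST, client1.ipa.ad.example.test) are constructed, following the "IPA is a subdomain of AD" layout described in the thread.

```python
import re
from typing import List, Tuple

# "Server:" line of each ticket block in Windows klist output, e.g.
# "        Server: krbtgt/AD.EXAMPLE.TEST @ AD.EXAMPLE.TEST"
SERVER_RE = re.compile(r"^\s*Server:\s*(?P<service>\S+)\s*@\s*(?P<realm>\S+)\s*$")

def parse_klist(output: str) -> List[Tuple[str, str]]:
    """Return (service principal, issuing realm) for every cached ticket."""
    matches = (SERVER_RE.match(line) for line in output.splitlines())
    return [(m.group("service"), m.group("realm")) for m in matches if m]

def diagnose(tickets: List[Tuple[str, str]], ipa_host: str, ipa_realm: str, ad_realm: str) -> str:
    """Three-step check from the thread: host service ticket, then cross-realm TGT, else AD side."""
    have = {f"{svc}@{realm}".lower() for svc, realm in tickets}  # case-insensitive compare
    if f"host/{ipa_host}@{ipa_realm}".lower() in have:
        return "SERVICE_TICKET"      # Windows side has credentials; check ssh client options / sshd
    if f"krbtgt/{ipa_realm}@{ad_realm}".lower() in have:
        return "CROSS_REALM_ONLY"    # use the FQDN of the IPA client, check the IPA KDC is reachable
    return "NO_CROSS_REALM"          # client never tried GSSAPI or the DC issued no cross-realm ticket

# Constructed klist output resembling what lejeczek reported: only AD-realm tickets.
KLIST_AD_ONLY = """\
#0>     Client: jdoe @ AD.EXAMPLE.TEST
        Server: krbtgt/AD.EXAMPLE.TEST @ AD.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ AD.EXAMPLE.TEST
        Server: ldap/dc1.ad.example.test @ AD.EXAMPLE.TEST
"""

# Constructed output after a working login: cross-realm TGT plus host ticket for the IPA client.
KLIST_WORKING = KLIST_AD_ONLY + """
#2>     Client: jdoe @ AD.EXAMPLE.TEST
        Server: krbtgt/IPA.AD.EXAMPLE.TEST @ AD.EXAMPLE.TEST

#3>     Client: jdoe @ AD.EXAMPLE.TEST
        Server: host/client1.ipa.ad.example.test @ IPA.AD.EXAMPLE.TEST
"""

def check(output: str) -> str:
    return diagnose(parse_klist(output), "client1.ipa.ad.example.test",
                    "IPA.AD.EXAMPLE.TEST", "AD.EXAMPLE.TEST")

if __name__ == "__main__":
    print(check(KLIST_AD_ONLY))   # NO_CROSS_REALM
    print(check(KLIST_WORKING))   # SERVICE_TICKET
```

On a real Windows client, feed the output of `klist` into `check()` in place of the constructed strings; the realm and host arguments must match the IPA client actually being connected to by its fully-qualified name.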