Hi,

I know that Centrify provides a kerberised version of PuTTY for free: 
http://www.centrify.com/resources/putty.asp (just create an account and 
download it).
And this version is fully "compliant" with AD.
This is perhaps a good first step for you.

Regards

Sylvain

Sylvain Cortes
Partnership manager

E-mail: mailto:s.cor...@cerberis.com
Blog: www.identitycosmos.com
30 cours Libération
38100 Grenoble

Tel: +33 4 76 21 17 03
Fax: +33 4 76 84 68 10
http://www.cerberis.com
-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On behalf of 
Marcello Mezzanotti
Sent: Monday 4 January 2010 17:17
To: kerberos@mit.edu
Subject: openssh + kerberos + windows ad

Hi all,

I'm not sure if it's the correct list, but

I'm trying to do a kind of SSO: basically, I want to ssh to a remote Linux
machine, using openssh/putty (what version?), without a password prompt,
just with a Kerberos ticket.

I have the following scenario:

Windows Server 2003 R2 (with Unix Services installed); it's the DC of my domain.
Linux openSUSE 11.2, which I configured to do krb5/ldap authentication
against my DC; it's working fine, I can log in remotely and locally with
my AD credentials, as you can see below:

login as: mmezzanotti
Using keyboard-interactive authentication.
Password:
Last login: Wed Dec 30 14:00:19 2009 from localhost
Have a lot of fun...
mmezzano...@os112:~> ls
bin      Documents  Music     Public       Templates
Desktop  Download   Pictures  public_html  Videos
mmezzano...@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzano...@vmwarelab.int

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/vmwarelab....@vmwarelab.int
       renew until 01/05/10 13:58:36
mmezzano...@os112:~>


This Linux machine is on my AD domain and I have a valid krb ticket.

I'm trying to use ssh to connect to this server, but I want to use my
krb ticket, not type a password.

I have enabled the GSSAPI options in my sshd_config:
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


I restarted sshd but it doesn't work:

mmezzano...@os112:~> ssh -vvv mmezzano...@os112.vmwarelab.int
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
debug1: Connection established.
debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Received disconnect from 192.168.86.14: 2: Too many authentication
failures for mmezzanotti


Below are the lines about GSSAPI auth:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

Could anyone help me?

Another question: I downloaded a lot of patched PuTTY clients with
GSSAPI support (to use on Windows machines); which is the correct one?

Thank you,
Marcello

--
Marcello Mezzanotti <marcello.mezzano...@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
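As an added diagnostic that is not part of the thread, the following Python reads an `ssh -vvv` client trace like the one quoted above and separates a method the server refused outright (a USERAUTH_FAILURE with no exchange at all, which is what happens to gssapi-with-mic in the post) from one the server engaged with before failing (keyboard-interactive, which prompted for a password). The sample trace is constructed from the post's log, and the keytab interpretation in the helper's docstring is the editor's reading of OpenSSH behaviour, not something the thread states.

```python
import re
# Constructed excerpt modelled on the trace quoted in the post; not the full log.
SAMPLE_TRACE = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Received disconnect from 192.168.86.14: 2: Too many authentication failures for mmezzanotti
"""

def summarise_userauth(trace):
    """Return ({method: {'sent', 'failed', 'refused_outright'}}, disconnect_reason); a failure
    ('Authentications that can continue') right after 'we sent a ... packet' is an outright refusal."""
    methods, current, since_send, disconnect = {}, None, None, None
    for line in trace.splitlines():
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            current, since_send = m.group(1), None
            methods[current] = {"sent": 0, "failed": 0, "refused_outright": 0}
        elif current is None:
            continue                       # banner/KEX lines before userauth
        elif re.match(r"debug2: we sent a \S+ packet", line):
            methods[current]["sent"] += 1
            since_send = 0
        elif line.startswith("debug1: Authentications that can continue:"):
            methods[current]["failed"] += 1
            methods[current]["refused_outright"] += int(since_send == 0)
            since_send = None
        elif line.startswith("Received disconnect from"):
            disconnect = line.split(": ", 2)[2]
        elif since_send is not None:
            since_send += 1                # the server engaged before failing
    return methods, disconnect

def gssapi_never_negotiated(methods):
    """True when every gssapi-with-mic request was refused outright, so sshd never began a token
    exchange: in OpenSSH that is how a missing/unusable host/<hostname> keytab entry looks (editor's reading)."""
    g = methods.get("gssapi-with-mic")
    return bool(g) and g["sent"] > 0 and g["refused_outright"] == g["sent"]
```

On a real trace, compare the result with `klist -k` on the server and `klist` on the client before touching sshd_config.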

