Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Douglas E. Engert


Nicolas Williams wrote:

> 
> # One or both of GSSAPIAuthentication and GSSAPIKeyExchange must be on
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPIStoreDelegatedCredentials yes
> 

The defaults for all of these are yes; we did not have to change
/etc/ssh/sshd_config.


>Restart the ssh service if you had to change this.
> 
> 2) On the client side make sure that you have credentials to delegate
>(klist -f should show a forwardable TGT in your ccache).
> 

Yes.

> 3) On the client make sure that you're not disabling the relevant
>ssh_config(4) parameters in /etc/ssh/ssh_config or in ~/.ssh/config,
>particularly GSSAPIDelegateCredentials.
> 

Yes.
> To debug this try running ssh -vvv.  If that does not produce enough
> information then try running sshd in debug mode as well:
> 
> # /usr/lib/ssh/sshd -dddp 
> ...
> 
> % ssh -p  ...
> ...
> 
> Capture the output and send it to me.
> 
>>> We force ssh via PAM to be a session based cred, and get AFS token too:
>>>
>>> # Used by GSS, but ssh has bug about saving creds, so we use session 
>>> based creds.
>> That kind of explains things then.  I guess it's a bug, eh?
> 
> It's not. 

I disagree. Using a user based cache vs a session based cache can lead to
deleted tickets when a session ends, or user logs off the console. We also
saw that only the TGT would get updated, and not the other tickets
in the cache.

> Doug is doing something that is very specific to his site.

Not really, Jeff Blaine is also on the AFS list, and I bet that where
he is heading is getting AFS tokens...

> 
> Nico

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Nicolas Williams
On Thu, Nov 01, 2007 at 04:31:39PM -0400, Jeff Blaine wrote:
> Douglas E. Engert wrote:
> > Jeff Blaine wrote:
> >> I apologize for the general nature of this post.  Maybe it's
> >> better posted to the secureshell list which is loaded with
> >> spam and is often choked up sitting on some server somewhere,
> >> but...
> >>
> >> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
> >> I'm in though, klist says I have no credential cache and
> >> there's nothing useful in /tmp.
> > 
> > What does your /etc/pam.conf look like?

Doug, that should have little or nothing to do with this in S10.

> I was using the sshd non-PAM GSSAPIAuthentication (enabled
> by default).

OK, really specific instructions:

1) On the server make sure that you are not setting the following
   sshd_config(4) parameters or that you set them as follows:

# One or both of GSSAPIAuthentication and GSSAPIKeyExchange must be on
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreDelegatedCredentials yes

   Restart the ssh service if you had to change this.

2) On the client side make sure that you have credentials to delegate
   (klist -f should show a forwardable TGT in your ccache).

3) On the client make sure that you're not disabling the relevant
   ssh_config(4) parameters in /etc/ssh/ssh_config or in ~/.ssh/config,
   particularly GSSAPIDelegateCredentials.

To debug this try running ssh -vvv.  If that does not produce enough
information then try running sshd in debug mode as well:

# /usr/lib/ssh/sshd -dddp 
...

% ssh -p  ...
...

Capture the output and send it to me.

> > We force ssh via PAM to be a session based cred, and get AFS token too:
> > 
> > # Used by GSS, but ssh has bug about saving creds, so we use session 
> > based creds.
> 
> That kind of explains things then.  I guess it's a bug, eh?

It's not.  Doug is doing something that is very specific to his site.

Nico
-- 

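As an added example (not part of the thread, and not a Solaris, OpenSSH or MIT tool), the shell script below turns the three checks in the message above, plus the kinit -f / forwardable = true point from the exchange between Roberto and Nico, into a pre-flight check that runs against config files and saved klist -f output. Everything it reads is constructed sample text: the principal user@EXAMPLE.COM, the cache path and the flag strings are placeholders. Two assumptions are built in: only global settings are inspected (no Host/Match blocks, no Keyword=value syntax), and the default applied when GSSAPIDelegateCredentials is absent is passed in by the caller, because SunSSH and stock OpenSSH differ on it.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the three
# conditions needed before a GSSAPI ssh login leaves a delegated credential
# cache on the server. All config and klist text below is constructed.

# Value of the first occurrence of an ssh_config/sshd_config keyword (the
# occurrence OpenSSH and SunSSH honour), lower-cased, or the supplied
# default when the keyword is absent. Assumption: global section only;
# Host/Match blocks and "Keyword=value" syntax are not handled.
ssh_cfg_get() {   # file keyword default
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }' "$1"
}

# Step 1 (server): sshd stores a delegated credential only when
# GSSAPIAuthentication or GSSAPIKeyExchange is on and
# GSSAPIStoreDelegatedCredentials is not switched off. Solaris 10 defaults
# all three to yes, so an absent keyword counts as yes.
sshd_stores_delegated_creds() {   # sshd_config
    auth=$(ssh_cfg_get "$1" GSSAPIAuthentication yes)
    kex=$(ssh_cfg_get "$1" GSSAPIKeyExchange yes)
    store=$(ssh_cfg_get "$1" GSSAPIStoreDelegatedCredentials yes)
    { [ "$auth" = yes ] || [ "$kex" = yes ]; } && [ "$store" = yes ]
}

# Step 3 (client): delegation must not be disabled in ssh_config. The
# default for an absent keyword differs between builds (stock OpenSSH: no),
# so the caller supplies it.
ssh_client_delegates() {   # ssh_config default-when-absent
    [ "$(ssh_cfg_get "$1" GSSAPIDelegateCredentials "$2")" = yes ]
}

# Step 2 (client): the TGT must be forwardable, whether it came from
# "kinit -f" or from forwardable = true in [libdefaults]. Parses saved
# "klist -f" output in MIT layout, where a "Flags:" line follows each
# ticket and an upper-case F marks forwardable.
has_forwardable_tgt() {   # file-with-klist-f-output
    awk '/krbtgt\// { tgt = 1; next }
         tgt && /Flags:/ { if (index($2, "F")) ok = 1; exit }
         { tgt = 0 }
         END { exit !ok }' "$1"
}

demo_dir=$(mktemp -d)          # constructed sample inputs live here
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/sshd_config.ok" <<'EOF'
# constructed: the settings asked for in the thread
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStoreDelegatedCredentials yes
EOF
cat > "$demo_dir/sshd_config.bad" <<'EOF'
# constructed: login works, but the delegated credential is dropped
GSSAPIAuthentication yes
GSSAPIStoreDelegatedCredentials no
EOF
cat > "$demo_dir/ssh_config" <<'EOF'
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
EOF
cat > "$demo_dir/klist.ok" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/07 14:00:00  11/02/07 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
EOF
cat > "$demo_dir/klist.bad" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/07 14:00:00  11/02/07 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA
EOF

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
report sshd_stores_delegated_creds "$demo_dir/sshd_config.ok"
report sshd_stores_delegated_creds "$demo_dir/sshd_config.bad"
report ssh_client_delegates "$demo_dir/ssh_config" no
report has_forwardable_tgt "$demo_dir/klist.ok"
report has_forwardable_tgt "$demo_dir/klist.bad"
```

On a real host, point the functions at /etc/ssh/sshd_config, ~/.ssh/config and the output of klist -f; a missing F on the krbtgt line is the case Roberto and Nico cover, and fixing it on the client (kinit -f or forwardable = true) is independent of anything in sshd_config.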


Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Roberto C. Sánchez
On Thu, Nov 01, 2007 at 03:33:08PM -0500, Nicolas Williams wrote:
> On Thu, Nov 01, 2007 at 04:05:55PM -0400, Roberto C. Sánchez wrote:
> > On Thu, Nov 01, 2007 at 02:34:12PM -0400, Jeff Blaine wrote:
> > > Has anyone come across this and found an answer?
> > 
> > $ grep GSSAPI ~/.ssh/config
> > GSSAPIAuthentication yes
> > GSSAPIDelegateCredentials yes
> 
> You also need to kinit -f or set forwardable = true in the [libdefaults]
> section of krb5.conf(4).
> 
Yes.  Quite right.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Nicolas Williams
On Thu, Nov 01, 2007 at 04:05:55PM -0400, Roberto C. Sánchez wrote:
> On Thu, Nov 01, 2007 at 02:34:12PM -0400, Jeff Blaine wrote:
> > Has anyone come across this and found an answer?
> 
> $ grep GSSAPI ~/.ssh/config
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes

You also need to kinit -f or set forwardable = true in the [libdefaults]
section of krb5.conf(4).

Nico
-- 



Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Jeff Blaine
Douglas E. Engert wrote:
> Jeff Blaine wrote:
>> I apologize for the general nature of this post.  Maybe it's
>> better posted to the secureshell list which is loaded with
>> spam and is often choked up sitting on some server somewhere,
>> but...
>>
>> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
>> I'm in though, klist says I have no credential cache and
>> there's nothing useful in /tmp.
> 
> What does your /etc/pam.conf look like?

I was using the sshd non-PAM GSSAPIAuthentication (enabled
by default).

> We force ssh via PAM to be a session based cred, and get AFS token too:
> 
> # Used by GSS, but ssh has bug about saving creds, so we use session 
> based creds.

That kind of explains things then.  I guess it's a bug, eh?

PAM works better for us anyway, I was just thinking I might
have poor luck with it and ticket forwarding.

I'll give it a shot.

> sshd-gssapi   account requisite  pam_roles.so.1
> sshd-gssapi   account required   pam_unix_account.so.1
> sshd-gssapi   account required   /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p
> 
> sshd-gssapi   session required  pam_unix_session.so.1
> sshd-gssapi   session required  /krb5/lib/pam_afs2.so.1
> sshd-gssapi   session required  /krb5/lib/pam_krb5_ccache.so.1  clean

I'll

> See:
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> 
>>
>> Has anyone come across this and found an answer?
>> 



Re: transferring a Windows ticket to Solaris for smbclient to use.

2007-11-01 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote:
> I authenticate to a Windows 2003 KDC  from Solaris 10 with kinit and
> then use smbclient -k   But I want to eliminate the need to do
> kinit by automatically transferring the existing ticket from Windows
> before invoking smbclient. This is needed to automate some file
> transfers.  I cannot find this scenario documented.  Will this work?
> Where is the ticket located on Windows and what are the mechanisms for
> transferring it to Solaris?
> -Keith
>
How are you connected to Solaris from Windows?



Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Roberto C. Sánchez
On Thu, Nov 01, 2007 at 02:34:12PM -0400, Jeff Blaine wrote:
> 
> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
> I'm in though, klist says I have no credential cache and
> there's nothing useful in /tmp.
> 
> Has anyone come across this and found an answer?

$ grep GSSAPI ~/.ssh/config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Douglas E. Engert


Jeff Blaine wrote:
> I apologize for the general nature of this post.  Maybe it's
> better posted to the secureshell list which is loaded with
> spam and is often choked up sitting on some server somewhere,
> but...
> 
> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
> I'm in though, klist says I have no credential cache and
> there's nothing useful in /tmp.

What does your /etc/pam.conf look like?


We force ssh via PAM to be a session based cred, and get AFS token too:

# Used by GSS, but ssh has bug about saving creds, so we use session based creds.

sshd-gssapi   account requisite  pam_roles.so.1
sshd-gssapi   account required   pam_unix_account.so.1
sshd-gssapi   account required   /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p

sshd-gssapi   session required  pam_unix_session.so.1
sshd-gssapi   session required  /krb5/lib/pam_afs2.so.1
sshd-gssapi   session required  /krb5/lib/pam_krb5_ccache.so.1  clean

See:
ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

> 
> Has anyone come across this and found an answer?
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Nicolas Williams
On Thu, Nov 01, 2007 at 02:34:12PM -0400, Jeff Blaine wrote:
> I apologize for the general nature of this post.  Maybe it's
> better posted to the secureshell list which is loaded with
> spam and is often choked up sitting on some server somewhere,
> but...
> 
> I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
> I'm in though, klist says I have no credential cache and
> there's nothing useful in /tmp.
> 
> Has anyone come across this and found an answer?

Did you delegate a credential?



Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Jeff Blaine
I apologize for the general nature of this post.  Maybe it's
better posted to the secureshell list which is loaded with
spam and is often choked up sitting on some server somewhere,
but...

I can ssh with GSSAPI auth to a Solaris 10 box fine.  When
I'm in though, klist says I have no credential cache and
there's nothing useful in /tmp.

Has anyone come across this and found an answer?



transferring a Windows ticket to Solaris for smbclient to use.

2007-11-01 Thread [EMAIL PROTECTED]
I authenticate to a Windows 2003 KDC  from Solaris 10 with kinit and
then use smbclient -k   But I want to eliminate the need to do
kinit by automatically transferring the existing ticket from Windows
before invoking smbclient. This is needed to automate some file
transfers.  I cannot find this scenario documented.  Will this work?
Where is the ticket located on Windows and what are the mechanisms for
transferring it to Solaris?
-Keith




Re: Changing password using slave KDC

2007-11-01 Thread Ken Raeburn
On Nov 1, 2007, at 07:17, Sachin Punadikar wrote:
> I carried out the change. Added an entry of "kdc=master-kdc" after the
> existing "kdc=slave-kdc". But it still fails to get a ticket with the new
> password.
> It works fine when "master_kdc=master-kdc" exists.
>
> So is it expected behavior?

This is expected.  If the library detects a "wrong password" type of  
error, it will try talking to the master KDC if it finds one  
configured.  It won't simply walk through all of the KDCs.  (The  
model is, roughly, that the slaves all get updated from the master at  
about the same time, so talking to other slaves won't help.  But if  
there is a master, its data may be more recent than the slaves'.)

In regard to a question in your earlier email, if the LDAP database  
back end is used on the KDC, the password change should immediately  
be seen by the slave KDC.  Perhaps not *quite* immediately, if you're  
replicating your LDAP service and your slave KDC is looking at a  
different LDAP server than the master KDC; I'm unfamiliar with the  
details of LDAP data replication in various implementations.

Ken

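The fallback Ken describes is driven by an explicit master_kdc relation, which is why adding master-kdc as just another kdc entry did not help. The script below is an added example, not from the thread and not MIT code: it pulls a realm stanza out of a krb5.conf and reports whether master_kdc is set, with the broken, half-fixed and working configurations side by side. The realm name EXAMPLE.COM, the second realm OTHER.ORG and all file contents are constructed; slave-kdc and master-kdc are the host names used in the thread. It assumes a realm stanza contains no nested braces.

```shell
#!/bin/sh
# Added example, not from the thread: extract a realm stanza from krb5.conf
# and check whether the client library has a master KDC to fall back to
# after a password change. Realm names and file contents are constructed.

# Print every value of <key> inside the [realms] stanza for <realm>.
# Accepts "key = value" and "key=value". Assumption: no nested braces
# inside a realm stanza.
krb5_realm_get() {   # file realm key
    awk -v realm="$2" -v key="$3" '
        function lhs(s) { sub(/=.*/, "", s); gsub(/[ \t]/, "", s); return s }
        function rhs(s) { sub(/^[^=]*=/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { section = $0; gsub(/\[|\]|[ \t]/, "", section); inside = 0; next }
        section == "realms" && !inside && /\{[ \t]*$/ { inside = (lhs($0) == realm); next }
        inside && /^[ \t]*\}/ { inside = 0; next }
        inside && index($0, "=") && lhs($0) == key { print rhs($0) }' "$1"
}

# Ken's point: on a "wrong password" style error the library retries only
# against master_kdc; it does not walk the kdc list. So this is the check
# that matters after a password change.
realm_has_master_kdc() {   # file realm
    [ -n "$(krb5_realm_get "$1" "$2" master_kdc)" ]
}

# Secondary check: is <host> listed for the realm at all, as kdc or master_kdc?
realm_lists_kdc() {   # file realm host
    { krb5_realm_get "$1" "$2" kdc; krb5_realm_get "$1" "$2" master_kdc; } | grep -qx "$3"
}

demo_dir=$(mktemp -d)          # constructed sample inputs live here
trap 'rm -rf "$demo_dir"' EXIT

# Constructed: the original report, slave only.
cat > "$demo_dir/krb5.conf.broken" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc=slave-kdc
    }
EOF

# Constructed: the first attempt, master added only as another kdc.
cat > "$demo_dir/krb5.conf.kdc_only" <<'EOF'
[realms]
    EXAMPLE.COM = {
        kdc=slave-kdc
        kdc=master-kdc
    }
EOF

# Constructed: the working form, master_kdc named explicitly.
cat > "$demo_dir/krb5.conf.fixed" <<'EOF'
[realms]
    EXAMPLE.COM = {
        kdc = slave-kdc
        master_kdc = master-kdc
        admin_server = master-kdc
    }
    OTHER.ORG = {
        kdc = kdc.other.org
    }
EOF

for f in broken kdc_only fixed; do
    if realm_has_master_kdc "$demo_dir/krb5.conf.$f" EXAMPLE.COM; then
        echo "$f: master_kdc set; retry after the password change reaches the master"
    else
        echo "$f: no master_kdc; retry after the password change goes to slaves only"
    fi
done
```

Point krb5_realm_get at /etc/krb5.conf and your realm to audit a real client. Since MIT krb5 1.19 the relation is spelled primary_kdc, with master_kdc still accepted as an alias; a checker for current releases should look for either name.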


Re: Changing password using slave KDC

2007-11-01 Thread Sachin Punadikar
Hi Jeffrey,

I carried out the change. Added an entry of "kdc=master-kdc" after the
existing "kdc=slave-kdc". But it still fails to get a ticket with the new
password.
It works fine when "master_kdc=master-kdc" exists.

So is it expected behavior?
Thanks in advance.

- Sachin.

On 11/1/07, Jeffrey Altman <[EMAIL PROTECTED]> wrote:
>
> Please do not send non-development requests to the krbdev mailing list.
>
> Slave databases are read-only.  Only the master database can be used
> for password change.  The master kdc must be listed in the KDC list
> either as an additional
>
>   kdc=master-kdc
>
> or
>
>   master_kdc=master-kdc
>
> entry or both.
>
> Jeffrey Altman
>
>
> Sachin Punadikar wrote:
> > Hello,
> >
> > I have Kerberos (MIT 1.5.4 release) configured as master and slave. At the
> > client side krb5.conf file I am mentioning kdc=slave-kdc. And this is the
> > only entry in the krb5.conf file which talks about KDC.
> > In this scenario if the attribute "needchange" is set then, it prompts for
> > the password change but finally it fails to get the ticket with the newly
> > changed password. This may be because it is trying to get the ticket from
> > the slave. But slave will not have updated database at that moment.
> > So is it recommended to try for password change, only when "master_kdc"
> > entry in the krb5.conf file exists?
> > Or is there any mechanism by which one can update slave KDC database
> > instantaneously, so above scenario will work ?
> >
> > Please advise.
> >
> > - Sachin.
> > ___
> > krbdev mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
>



Re: Changing password using slave KDC

2007-11-01 Thread Jeffrey Altman
Please do not send non-development requests to the krbdev mailing list.

Slave databases are read-only.  Only the master database can be used
for password change.  The master kdc must be listed in the KDC list
either as an additional

  kdc=master-kdc

or

  master_kdc=master-kdc

entry or both.

Jeffrey Altman


Sachin Punadikar wrote:
> Hello,
> 
> I have Kerberos (MIT 1.5.4 release) configured as master and slave. At the
> client side krb5.conf file I am mentioning kdc=slave-kdc. And this is the
> only entry in the krb5.conf file which talks about KDC.
> In this scenario if the attribute "needchange" is set then, it prompts for
> the password change but finally it fails to get the ticket with the newly
> changed password. This may be because it is trying to get the ticket from
> the slave. But slave will not have updated database at that moment.
> So is it recommended to try for password change, only when "master_kdc"
> entry in the krb5.conf file exists?
> Or is there any mechanism by which one can update slave KDC database
> instantaneously, so above scenario will work ?
> 
> Please advise.
> 
> - Sachin.




Changing password using slave KDC

2007-11-01 Thread Sachin Punadikar
Hello,

I have Kerberos (MIT 1.5.4 release) configured as master and slave. At the
client side krb5.conf file I am mentioning kdc=slave-kdc. And this is the
only entry in the krb5.conf file which talks about KDC.
In this scenario if the attribute "needchange" is set then, it prompts for
the password change but finally it fails to get the ticket with the newly
changed password. This may be because it is trying to get the ticket from
the slave. But slave will not have updated database at that moment.
So is it recommended to try for password change, only when "master_kdc"
entry in the krb5.conf file exists?
Or is there any mechanism by which one can update slave KDC database
instantaneously, so above scenario will work ?

Please advise.

- Sachin.



Re: regarding Kerberos APIs

2007-11-01 Thread Jeffrey Altman
What API calls of MIT Kerberos are you using?

The SSPI provides functionality similar to the GSSAPI provided by MIT
Kerberos.

Jeffrey Altman


Prerana wrote:
> Hello,
>
> Initially I started porting MIT Kerberos on Windows CE. I got many replies
> that Windows CE has its own Kerberos APIs (called SSPI). But I am a little
> confused about the APIs explored by MIT Kerberos matching with Windows CE
> Kerberos APIs.
>
> I want to replace all the API calls of MIT Kerberos (in my application) to
> API calls with WIN CE Kerberos.
>
> Does anyone know about it?
>
>  
>
> Regards,
>
> Prerana
>

