Re: SSH and The requires_pre_auth attribute

2020-11-23 Thread Russ Allbery
"Dan Mahoney (Gushi)" writes: > 1) Is my "if it's on the host entry, it must be on the user entry" > basically accurate? Yes. Therefore, because of this, unless you are *certain* that every principal that needs to authenticate to another principal will have requires pre-auth set, you should no

RE: SSH using Kerberos in 2 AD domains

2019-08-19 Thread Bruno Monteiro
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SSH using Kerberos in 2 AD domains

2019-08-18 Thread Greg Hudson
The text of this message seems to have been eaten by the mailing list software (perhaps it was sent as an attachment?); I have it from the moderation queue. For historical reasons, auth_to_local rules are read from the default realm, not the realm of the principal being authorized. So you need to

Re: SSH and short-name machine credentials

2014-05-30 Thread Greg Hudson
On 05/30/2014 09:58 AM, Jaap wrote: > When SSH with Kerberos authentication is used, how can destination hosts > with short-name machine credentials be accessed? In krb5 1.12, we support dns_canonicalize_hostname=false in the [libdefaults] section of krb5.conf. This disables all canonicalization

Re: SSH and short-name machine credentials

2014-05-30 Thread Benjamin Kaduk
On Fri, 30 May 2014, Jaap wrote: > Hi folks, > > When SSH with Kerberos authentication is used, how can destination hosts > with short-name machine credentials be accessed? > > For example, when the destination host has machine credentials in the > form "host/.@" accessing it with SSH is no proble

Re: ssh with expired tgt

2013-02-15 Thread Frank Cusack
Windows clients will handle this automatically by giving the user the kerberos password prompt. In that case it's done in the kerb library. For unix (and mac) clients this doesn't happen. The easiest solution is to wrap the ssh binary with an expiration checker tool. Another route is to deploy

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-08 Thread Greg Hudson
On 08/08/2012 12:33 PM, Greg Hudson wrote: > If the server is running krb5 1.7 or later, this kind of problem should > result in a "Wrong principal in request" error in the sshd output (which > is still not very clear, but at least helps distinguish the problem from > sshd trying to acquire the wro

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-08 Thread Greg Hudson
On 08/08/2012 12:03 PM, Matt Garman wrote: > I don't know enough about how Kerberos works, but I'll speculate a > guess as to what was wrong yesterday: after a failed gssapi-with-mic > login attempt, some "residual stuff" gets attached to the original > TGT, some kind of "cache" of the "permission

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-08 Thread Matt Garman
On Tue, Aug 7, 2012 at 11:40 PM, Greg Hudson wrote: > On 08/07/2012 01:23 PM, Matt Garman wrote: >> [root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts >> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11 >> [root@lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts >> 192.168.187.67 l

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-07 Thread Greg Hudson
On 08/07/2012 01:23 PM, Matt Garman wrote: > [root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts > 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11 > [root@lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts > 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11 > [root@lnxsvr11 ~]#

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-07 Thread Matt Garman
On Tue, Aug 7, 2012 at 1:21 PM, Simo Sorce wrote: > On Tue, 2012-08-07 at 12:58 -0500, Matt Garman wrote: >> On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce wrote: >> > What does the 'hostname' command return on your machine ? >> > >> [root@lnxsvr11 ~]# hostname >> lnxsvr11 >> >> [root@lnxsvr11 ~]# h

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 12:58 -0500, Matt Garman wrote: > On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce wrote: > > What does the 'hostname' command return on your machine ? > > > > Simo. > > > [root@lnxsvr11 ~]# hostname > lnxsvr11 > > [root@lnxsvr11 ~]# hostname -s > lnxsvr11 > > [root@lnxsvr11 ~

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-07 Thread Matt Garman
On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce wrote: > What does the 'hostname' command return on your machine ? > > Simo. [root@lnxsvr11 ~]# hostname lnxsvr11 [root@lnxsvr11 ~]# hostname -s lnxsvr11 [root@lnxsvr11 ~]# hostname -f lnxsvr11.mydomain.com -Matt

Re: ssh gssapi-with-mic and "Key table entry not found"

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 12:23 -0500, Matt Garman wrote: > Hi, > > I'm trying to get ssh working using gssapi-with-mic authentication. I have > about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4 > mounts with "krb5p" security. All these machines mount the same NFSv4 share > (thi

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Greg Hudson
On Thu, 2011-09-01 at 19:11 -0400, Russ Allbery wrote: > Okay, this is indeed all being handled internally by the Kerberos library. > Maybe one of the MIT Kerberos folks can comment about how errors are > reported through the Kerberos prompter facility. If a password change fails with a "soft erro

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Russ Allbery
Andreas Ntaflos writes: > On 2011-09-02 01:11, Russ Allbery wrote: >> A workaround would be to set defer_pwchange in the PAM options, which I >> believe ssh will handle correctly and which will restore control over >> the messaging to the PAM module. However, read the caveats for that >> option

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Andreas Ntaflos
On 2011-09-02 01:11, Russ Allbery wrote: > The problem from SSH's perspective is that since it's doing an > authentication, not a password change, it doesn't know that the password > change failed. All that PAM can tell it is that the authentication > failed, not why (in this case a forced and fai

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Andreas Ntaflos
On 2011-09-02 00:42, Russ Allbery wrote: > Andreas Ntaflos writes: > >> However, when a policy is set, and the user's new password does not >> conform to that policy, SSH does not inform the user of the problem, it >> simply re-prompts for the original password and then asks for a new >> password

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Russ Allbery
Andreas Ntaflos writes: > It seems indeed that SSH gets informed that the password change failed, > but doesn't know much else. I don't see a message prefixed with > "krb5_change_password", I'm afraid. Okay, this is indeed all being handled internally by the Kerberos library. Maybe one of the MI

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Russ Allbery
Andreas Ntaflos writes: > However, when a policy is set, and the user's new password does not > conform to that policy, SSH does not inform the user of the problem, it > simply re-prompts for the original password and then asks for a new > password again. Naturally, a user will find this confusin

Re: SSH mediated Kerberos authenticated sudo.

2011-05-16 Thread Frank Cusack
On Fri, May 13, 2011 at 12:08 AM, wrote: > The next release will have a PAM module which handles the > authentication of the forwarded AP-REQ packet. That will eliminate > the need for the sudo patch and provide a general mechanism for any > application to leverage this system. > That sounds gr

Re: SSH mediated Kerberos authenticated sudo.

2011-05-13 Thread g . w
On May 11, 1:00pm, Frank Cusack wrote: } Subject: Re: SSH mediated Kerberos authenticated sudo. > On Wed, Dec 22, 2010 at 10:31 AM, wrote: > > > ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz > > > Revisiting this. Hi Frank, hope the week has gone well for you a

Re: SSH mediated Kerberos authenticated sudo.

2011-05-11 Thread Frank Cusack
On Wed, Dec 22, 2010 at 10:31 AM, wrote: > ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz > Revisiting this. In my followup idea on having the server initiate the request for the fresh credential, any thoughts on how to present a secure UI to the user so that he knows this is ACTUALLY a lo

Re: ssh to IP literal

2010-12-31 Thread Victor Sudakov
Greg Hudson wrote: [dd] > > But earlier you said that DNS-canonicalization of the gethostname() is > > used. If we have no DNS, who will canonicalize the hostname? > That's shorthand because so many installations use DNS for hostname > resolution. Heimdal uses getaddrinfo() for its canonicaliza

Re: ssh to IP literal

2010-12-22 Thread Greg Hudson
On Tue, 2010-12-21 at 22:57 -0500, Victor Sudakov wrote: > This setting must be specific to MIT Kerberos, I don't see it in Heimdal. Whoops, sorry, in your initial message you said you were using Heimdal, but I missed it. Heimdal appears to perform a forward canonicalization but never a reverse l

Re: ssh to IP literal

2010-12-22 Thread Victor Sudakov
Greg Hudson wrote: > > How does a service figure out the local hostname? > When they specify one at all, they generally call gethostname(), which > the library canonicalizes through a forward and reverse name lookup. > (The reverse part can be suppressed by setting rdns = false in > [libdefaults]

Re: ssh to IP literal

2010-12-21 Thread Greg Hudson
On Tue, 2010-12-21 at 00:28 -0500, Victor Sudakov wrote: > How does a service figure out the local hostname? When they specify one at all, they generally call gethostname(), which the library canonicalizes through a forward and reverse name lookup. (The reverse part can be suppressed by setting rd

Re: ssh to IP literal

2010-12-21 Thread Victor Sudakov
Russ Allbery wrote: [dd] > > And another question. If a Kerberos-enabled server has several > > principals in its keytab, how exactly does it decide which one to > > use? > It uses whatever one the client uses, in general. There are some services > that limit what principals they'll accept to o

Re: ssh to IP literal

2010-12-19 Thread Greg Hudson
On Sun, 2010-12-19 at 14:36 -0500, Russ Allbery wrote: > It uses whatever one the client uses, in general. Actually, as of MIT krb5 1.7, we usually ignore the principal sent by the client, because it might be an alias. If the server application doesn't specify a principal, we just try every entry

Re: ssh to IP literal

2010-12-19 Thread Russ Allbery
Victor Sudakov writes: > Russ Allbery wrote: >> If you add an explicit domain_realm mapping for each IP address to the >> [domain_realm] section of your krb5.conf file, it will probably work, but >> it's generally a much better idea to use real host names (possibly in some >> private domain endin

Re: ssh to IP literal

2010-12-19 Thread Victor Sudakov
Russ Allbery wrote: [dd] > If you add an explicit domain_realm mapping for each IP address to the > [domain_realm] section of your krb5.conf file, it will probably work, but > it's generally a much better idea to use real host names (possibly in some > private domain ending in .local or some simi

Re: ssh to IP literal

2010-12-14 Thread Brian Candler
On Mon, Dec 13, 2010 at 06:52:08AM +, Victor Sudakov wrote: > I still don't quite understand why it should try to contact a weird > realm while I have > > [libdefaults] > default_realm = SIBPTUS.TOMSK.RU > > in /etc/krb5.conf. Shouldn't it request a ticket for > host/10.14.13...@sibptus.tom

Re: ssh to IP literal

2010-12-13 Thread Victor Sudakov
Russ Allbery wrote: > > Is it a bad thing to use IP literals as Kerberos principals? > Well, it poses a problem for domain to realm mappings, as you've seen. > > However, I am curious. When I try to "ssh u...@10.14.134.5", a very > > strange ticket is being requested from the KDC: > > 2010-12-13

Re: ssh to IP literal

2010-12-13 Thread Nicolas Williams
On Mon, Dec 13, 2010 at 01:03:17PM -0500, Greg Hudson wrote: > On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote: > > Well, it poses a problem for domain to realm mappings, as you've seen. > > What Russ says is true, but on top of that, the Kerberos library also > needs to know what service ti

Re: ssh to IP literal

2010-12-13 Thread Greg Hudson
On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote: > Well, it poses a problem for domain to realm mappings, as you've seen. What Russ says is true, but on top of that, the Kerberos library also needs to know what service ticket to ask for. It's likely that the client tried to get tickets for

Re: ssh to IP literal

2010-12-12 Thread Russ Allbery
Victor Sudakov writes: > Is it a bad thing to use IP literals as Kerberos principals? Well, it poses a problem for domain to realm mappings, as you've seen. > However, I am curious. When I try to "ssh u...@10.14.134.5", a very > strange ticket is being requested from the KDC: > 2010-12-13T09:1

Re: ssh GSSAPI and auth_to_local

2010-09-29 Thread Tom Parker
On 09/29/2010 10:34 AM, Douglas E. Engert wrote: > > On 9/27/2010 8:11 PM, Tom Parker wrote: >> I apologize for the long posting. I am stumped here and my scenario >> is a bit complex. >> >> As I am sure the list has noticed from all my questions, in the past few >> weeks I have been trying

Re: ssh GSSAPI and auth_to_local

2010-09-29 Thread Douglas E. Engert
On 9/27/2010 8:11 PM, Tom Parker wrote: >I apologize for the long posting. I am stumped here and my scenario > is a bit complex. > > As I am sure the list has noticed from all my questions, in the past few > weeks I have been trying to build a distributed Kerberos/LDAP system > with hosts sc

Re: ssh GSSAPI and auth_to_local

2010-09-28 Thread Greg Hudson
On Mon, 2010-09-27 at 21:11 -0400, Tom Parker wrote: > [realms] > CENTRAL = { > auth_to_local = RULE:[1:$...@central] > auth_to_local = RULE:[2:$...@central] > } > > This works great for ssh with passwords but it has totally broken the > GSSAPI Single S

Re: SSH with Kerberos from Windows XP

2008-09-15 Thread Douglas E. Engert
Mantas Mikulėnas wrote: > Hello everyone. I'm new here, so please don't hurt me. > > I want to use Kerberos authentication when SSHing from a home Windows XP > machine to a remote network. How do I configure my PC? > > > > Client PC: > * Microsoft Windows XP Pro SP3 > * stand-alone home PC (d

Re: SSH configuration

2008-08-04 Thread Abhishek Chowdhury
> I am getting "No Valid Key Exchange Context" > Seb-27 wrote: > > On 2008-07-29, bodik <[EMAIL PROTECTED]> wrote: >> * sshd_config >> KerberosAuthentication yes >> KerberosOrLocalPasswd yes >> KerberosTicketCleanup yes > > that's for Kerberos 4; for version 5 you need: > > GSSAPIAuthen

RE: SSH configuration

2008-07-30 Thread Paul Moore
Sent: Wednesday, July 30, 2008 7:05 AM To: kerberos@mit.edu Subject: Re: SSH configuration > I am getting the initial krbtgt ticket and the service ticket also when > I am trying to do ssh. But still the ssh is asking for password. I > have done the configuration required in the ssh and

Re: SSH configuration

2008-07-30 Thread Abhishek Chowdhury
> I am getting the initial krbtgt ticket and the service ticket also when I > am trying to do ssh. But still the ssh is asking for password. I have done > the configuration required in the ssh and sshd file. > > bodik wrote: > > hi, > > I think that you also need: > > * krb5.conf > a prop

Re: SSH configuration

2008-07-29 Thread Seb
On 2008-07-29, bodik <[EMAIL PROTECTED]> wrote: > * sshd_config > KerberosAuthentication yes > KerberosOrLocalPasswd yes > KerberosTicketCleanup yes that's for Kerberos 4; for version 5 you need: GSSAPIAuthentication yes GSSAPICleanupCredentials yes Cheers, --Seb

Re: SSH configuration

2008-07-29 Thread bodik
Hi, I think that you also need: * krb5.conf a proper configuration for your realm * sshd_config KerberosAuthentication yes KerberosOrLocalPasswd yes KerberosTicketCleanup yes * ssh_config GSSAPIAuthentication yes GSSAPIDelegateCredentials yes * pam.d/ssh pam_krb5.so * krb5.keytab service k

Re: SSH configuration

2008-07-29 Thread Edward Irvine
Hi, On 29/07/2008, at 6:43 PM, Abhishek Chowdhury wrote: > > I want to configure passwordless ssh after successful kinit. > > for that I have to change configurations in etc/ssh_config: > > > GSSAPIAuthentication yes > GSSAPIDelegateCredentials yes > > but we don't have these options in ssh_config

RE: ssh publickey auth w/ kerb

2008-06-02 Thread Whitehead, Brian
Thank you for the clarification. Brian > -Original Message- > From: Tom Yu [mailto:[EMAIL PROTECTED] > Sent: Monday, June 02, 2008 1:55 PM > To: Whitehead, Brian > Cc: Douglas E. Engert; kerberos@MIT.EDU > Subject: Re: ssh publickey auth w/ kerb > >

Re: ssh publickey auth w/ kerb

2008-06-02 Thread Tom Yu
"Whitehead, Brian" <[EMAIL PROTECTED]> writes: > I'm thinking of the server being ssh'd to ask a kerberos client, because > it is authenticating the user against the AD server using kerberos. Are you considering the ssh server to be a Kerberos client? While that may be a valid interpretation,

RE: ssh publickey auth w/ kerb

2008-06-02 Thread Whitehead, Brian
To: Whitehead, Brian > Cc: kerberos@mit.edu > Subject: Re: ssh publickey auth w/ kerb > > > > Brian Whitehead wrote: > > Using ssh -vvv shows that the public key is working, but no matter > > what I'm prompted for a password. > > > >

Re: ssh publickey auth w/ kerb

2008-06-02 Thread Douglas E. Engert
Brian Whitehead wrote: > Using ssh -vvv shows that the public key is working, but no matter what > I'm prompted for a password. > > Also, is a keytab file from the AD server with the client principal > absolutely necessary? With the client? No. Keytabs normally have service principals, used

Re: SSH, expired pwd, change rejected

2007-09-18 Thread Russ Allbery
[EMAIL PROTECTED] writes: > SSH seems to use passwd to change the password, which seems to behave > quite differently on each machine. Sometimes, this works pretty well, but > most of the time, the password is rejected. This is not a matter of a badly > chosen pwd. ssh is probably not using passwd.

Re: ssh from windows xp (putty with kerberos) using NetIDMgr 1.1.8.0 (Kerberos for windows 3.1)

2007-02-23 Thread Jeffrey Altman
You can find the version I built at http://web.mit.edu/jaltman/Public/putty-with-gssapi/ Jeffrey Altman

Re: ssh from windows xp (putty with kerberos) using NetIDMgr 1.1.8.0 (Kerberos for windows 3.1)

2007-02-23 Thread Jeffrey Altman
Greg Sullivan wrote: > Has anyone got a version of putty to work with the Kerberos for > Windows release 3.1? > I'm running win xp and am able to get my kerberos 5 tokens fine (from > CSAIL.MIT.EDU) in NetIDMgr, but I've tried various supposedly > kerberos-aware versions of putty with no luck

Re: SSH with Multiple Interfaces

2007-01-18 Thread Edward Murrell
Since I googled for this and couldn't find anything, I thought I'd post my results. Essentially, you have to set the hostname to the external interface, because otherwise anyone on the general internet will not ever see the internal DNS name (assuming you're keeping your internal DNS off the intern

Re: SSH with Multiple Interfaces

2007-01-18 Thread Edward Murrell
Nicolas Williams wrote: > Give your server host/f.q.d.n principals and keytab entries for all its > interfaces' canonical names. > Did that. SSH ignores them. > And get a client that knows how to decode the SSH_MSG_KEXGSS_ERROR > message :) > > Nico > That's really not an option. In most cases

Re: SSH with Multiple Interfaces

2007-01-18 Thread Simon Wilkinson
On 18 Jan 2007, at 22:29, Russ Allbery wrote: > > Looks like you're running into this: > > > > I haven't heard anything further about this since this bug report, > and I'm > not sure if either Simon or OpenSSH upstream are interested.

Re: SSH with Multiple Interfaces

2007-01-18 Thread Russ Allbery
Edward Murrell <[EMAIL PROTECTED]> writes: > The problem stems from the fact that the host in question resides on > both an internal (10.0.0.0/8) and external network (general internet), > and has two host names associated with it; > 34.88.99.100 foogazzi.example.com > 10.0.0.1 foog

Re: SSH with Multiple Interfaces

2007-01-18 Thread Nicolas Williams
Give your server host/f.q.d.n principals and keytab entries for all its interfaces' canonical names. And get a client that knows how to decode the SSH_MSG_KEXGSS_ERROR message :) Nico

Re: SSH with auth_to_local on common account

2007-01-04 Thread Edward Murrell
*dips his toe into the chilly waters of the off topic stream That's true. However, the LDAP server is on a different continent, so nscd isn't going to help that much. Well, it will, but it's not the entire solution. I have idly wondered sometimes if MS wasn't onto something with stuffing authent

Re: SSH with auth_to_local on common account

2007-01-04 Thread Bjoern Tore Sund
The solution is to have nscd running. At least that solved the issue for me. -BT Edward Murrell wrote: > In the interests of helping people with the same problem in the > future... I thought I'd post where I'm up to with this. > > So, pam_krb5 isn't sufficient to do this job. It would appear

Re: SSH with auth_to_local on common account

2007-01-03 Thread Edward Murrell
In the interests of helping people with the same problem in the future... I thought I'd post where I'm up to with this. So, pam_krb5 isn't sufficient to do this job. It would appear that SSH uses NSS to look up a list of users that do exist on the system. Since my local user doesn't exist, SSH al

Re: SSH Problem with Kerberos

2006-03-16 Thread Barry Allard
Hi Konstantin, Try this http://www.stanford.edu/services/afs/sysadmin/install/redhat.html Kind Regards, Barry Allard Konstantin Boyanov wrote: >Hi there, > >I'm really new to all this Kerberos thing, so in the next sentences you may >find some true luser talk. Please forgive me :) > >I'm trying

Re: SSH issue

2006-01-17 Thread Marcel Koopmans
Hello Douglas, It seems it is because of an entry in my /etc/hosts file on hephaestus. My server zeus.home.elysium-os.nl is known on the internet as pki.elysium-os.nl. So I added pki.elysium-os.nl to my /etc/hosts to make sure that I no longer get pop-ups about incorrect SSL certificates on Ap

Re: SSH issue

2006-01-17 Thread Douglas E. Engert
Marcel Koopmans wrote: > Hello Klaas, > > hephaestus runs MacOSX 10.4.4 so the /etc/krb5.conf file is named > /Library/Preferences/edu.mit.Kerberos but it looks ok > > [libdefaults] > default_realm = HOME.ELYSIUM-OS.NL > > [realms] > HOME.ELYSIUM-OS.NL = { >kdc = zeus.home.elysium-os.n

Re: SSH issue

2006-01-17 Thread Ken Raeburn
On Jan 17, 2006, at 13:24, Marcel Koopmans wrote: > Jan 17 19:16:48 zeus krb5kdc[2170](info): TGS_REQ (7 etypes {18 17 > 16 23 1 3 2}) 172.20.1.5: UNKNOWN_SERVER: authtime 1137492150, > [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED] > OS.NL, Server not found in Kerberos database Looks like i

Re: SSH issue

2006-01-17 Thread Klaas Hagemann
Hello Marcel, Marcel Koopmans schrieb: > > [domain_realm] > home.elysium-os.nl = HOME.ELYSIUM-OS.NL > .home.elysium-os.nl = HOME.ELYSIUM-OS.NL ok > Jan 17 19:16:48 zeus krb5kdc[2170](info): TGS_REQ (7 etypes {18 17 16 > 23 1 3 2}) 172.20.1.5: UNKNOWN_SERVER: authtime 1137492150, > [EMAIL P

Re: SSH issue

2006-01-17 Thread Marcel Koopmans
Hello Klaas, hephaestus runs MacOSX 10.4.4 so the /etc/krb5.conf file is named /Library/Preferences/edu.mit.Kerberos but it looks ok [libdefaults] default_realm = HOME.ELYSIUM-OS.NL [realms] HOME.ELYSIUM-OS.NL = { kdc = zeus.home.elysium-os.nl:88 admin_server = zeus.home.elysium-os.nl

Re: SSH issue

2006-01-17 Thread Klaas Hagemann
Hi Marcel, check the domain-realm mapping in /etc/krb5.conf, maybe something there is wrong. Then you can monitor krb5kdc.log while trying to access zeus and see what's going on. Does principal marcel get a service ticket for zeus? - Klaas Marcel Koopmans wrote: > Hello everybody, > > I ha

Re: SSH issue

2006-01-17 Thread Marcel Koopmans
Hello Kenneth, I only have one single realm and all names in my realm use FQDNs. Filtered list of principals: host/[EMAIL PROTECTED] host/[EMAIL PROTECTED] host/[EMAIL PROTECTED] ssh/[EMAIL PROTECTED] ssh/[EMAIL PROTECTED] [EMAIL PROTECTED] with kind regards, Marcel Kenneth Grady wrote:

Re: SSH issue

2006-01-17 Thread Marcel Koopmans
Hello Vladimir, /etc/krb5.keytab did exist. Just for safety I did re-create it. It has host/[EMAIL PROTECTED] and ssh/[EMAIL PROTECTED] but it still does not solve the issue. with kind regards, Marcel Vladimir Terziev wrote: You don't have keytab installed on zeus On Tue, 17

Re: SSH issue

2006-01-17 Thread Vladimir Terziev
You don't have a keytab installed on zeus On Tue, 17 Jan 2006 16:38:38 +0100 Marcel Koopmans <[EMAIL PROTECTED]> wrote: > Hello everybody, > > I have an issue with ssh to another computer > I use 3 computers, > > 1 zeus, the KDC that has sshd running > 2 hades, server that has sshd runn

Re: ssh-gssapi fails when user have "instance " part

2005-12-14 Thread Russ Allbery
jay alvarez <[EMAIL PROTECTED]> writes: > I created a user with an instance "mis" > jay/[EMAIL PROTECTED] > and tried ssh'ing to one machine configured to accept gssapi ssh > authentication, however, to my surprise, gssapi authentication > failed. Is there a .k5login file in jay's hom

Re: ssh using gssapi athentication without local account existing on the target machine

2005-12-13 Thread Douglas E. Engert
jay alvarez wrote: Hi, I already got it working but ssh requires local accounts to exist on the machine for it to actually > allow anyone authenticated to have an ssh session. Can this be done, let's say machine A doesn't have > any user account. Now I will ssh to machine A and authenti

Re: SSH and Kerberos in Solaris 9

2005-11-03 Thread Robert Setterlund
I did and thanks. I now have a working krb5.conf file. I am able to run the kinit command and obtain a TGT. Now I have to get the Kerberos log on process working. Thanks for your help. If you write me back, I will be on vacation 11/4 - 11/14 and will respond after I get back. On 11/2/05, Will Five

Re: SSH and Kerberos in Solaris 9

2005-11-02 Thread Will Fiveash
On Wed, Nov 02, 2005 at 08:22:57AM -0800, [EMAIL PROTECTED] wrote: > Henrik, > > Unfortunately, I do not have any advice for you about your problem. > But I am working on getting Kerberos configured and have problems of my > own. I ran across your posting and thought that you might be able to > g

Re: SSH and Kerberos in Solaris 9

2005-11-02 Thread rsetterlund
Henrik, Unfortunately, I do not have any advice for you about your problem. But I am working on getting Kerberos configured and have problems of my own. I ran across your posting and thought that you might be able to give me some help. I am using SEAM on a Solaris 9.0 system. I have tried to

Re: SSH and Kerberos in Solaris 9

2005-10-26 Thread Douglas E. Engert
What is the rest of the environment? Is this all SEAM? Are your KDCs MIT, Heimdal or Windows ADs? We use the MIT Kerberos code on Solaris 9, but on Solaris 10 we have been able to use the Solaris Kerberos support. What version of SSH are you using? henrik wrote: Hello I have kerberos

Re: ssh kerberos + forwarding ticket

2004-12-06 Thread Douglas E. Engert
Frederic Medery wrote: Hello, openssh version : openssh-3.9p1 kerberos : krb5-server-1.2.7-28 on Redhat AS V3 I can connect from station1 to server1 using kerberos auth. But the tgt is not forwarded (even with kinit -f). Server1 has a princ (host/server1) in the krb5 DB and krb5.keytab. I though

Re: ssh-krb5 problems

2004-09-22 Thread dkuhl
Valid point about the user though. The user does need to exist on the target machine. I tend to create them with "adduser --disabled-password " so that the kerberos ticket is the only method by which they can access the machine. Limits the entry. D. David Kuhl Parity Systems [EMAIL PROTECTE

Re: ssh-krb5 problems

2004-09-22 Thread Douglas E. Engert
rachel elizabeth dillon wrote: I just tested this properly with a 1.3.4 implementation I built for someone else recently; I was incorrect. The only time that the KDC is not queried is if you do not have tickets to begin with. If you have valid realm tickets but try to log in with something like "s

Re: ssh-krb5 problems

2004-09-22 Thread Douglas E. Engert
Ken Raeburn wrote: On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote: 1. Are you trying to ssh as a user that exists on the other machine? If the user does not exist in the other machine's /etc/passwd, then I don't believe the KDC will ever be queried. That sounds like an undesirable leak

Re: ssh-krb5 problems

2004-09-21 Thread rachel elizabeth dillon
I just tested this properly with a 1.3.4 implementation I built for someone else recently; I was incorrect. The only time that the KDC is not queried is if you do not have tickets to begin with. If you have valid realm tickets but try to log in with something like "ssh -l fakename valid.host.com",

Re: ssh-krb5 problems

2004-09-21 Thread Ken Raeburn
On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote: 1. Are you trying to ssh as a user that exists on the other machine? If the user does not exist in the other machine's /etc/passwd, then I don't believe the KDC will ever be queried. That sounds like an undesirable leak of information from t

Re: ssh-krb5 problems

2004-09-21 Thread rachel elizabeth dillon
I am not entirely sure what your situation or problem is, but here are some things you might try: 1. Are you trying to ssh as a user that exists on the other machine? If the user does not exist in the other machine's /etc/passwd, then I don't believe the KDC will ever be queried. 2. ssh -v -v -v

Re: ssh-krb5 problems

2004-09-21 Thread dkuhl
Do a "ssh -v hostname 2> ssh-log" and send that along so we can see the errors. The "2> ssh-log" part will re-direct standard error to a file called ssh-log. You should double check that each machine has the correct keytab. "k5srvutil list" will show the tickets on the local machine's keytab

Re: ssh-krb5 problems

2004-09-21 Thread ghe
Hi people, > I don't understand your answer Sorry... I will try to explain better... > On Tuesday 21 September 2004 01:31, Ghe Rivero wrote: >> On Mon, 20-09-2004 at 15:27 -0500, Luis Daniel Lucio Quiroz wrote: >> > do you have your host/fqdn.server2 realm done? or your >> > ssh/fqdn.se

Re: ssh-krb5 problems

2004-09-20 Thread Luis Daniel Lucio Quiroz
do you have your host/fqdn.server2 realm done? or your ssh/fqdn.server2? On Sunday 19 September 2004 05:00, [EMAIL PROTECTED] wrote: > Hi people, > thanks to all of you that helped me some days ago. Now, I have a smaller > problem, but still it is a problem. > > Scenario: 1 KDC, and two

Re: SSH with K5/AFS: anyone?

2004-08-27 Thread Sensei
Douglas E. Engert wrote: > Since you are hiding your identity, I am reluctant to continue this > discussion. If you want help, you will need to show others on this list > what you have done first. You can use my academic mail [EMAIL PROTECTED] but I cannot use it outside my university. So, I bega

Re: SSH with K5/AFS: anyone?

2004-08-27 Thread Jens Kleineheismann
Hej hej, Sensei <[EMAIL PROTECTED]> wrote: > Hi. I don't have luck with SSH and K5/AFS. I'm trying to make a > passwordless ssh trusting the k5 tickets and granting the access to afs > using aklog (pam_openafs_session). I had problems too, after upgrading openssh from 3.6 to 3.8, that drove me

Re: SSH with K5/AFS: anyone?

2004-08-27 Thread Douglas E. Engert
Sensei wrote: Douglas E. Engert wrote: See http://bugzilla.mindrot.org/show_bug.cgi?id=918 Ok, but it doesn't work. Not with the patch, not with gssapi, not with pam, not with anything. Yes use it all the time with gssapi. So how come you have it working? What are your settings? Since yo

Re: SSH with K5/AFS: anyone?

2004-08-26 Thread Sensei
Douglas E. Engert wrote: > See http://bugzilla.mindrot.org/show_bug.cgi?id=918 Ok, but it doesn't work. Not with the patch, not with gssapi, not with pam, not with anything. > Yes use it all the time with gssapi. So how come you have it working? What are your settings? I'm quite bored of s

Re: SSH with K5/AFS: anyone?

2004-08-25 Thread Douglas E. Engert
Sensei wrote: Hi. I don't have luck with SSH and K5/AFS. I'm trying to make a passwordless ssh trusting the k5 tickets and granting the access to afs using aklog (pam_openafs_session). I have these configuration: server with debian stable, ssh 3.6 --- clients with gentoo ssh 3.9, nothing seems

Re: Ssh trouble with forwarding

2003-09-02 Thread Donn Cave
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Matthijs Mohlmann) wrote: > On Tue, 2003-09-02 at 05:12, Donn Cave wrote: > > Quoth [EMAIL PROTECTED] (Matthijs Mohlmann): > > ... > > | Now when i try to login to my ssh service with the following command: > > | [EMAIL PROTECTED]:~$ ssh -A -K act

Re: Ssh trouble with forwarding

2003-09-02 Thread Matthijs Mohlmann
On Tue, 2003-09-02 at 05:12, Donn Cave wrote: > Quoth [EMAIL PROTECTED] (Matthijs Mohlmann): > > | I have trouble with ssh and forwarding. > ... > | Now when I try to login to my ssh service with the following command: > | [EMAIL PROTECTED]:~$ ssh -A -K active2.active2.homelinux.org > | Password: >

Re: Ssh trouble with forwarding

2003-09-02 Thread Donn Cave
Quoth [EMAIL PROTECTED] (Matthijs Mohlmann): | I have trouble with ssh and forwarding. ... | Now when I try to login to my ssh service with the following command: | [EMAIL PROTECTED]:~$ ssh -A -K active2.active2.homelinux.org | Password: | | I don't want that password prompt. My ticket is enough to

Re: SSH as root with different principal SOLVED

2003-07-31 Thread Lukas Kubin
Thanks to everybody who helped me to solve it. The only thing I didn't understand first was to add the host principal's key of the server I wanted to connect to to /etc/krb5.keytab on that server. What helped me most was to run the sshd daemon with hig

Re: SSH as root with different principal

2003-07-31 Thread Lukas Kubin
On Thu, 31 Jul 2003, Vladimir Terziev wrote: > > Your ssh client has not even tried to use kerberos. I have the following questions: > > 1. Did you make `kinit' before ssh? You have to get a ticket before trying kerberized > ssh. Yes, I did. > 2. Wo

Re: SSH as root with different principal

2003-07-31 Thread Lukas Kubin
On Thu, 31 Jul 2003, Chris Clausen wrote: > Lukas Kubin <[EMAIL PROTECTED]> wrote: > > > > On Thu, 31 Jul 2003, Christopher D. Clausen wrote: > > > >> Did you do "apt-get install ssh-krb5" ? > > >

Re: SSH as root with different principal

2003-07-31 Thread Vladimir Terziev
Your ssh client has not even tried to use kerberos. I have the following questions: 1. Did you make `kinit' before ssh? You have to get a ticket before trying kerberized ssh. 2. Would you supply the result from "ldd `which ssh`" ? Vlady On Thu, 31 Jul 2003 11:33:42 +0200 (CEST) Lukas K

Re: SSH as root with different principal

2003-07-31 Thread Lukas Kubin
On Thu, 31 Jul 2003, Vladimir Terziev wrote: > > Please supply the full debug output from `ssh -v' and I'll try to figure out the > problem. > > > Vlady OK, thank you. The output follows: OpenSSH_3.6.1p2 Debian_krb5 3.6.1p2-1 Debian_krb5 3.
