Javier,

I'm trying ticket auth; password auth against AD (KDC) (krb+ldap pam)
is working fine:

mmezzano...@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzano...@vmwarelab.int

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/vmwarelab....@vmwarelab.int
        renew until 01/05/10 13:58:36
01/04/10 14:09:23  01/04/10 23:58:37  host/os112.vmwarelab....@vmwarelab.int
        renew until 01/05/10 13:58:36

I got these tickets doing ssh with password auth, but now that I have tickets
I want to use ssh without a password (just tickets).

thank you,
marcello

On Mon, Jan 4, 2010 at 3:41 PM, Javier Palacios <javi...@gmail.com> wrote:
>> login as: mmezzanotti
>> Using keyboard-interactive authentication.
>> Password:
>> Last login: Wed Dec 30 14:00:19 2009 from localhost
>> Have a lot of fun...
>> mmezzano...@os112:~> ls
>> bin      Documents  Music     Public       Templates
>> Desktop  Download   Pictures  public_html  Videos
>> mmezzano...@os112:~> klist
>> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
>> Default principal: mmezzano...@vmwarelab.int
>>
>> Valid starting     Expires            Service principal
>> 01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/vmwarelab....@vmwarelab.int
>>        renew until 01/05/10 13:58:36
>
> I'm not sure if you are actually testing ticket authentication, or
> just kerberos password authentication (by far much easier).
> To actually check what you want, I recommend you start working just on
> the linux node, and enter as whichever user. Then
> # kinit mmezzanotti
> # ssh mmezzano...@os112
> If it does ask you for password, then credential authentication is not
> working. And depending if your TGT was proxyable or not, you might
> even end with void output from klist.
>
> Someone answered about the need of a host keytab to achieve this. As
> far as I remember that is not mandatory for linux (or wasn't for a
> debian in 2004), but take it into account.
>
>> mmezzano...@os112:~> ssh -vvv mmezzano...@os112.vmwarelab.int
>>
>
> Try adding 'debug' to all pam.d lines on kerberos. That will produce
> much less verbose and hopefully more useful info.
>



-- 
Marcello Mezzanotti <marcello.mezzano...@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
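
As an added example (not code from this thread or from MIT Kerberos), a small Python parser for the klist output shown above: it reports whether a TGT is currently valid for the realm and whether the client has fetched a host/ service ticket for the ssh target, which is the piece of evidence Javier's kinit-then-ssh test relies on. The sample output is constructed, using the principal, host and realm names that appear in full elsewhere in the thread.

```python
import re
from datetime import datetime

# Constructed sample in the format of the klist output quoted in the thread,
# using the principal, host and realm names that appear in full elsewhere in it.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti@vmwarelab.int

Valid starting     Expires            Service principal
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/vmwarelab.int@vmwarelab.int
        renew until 01/05/10 13:58:36
01/04/10 14:09:23  01/04/10 23:58:37  host/os112.vmwarelab.int@vmwarelab.int
        renew until 01/05/10 13:58:36
"""

TS = "%m/%d/%y %H:%M:%S"                     # klist's default timestamp format
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW = re.compile(rf"^\s+renew until ({STAMP})$")

def parse_klist(text):
    """Parse klist output into (default principal, list of ticket dicts)."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif m := ENTRY.match(line):
            tickets.append({"start": datetime.strptime(m.group(1), TS),
                            "expires": datetime.strptime(m.group(2), TS),
                            "service": m.group(3), "renew_until": None})
        elif (m := RENEW.match(line)) and tickets:
            # continuation line belongs to the ticket just parsed
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS)
    return principal, tickets

def gssapi_ssh_status(text, host, realm, now_str):
    """Return (tgt_valid, host_ticket_live) for ssh to host in realm at now_str.

    tgt_valid: a krbtgt/REALM@REALM ticket covers 'now', so no kinit is needed.
    host_ticket_live: the client holds a host/HOST@REALM service ticket, i.e. the
    KDC knows the host principal and the ssh client did try GSSAPI; if ssh still
    asked for a password, the failure is on the server side (sshd GSSAPI
    settings or the host keytab), not in getting tickets.
    """
    now = datetime.strptime(now_str, TS)
    _, tickets = parse_klist(text)
    live = [t for t in tickets if t["start"] <= now < t["expires"]]
    tgt_valid = any(t["service"] == f"krbtgt/{realm}@{realm}" for t in live)
    host_ticket = any(t["service"] == f"host/{host}@{realm}" for t in live)
    return tgt_valid, host_ticket
```

Feed it the real cache contents with `gssapi_ssh_status(subprocess.check_output(["klist"], text=True), host, realm, now)` after the kinit and ssh steps; it does not read ticket flags, so `klist -f` is still the place to check whether the TGT was forwardable.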
