Hi Marcello,

A while ago I created the same construction that you want: ssh to a Linux machine and login automatically with Kerberos. My KDC also is a Windows 2003 box with UNIX Services installed. It's been a while, and I don't remember a lot of details. I remember it did take quite a bit of work though :)

In the logs you sent, I can't really find anything, but it "feels" like an incomplete SSH daemon configuration. In my sshd_config there are also these lines:

    PasswordAuthentication no
    KerberosAuthentication yes
    KerberosOrLocalPasswd no
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

On my client machine, I configured /etc/ssh/ssh_config with:

    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

I hope this will help you a bit. If not, please post the configuration of both the ssh-server and the ssh-client and I'll have a closer look.

Kind regards,
Hans

Marcello Mezzanotti wrote:
> Hi all,
>
> I'm not sure if it's the correct list but,
>
> I'm trying to do kind of SSO, basically, I want to ssh a remote Linux
> machine, using openssh/putty (what version), without password prompt,
> just with Kerberos ticket.
>
> I have the following scenario:
>
> Windows Server 2003 R2 (with Unix Services installed), it's the DC of my domain
> Linux OpenSUSE 11.2, I configured it to do krb5/ldap authentication
> against my DC, it's working fine, I can login remotely and locally with
> my AD credentials and it's working fine, as you can see below:
>
> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzano...@os112:~> ls
> bin Documents Music Public Templates
> Desktop Download Pictures public_html Videos
> mmezzano...@os112:~> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
> Default principal: mmezzano...@vmwarelab.int
>
> Valid starting       Expires              Service principal
> 01/04/10 13:58:36    01/04/10 23:58:37    krbtgt/vmwarelab....@vmwarelab.int
>         renew until 01/05/10 13:58:36
> mmezzano...@os112:~>
>
>
> This Linux machine is on my AD domain and I have a valid krb ticket.
>
> I'm trying to use ssh to connect to this server, but I want to use my
> krb ticket, not type password.
>
> I have enabled GSSAPI options in my sshd_config:
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
>
> Restarted opensshd but it doesn't work:
>
> mmezzano...@os112:~> ssh -vvv mmezzano...@os112.vmwarelab.int
> OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
> debug1: Connection established.
> debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
> debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
> debug1: match: OpenSSH_5.2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com
> debug2: kex_parse_kexinit: none,z...@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 130/256
> debug2: bits set: 513/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
> debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
> debug2: bits set: 512/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
> debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug3: start over, passed a different list
> publickey,gssapi-with-mic,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
> debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
> debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
> debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> Received disconnect from 192.168.86.14: 2: Too many authentication
> failures for mmezzanotti
>
>
> Below the lines about GSSAPI auth:
>
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
>
> Could anyone help me?
>
> Another question: I downloaded a lot of patched putty clients with
> GSSAPI support (to use on Windows machines), what is the correct one?
>
> Thank you,
> Marcello
>
> --
> Marcello Mezzanotti <marcello.mezzano...@gmail.com>
> http://blogdomarcello.wordpress.com
> Information Security
> UNIX / Linux / *BSD
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
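As an added example, not code from this thread, from Hans or from Marcello: a small POSIX shell audit that checks an sshd_config for the server-side directives Hans lists, so that a half-finished configuration like the two-line fragment in the question is caught before users start seeing password prompts. The directive names are real OpenSSH keywords; the two sample files (built from the fragments quoted in the thread), the mktemp directory, the function names and the "expected" values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an OpenSSH
# sshd_config for the Kerberos/GSSAPI directives Hans lists.
# Directive names are real OpenSSH keywords; the sample files, the
# function names and the expected values are constructed for this example.

# Print the effective value of a directive. OpenSSH uses the FIRST
# uncommented occurrence of a keyword, so the scan stops at the first hit.
# Assumption: "Keyword value" form only; Match blocks, Include and the
# "Keyword=value" spelling are not handled here.
ssh_directive() {
    # $1 = config file, $2 = directive name (matched case-insensitively)
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_ssh_config FILE DIRECTIVE WANT [DIRECTIVE WANT ...]
# Prints one line per missing or mismatching directive; the return value
# is the number of problems found (0 = everything as expected).
check_ssh_config() {
    file=$1; shift
    bad=0
    while [ $# -ge 2 ]; do
        want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        have=$(ssh_directive "$file" "$1" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "$file: $1 is not set (want $2)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "$file: $1 is $have (want $2)"
            bad=$((bad + 1))
        fi
        shift 2
    done
    return "$bad"
}

# The server-side settings from Hans's reply that a ticket-based login
# depends on, with plain password logins switched off so that Kerberos
# is the intended path rather than one option among several.
audit_sshd() {
    check_ssh_config "$1" \
        GSSAPIAuthentication yes \
        GSSAPICleanupCredentials yes \
        KerberosAuthentication yes \
        PasswordAuthentication no
}

# Constructed sample files: Marcello's fragment and Hans's full list.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config.marcello" <<'EOF'
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat > "$SAMPLE_DIR/sshd_config.hans" <<'EOF'
PasswordAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF

# Stand-alone run: the first file passes, the second reports two problems
# (KerberosAuthentication and PasswordAuthentication are not set).
audit_sshd "$SAMPLE_DIR/sshd_config.hans" && echo "hans: all directives as expected"
audit_sshd "$SAMPLE_DIR/sshd_config.marcello" || echo "marcello: $? problem(s) found"
```

The check mirrors how sshd reads its file (the first uncommented occurrence of a keyword wins, so a later duplicate does not override it), which is also why a stray early `PasswordAuthentication yes` would be reported even if a corrected line was appended at the bottom. On a real host, `sshd -T` prints the effective configuration after all parsing and can be fed to the same check instead of the raw file.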