Hi all,
I'm not sure if it's the correct list but,
I'm trying to do kind of SSO, basically, I want to ssh a remote Linux
machine, using openssh/putty (what version), without password prompt,
just with kerberos ticket.
I have the following scenario:
Windows Server 2003 R2 (with Unix Services instal
Hi,
I know that Centrify provides a kerberised version of Putty for free:
http://www.centrify.com/resources/putty.asp (just create an account, and
download it)
And this version is fully "compliant" with AD.
This is perhaps a good first step for you.
Regards
Sylvain
Sylvain Cortes
Par
Hans,
Thanks for your help, my sshd_config options match yours, sshd_config
doesn't recognise GSSAPIKeyExchange and GSSAPITrustDNS options.
I continue to receive the "we sent a gssapi-with-mic packet, wait for
reply" DEBUG message and the ssh tries password auth.
I saw something related to krb5.
Marcello,
Can you show us the output of klist -kte (as root) on the machine
running sshd? You need to have a proper keytab for ssh to use GSSAPI
authentication.
Against AD, you can generate a keytab using ktpass.exe. Make sure you
are using the 2003 SP2 version (or newer) of ktpass as some k
CDC,
Unfortunately I can't use IRC here, as I imagine I don't have any keytab file
os112:~ # klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan
How can I generate this file directly on Linux?
If I generate this file on Windows, can I export
> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzano...@os112:~> ls
> bin Documents Music Public Templates
> Desktop Download Pictures public_html Videos
> mmezza
Javier,
I'm trying ticket auth, password auth against AD (KDC) (krb+ldap pam)
is working fine:
mmezzano...@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzano...@vmwarelab.int
Valid starting Expires Service principal
01/04/10 13:58:36 01/04/10 2
Hi Everyone
Happy New Year !
I'm trying to access a webapp (Apache2 + mod_auth_kerb) via Firefox
(NegociateAuth library, about:config negociate.nego*), protected by a
Kerberos Realm
In the /var/log/apache2/error.log, this error :
[...]
[Mon Jan 04 16:29:20 2010] [debug] src/mod_auth_kerb.c(691):
Hi Marcello,
A while ago I created the same construction that you want: ssh to a
Linux machine and login automatically with Kerberos. My KDC also is a
Windows 2003 box with UNIX Services installed. It's been a while, and I
don't remember a lot of details. I remember it did take quite a bit of
w
Sorry, i made a mistake :
this is not between "KRB5_KDC_UNREACH" and "dns_lookup_kdc"
... but between "KRB5_REALM_CANT_RESOLVE" and "dns_lookup_kdc"
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/
I just did :)
the problem was the keytab, I created using Linux command "net ads
keytab create",
I tested both Linux ssh client and putty
(PuTTY-0.58-GSSAPI-2005-07-24, I tested with another patched putty
client, worked, but it didn't create/forward my ticket) and all
worked fine.
Is "Kerberos
Hi,
I have a new question regarding the setup of kerberos.
In each domain I need to run a ktpass command to create Key file and SPN on the
user
In each domain for the SPN I use HTTP/myserver.ad@domain1.com, I just
change the value of DOMAIN. This is correct or should I also change the valu
>> Server: CentOS 5.3, MIT Kerberos 1.6.x, Russ Allbery's pam_krb5
>
>> Failure: Aside from GSSAPI not being used...
>
>> sshd[12234]: pam_krb5RA(sshd:auth): pam_sm_authenticate: entry (0x1)
>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
>> authentication as jblaine at FOO
>> sshd
On 1/4/2010 3:29 PM, Jeff Blaine wrote:
>>> Server: CentOS 5.3, MIT Kerberos 1.6.x, Russ Allbery's pam_krb5
>>
>>> Failure: Aside from GSSAPI not being used...
>>
>>> sshd[12234]: pam_krb5RA(sshd:auth): pam_sm_authenticate: entry (0x1)
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempti
On 04.01.2010 21:17, Marcello Mezzanotti wrote:
> Is "Kerberos for Windows" necessary for Windows/Putty?
No, it doesn't use KfW; at least the official build only uses SSPI. You may
also just download the latest snapshot version; it does include GSSAPI
authentication, no need to search for a patched one.
___
Nikolay, I just got a ticket with putty 0.58 patched (the one I
mentioned earlier)
the other ones I can login but I don't get any ticket.
On Mon, Jan 4, 2010 at 7:26 PM, Nikolay Shopik wrote:
> On 04.01.2010 21:17, Marcello Mezzanotti wrote:
>> Is "Kerberos for Windows" necessary for Windows/Putty?
I am attempting the same thing myself, almost. Please provide as many
details as you can.
My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
to use Windows PuTTY to log in to a Linux box that is running OpenSSH.
I also am running WireShark (formerly Ethereal) to monitor
Jeff Blaine writes:
> I happened to notice this (note the missing realm) after a
> failed GSSAPI attempt to the SSH server (mega):
> [r...@mega ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jbla...@foo
> Valid starting Expires Service principal
> 01/04/10 16:1
On 1/4/2010 8:42 PM, Russ Allbery wrote:
Jeff Blaine writes:
I happened to notice this (note the missing realm) after a
failed GSSAPI attempt to the SSH server (mega):
[r...@mega ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jbla...@foo
Valid starting Expires
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Updated to reflect the need to authenticate for successful
exploitation. This decreases the severity level of the vulnerability.
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (
20 matches