Discussion:
openssh + kerberos + windows ad
Marcello Mezzanotti
2010-01-04 16:13:44 UTC
Hi all,

I'm trying to do a kind of SSO; basically, I want to ssh to a remote Linux
machine, using openssh/putty (what version?), without a password prompt,
just with a Kerberos ticket.

I have the following scenario:

Windows Server 2003 R2 (with Unix Services installed); it's the DC of my domain.
Linux OpenSUSE 11.2; I configured it to do krb5/ldap authentication
against my DC. It's working fine, I can log in remotely and locally with
my AD credentials and it's working fine, as you can see below:

login as: mmezzanotti
Using keyboard-interactive authentication.
Password:
Last login: Wed Dec 30 14:00:19 2009 from localhost
Have a lot of fun...
***@os112:~> ls
bin Documents Music Public Templates
Desktop Download Pictures public_html Videos
***@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: ***@VMWARELAB.INT

Valid starting Expires Service principal
01/04/10 13:58:36 01/04/10 23:58:37 krbtgt/***@VMWARELAB.INT
renew until 01/05/10 13:58:36
***@os112:~>


This Linux machine is on my AD domain and I have a valid krb ticket.

I'm trying to use ssh to connect to this server, but I want to use my
krb ticket, not type a password.

I have enabled the GSSAPI options in my sshd_config:
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


I restarted opensshd but it doesn't work:

***@os112:~> ssh -vvv ***@os112.vmwarelab.int
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
debug1: Connection established.
debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Received disconnect from 192.168.86.14: 2: Too many authentication
failures for mmezzanotti


Below are the lines about GSSAPI auth:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

Could anyone help me?

Another question: I downloaded a lot of patched putty clients with
GSSAPI support (to use on Windows machines); what is the correct one?

thank you,
Marcello
--
Marcello Mezzanotti <***@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
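As an added example (not code from the thread), the following POSIX shell diagnostic reads a client's `ssh -vvv` output and reports which side dropped GSSAPI. The sample log is constructed, condensed to the shape of Marcello's log above (ssh prints the method list on the same line as "Authentications that can continue:"); the verdict words and function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: classify a verbose OpenSSH client log
# (ssh -vvv) to tell apart "server never offered GSSAPI", "client never tried
# it", "server bounced every GSSAPI request" and "GSSAPI succeeded".

# Constructed sample, condensed from the shape of the log posted above:
# three gssapi-with-mic requests, each answered only by a new method list,
# then fallback to publickey and keyboard-interactive.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
Password:'

# count_lines LOG REGEX -> number of log lines matching REGEX (never fails,
# grep -c prints 0 and exits 1 on no match, so the status is masked)
count_lines() {
    printf '%s\n' "$1" | grep -Ec "$2" || true
}

# gssapi_attempts LOG -> how many gssapi-with-mic requests the client sent
gssapi_attempts() {
    count_lines "$1" 'we sent a gssapi-with-mic packet'
}

# diagnose_gssapi LOG -> one verdict word on stdout
diagnose_gssapi() {
    offered=$(count_lines "$1" 'Authentications that can continue:.*gssapi-with-mic')
    tried=$(gssapi_attempts "$1")
    succeeded=$(count_lines "$1" 'Authentication succeeded \(gssapi-with-mic\)')
    fell_back=$(count_lines "$1" 'Next authentication method: (publickey|keyboard-interactive|password)')

    if [ "$offered" -eq 0 ]; then
        echo server-no-gssapi    # sshd never advertised gssapi-with-mic
    elif [ "$succeeded" -gt 0 ]; then
        echo gssapi-ok
    elif [ "$tried" -eq 0 ]; then
        echo client-no-attempt   # client side: GSSAPI off, or no usable ticket
    elif [ "$fell_back" -gt 0 ]; then
        echo gssapi-rejected     # server answered every request with a failure
    else
        echo gssapi-stalled      # requests sent, log ends without a decision
    fi
}

# Stand-alone run: report on the constructed sample.
printf 'verdict: %s (%s GSSAPI requests sent)\n' \
    "$(diagnose_gssapi "$SAMPLE_LOG")" "$(gssapi_attempts "$SAMPLE_LOG")"
```

On the log above the verdict is gssapi-rejected: the server advertised gssapi-with-mic, answered each of the three client requests with a fresh method list rather than a GSSAPI token, and the client then fell back to keyboard-interactive, which is where the Password: prompt comes from. That pattern is consistent with sshd being unable to accept a GSSAPI context on its side (for example no usable host key in /etc/krb5.keytab, which is what the thread later finds) rather than with the client lacking a ticket, since klist already showed one.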
Marcello Mezzanotti
2010-01-04 17:18:18 UTC
Hans,

Thanks for your help; my sshd_config options match yours, but sshd_config
doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.

I continue to receive the "we sent a gssapi-with-mic packet, wait for
reply" DEBUG message and ssh tries password auth.

I saw something related to krb5.keytab; do you know something about this file?

thank you,
marcello
Hi Marcello,
A while ago I created the same construction that you want: ssh to a Linux
machine and login automatically with Kerberos. My KDC also is a Windows 2003
box with UNIX Services installed. It's been a while, and I don't remember a
lot of details. I remember it did take quite a bit of work though :)
In the logs you sent, I can't really find anything, but it "feels" like an
incomplete SSH daemon configuration.
PasswordAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
I hope this will help you a bit. If not, please post the configuration of
both the ssh-server and the ssh-client and I'll have a closer look.
Kind regards,
Hans
--
Marcello Mezzanotti <***@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Marcello Mezzanotti
2010-01-04 18:17:33 UTC
I just did :)

The problem was the keytab; I created it using the Linux command "net ads
keytab create".

I tested both the Linux ssh client and putty
(PuTTY-0.58-GSSAPI-2005-07-24; I tested with another patched putty
client, which worked, but it didn't create/forward my ticket) and all
worked fine.

Is "Kerberos for Windows" necessary for Windows/Putty?

Thank you all for help.

Thank you,
Marcello
--
Marcello Mezzanotti <***@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
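Added example, not code from the thread, OpenSSH or Samba: two offline checks for the two things the thread ends up fixing, Hans's sshd_config GSSAPI directives and the host principal that "net ads keytab create" puts into /etc/krb5.keytab. The sshd_config fragment and the klist -k listing are constructed; the host and realm names are taken from Marcello's klist output, the KVNO values are made up, and the function names are mine. Both functions take text, so on a real server they can be fed `cat /etc/ssh/sshd_config` and `klist -k` output.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks of the two server-side
# prerequisites for GSSAPI SSO, the sshd_config directives and a host
# principal in the keytab.

# Constructed sshd_config fragment: Hans's server directives plus two that a
# stock sshd does not understand (GSSAPIKeyExchange needs the GSSAPI
# key-exchange patch, GSSAPITrustDNS is an ssh_config option), which is
# what Marcello's "doesn't recognise" message points at.
SAMPLE_SSHD_CONFIG='# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
PasswordAuthentication no
ChallengeResponseAuthentication yes'

# Constructed `klist -k` listing, shaped like what `net ads keytab create`
# leaves for host os112.vmwarelab.int in realm VMWARELAB.INT (KVNO made up).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/os112.vmwarelab.int@VMWARELAB.INT
   2 host/os112@VMWARELAB.INT
   2 OS112$@VMWARELAB.INT'

# sshd_option CONFIG NAME -> value of the first non-comment NAME line
# (sshd honours the first occurrence; directive names are case-insensitive)
sshd_option() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# check_sshd_config CONFIG -> "OK" or one problem per line
check_sshd_config() {
    cfg="$1"; problems=0
    v=$(sshd_option "$cfg" GSSAPIAuthentication)
    if [ "$v" != yes ]; then
        echo "GSSAPIAuthentication is '${v:-unset}'; it must be yes"
        problems=1
    fi
    # Unknown directives make stock sshd refuse to start (see `sshd -t`),
    # so these client-only / patch-only options hide the real GSSAPI problem.
    for d in GSSAPIKeyExchange GSSAPITrustDNS GSSAPIDelegateCredentials; do
        if [ -n "$(sshd_option "$cfg" "$d")" ]; then
            echo "$d is not a stock sshd_config directive (ssh_config or GSSAPI patch only)"
            problems=1
        fi
    done
    [ "$problems" -eq 0 ] && echo OK
    return 0
}

# password_fallback_enabled CONFIG -> exit 0 if sshd would still offer a
# password or keyboard-interactive prompt (both default to yes), i.e. a broken
# GSSAPI setup still lets users in and the failure goes unnoticed.
password_fallback_enabled() {
    pa=$(sshd_option "$1" PasswordAuthentication)
    cr=$(sshd_option "$1" ChallengeResponseAuthentication)
    [ "${pa:-yes}" != no ] || [ "${cr:-yes}" != no ]
}

# host_principal FQDN REALM -> the service principal sshd needs in the keytab
host_principal() {
    echo "host/$1@$2"
}

# keytab_has_principal KLIST PRINCIPAL -> exit 0 on an exact match; principals
# are case-sensitive, so host/OS112.vmwarelab.int@... would not match.
keytab_has_principal() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | grep -Fxq "$2"
}

# Stand-alone run on the constructed samples.
check_sshd_config "$SAMPLE_SSHD_CONFIG"
password_fallback_enabled "$SAMPLE_SSHD_CONFIG" && echo "note: password fallback still enabled"
p=$(host_principal os112.vmwarelab.int VMWARELAB.INT)
if keytab_has_principal "$SAMPLE_KEYTAB" "$p"; then echo "keytab has $p"; else echo "keytab lacks $p"; fi
```

On a real box the keytab check should use the name the server actually canonicalises to (forward and reverse DNS must agree with it), and `kinit -k host/os112.vmwarelab.int` proves the keytab key is accepted by the KDC independently of sshd. The password-fallback note is what the thread's first log shows: with keyboard-interactive still available, a failed GSSAPI attempt degrades silently to a Password: prompt.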
Bob Rasmussen
2010-01-04 23:18:55 UTC
I am attempting the same thing myself, almost. Please provide as many
details as you can.

My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
to use Windows PuTTY to log in to a Linux box that is running OpenSSH.

I also am running WireShark (formerly Ethereal) to monitor the network, so
I can see Kerberos transactions - those that work and those that fail.

The PuTTY I am trying is, I think, an unreleased version from the official
website. It has calls to GSSAPI.

At this point I get messages about an illegal flag being set. I see these
in WireShark.

I'd appreciate any help.
Post by Marcello Mezzanotti
I just did :)
The problem was the keytab; I created it using the Linux command "net ads
keytab create".
I tested both the Linux ssh client and putty
(PuTTY-0.58-GSSAPI-2005-07-24; I tested with another patched putty
client, which worked, but it didn't create/forward my ticket) and all
worked fine.
Is "Kerberos for Windows" necessary for Windows/Putty?
Thank you all for help.
Thank you,
Marcello
--
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ***@anzio.com
company e-mail: ***@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA
Bob Rasmussen
2010-01-06 14:30:55 UTC
Bob,
What exactly do you want to know? :)
1) What version(s) of PuTTY work in your environment? Did you try the
developer's build from the official PuTTY site?

2) Did you have to create a keytab file on the AD server, and transfer it
to the SSH server? How exactly did you do this?

3) Did you find online documents that were especially helpful? What were
they?

Thanks.
Post by Bob Rasmussen
I am attempting the same thing myself, almost. Please provide as many
details as you can.
My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
to use Windows PuTTY to log in to a Linux box that is running OpenSSH.
I also am running WireShark (formerly Ethereal) to monitor the network, so
I can see Kerberos transactions - those that work and those that fail.
The PuTTY I am trying is, I think, an unreleased version from the official
website. It has calls to GSSAPI.
At this point I get messages about an illegal flag being set. I see these
in WireShark.
I'd appreciate any help.
Post by Marcello Mezzanotti
I just did :)
The problem was the keytab; I created it using the Linux command "net ads
keytab create".
I tested both the Linux ssh client and putty
(PuTTY-0.58-GSSAPI-2005-07-24; I tested with another patched putty
client, which worked, but it didn't create/forward my ticket) and all
worked fine.
Is "Kerberos for Windows" necessary for Windows/Putty?
Thank you all for help.
Thank you,
Marcello
--
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.
         voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
           fax: (US) 503-624-0760
           web: http://www.anzio.com
 street address: Rasmussen Software, Inc.
                10240 SW Nimbus, Suite L9
                Portland, OR  97223  USA
--
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ***@anzio.com
company e-mail: ***@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA
Marcello Mezzanotti
2010-01-06 13:05:22 UTC
Bob,

What exactly do you want to know? :)
Post by Bob Rasmussen
I am attempting the same thing myself, almost. Please provide as many
details as you can.
My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
to use Windows PuTTY to log in to a Linux box that is running OpenSSH.
I also am running WireShark (formerly Ethereal) to monitor the network, so
I can see Kerberos transactions - those that work and those that fail.
The PuTTY I am trying is, I think, an unreleased version from the official
website. It has calls to GSSAPI.
At this point I get messages about an illegal flag being set. I see these
in WireShark.
I'd appreciate any help.
Post by Marcello Mezzanotti
I just did :)
The problem was the keytab; I created it using the Linux command "net ads
keytab create".
I tested both the Linux ssh client and putty
(PuTTY-0.58-GSSAPI-2005-07-24; I tested with another patched putty
client, which worked, but it didn't create/forward my ticket) and all
worked fine.
Is "Kerberos for Windows" necessary for Windows/Putty?
Thank you all for help.
Thank you,
Marcello
--
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.
         voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
           fax: (US) 503-624-0760
           web: http://www.anzio.com
 street address: Rasmussen Software, Inc.
                10240 SW Nimbus, Suite L9
                Portland, OR  97223  USA
--
Marcello Mezzanotti <***@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Marcello Mezzanotti
2010-01-06 18:27:04 UTC
Bob,
Post by Bob Rasmussen
Bob,
What exactly do you want to know? :)
1) What version(s) of PuTTY work in your environment? Did you try the
developer's build from the official PuTTY site?
http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip

I tested other clients that worked too, but this is the only one
with which I got tickets (klist on Linux). I didn't have time to test other
krb5.conf options.
Post by Bob Rasmussen
2) Did you have to create a keytab file on the AD server, and transfer it
to the SSH server? How exactly did you do this?
I created the keytab file directly on Linux, using the net command.
After Linux joined the AD (net ads join) I typed "net ads keytab
create" and voilà.
Post by Bob Rasmussen
3) Did you find online documents that were especially helpful? What were
they?
None especially; I found documents for specific functions like:

- join linux on windows domains (winbind, kerberos and ldap)
- smartcard linux logon (opensc, pam_pkcs11) - not related

I did a mix of solutions:

- basically I have my users in AD (w2k3 r2 server with Management for Unix)
- configured winbind to join windows domains
- configured ldap to nsswitch.conf and pam
- configured krb5 to pam

and then configured ssh+krb5 for SSO (the putty stuff)
--
Marcello Mezzanotti <***@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Jackson
2010-01-28 14:52:15 UTC
Hello there,
Quest provides a PUTTY version with GSSAPI enabled:
http://rc.quest.com/topics/putty/
It works fine.

Regards,

Jackson