Windows SSH client that uses tickets not obtained from AD login


Windows SSH client that uses tickets not obtained from AD login

jay alvarez-2
Hi,
 Do you know any windows ssh client that can use
gssapi authentication and not using SSPI (used by
vintela and CSS putty versions) wherein it uses tickets
that were obtained from an Active Directory login? I
have downloaded KFW from MIT and I have successfully
obtained tickets using Leash. I tried to use vintela's
putty but I don't know how to tell it where Leash put
my tickets. The vintela docs say it will use the
tickets obtained upon an Active Directory login. In
our case, we don't use AD service. BTW, just curious,
KFW says it places the tickets obtained from KDC
inside the memory of the computer, I remembered my
tickets when using kinit places it in /tmp of my unix
box. Is there a security issue here regarding the use
of /tmp as a storage of tickets against placing it in
the memory?

Thanks.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Windows SSH client that uses tickets not obtained from AD login

Jeffrey Altman-3
Kermit 95 <http://www.kermit-project.org/k95.html> provides
support for SSH with GSS and it derives its tickets from KFW.
The version distributed by Columbia University is old and
not quite up to date but it works.



jay alvarez wrote:

> Hi,
>  Do you know any windows ssh client that can use
> gssapi authentication and not using SSPI (used by
> vintela and CSS putty versions) wherein it uses tickets
> that were obtained from an Active Directory login? I
> have downloaded KFW from MIT and I have successfully
> obtained tickets using Leash. I tried to use vintela's
> putty but I don't know how to tell it where Leash put
> my tickets. The vintela docs say it will use the
> tickets obtained upon an Active Directory login. In
> our case, we don't use AD service. BTW, just curious,
> KFW says it places the tickets obtained from KDC
> inside the memory of the computer, I remembered my
> tickets when using kinit places it in /tmp of my unix
> box. Is there a security issue here regarding the use
> of /tmp as a storage of tickets against placing it in
> the memory?
>
> Thanks.

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: Windows SSH client that uses tickets not obtained from AD login(opensource/free)

jay alvarez-2
Hi Jeff,
  I've already been to that site as most of my google
searches point me to it, but my problem is that the
place I work in is a government institution which
benefits mostly from tools that are opensource and
free. Is there a freeware version of kermit? :)
 

--- Jeffrey Altman <[hidden email]> wrote:

> Kermit 95 <http://www.kermit-project.org/k95.html> provides
> support for SSH with GSS and it derives its tickets from KFW.
> The version distributed by Columbia University is old and
> not quite up to date but it works.



               

Re: Windows SSH client that uses tickets not obtained from AD login(opensource/free)

Vadim-8
Hallo,

another option would be to use ssh under cygwin - which is what I actually do.
You only have to compile ssh yourself with either Heimdal, or with MIT
Kerberos. You can obtain a TGT using either kinit, or copy the TGT from LSA to
an ordinary credentials cache using the ms2mit program from KfW.

Regards, vadim tarassov.

On Mon, 2005-07-11 at 21:59 -0700, jay alvarez wrote:

> Hi Jeff,
>   I've already been to that site as most of my google
> searches point me to it, but my problem is that the
> place I work in is a government institution which
> benefits mostly from tools that are opensource and
> free. Is there a freeware version of kermit? :)
--
vadim <[hidden email]>


Re: Windows SSH client that uses tickets not obtained from AD login

Christopher D. Clausen
In reply to this post by jay alvarez-2
jay alvarez <[hidden email]> wrote:

> Hi,
>  Do you know any windows ssh client that can use
> gssapi authentication and not using SSPI (used by
> vintela and CSS putty versions) wherein it uses tickets
> that were obtained from an Active Directory login? I
> have downloaded KFW from MIT and I have successfully
> obtained tickets using Leash. I tried to use vintela's
> putty but I don't know how to tell it where Leash put
> my tickets. The vintela docs say it will use the
> tickets obtained upon an Active Directory login. In
> our case, we don't use AD service.

The version of putty at: http://www.sweb.cz/v_t_m/ works with tickets
obtained by MIT KfW.  However, it only works with gssapi-with-mic, so
you need to have OpenSSH 3.8 or higher on the server side.  I have been
using it for over a year without too many problems.  It works quite well
and the author even updated the source patch and the binary the two
times I've asked when security fixes were released for putty.

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin



Re: Windows SSH client that uses tickets not obtained from AD login

Simon Wilkinson
In reply to this post by jay alvarez-2
jay alvarez wrote:
> Hi,
>  Do you know any windows ssh client that can use
> gssapi authentication and not using SSPI (used by
> vintela and CSS putty versions)

There's a version of the CSS putty modifications which can use MIT
Kerberos for Windows. Download their Putty Installer, install it, and
then change the dll which it uses for Kerberos support by renaming
C:\Program Files\PuTTY\plugin_mitgss.dll as
C:\Program Files\PuTTY\plugingss.dll

In my experience, there's a problem with newer versions of the code not
working with MIT Kerberos, but version 0-55b1 works fine.

Cheers,

Simon.


Re: Windows SSH client that uses tickets not obtained from AD login

Douglas E. Engert
In reply to this post by jay alvarez-2
SecureCRT 4.x can use either the SSPI or the KfW gssapi.
  http://www.vandyke.com/products/securecrt/

There are mods to PuTTY that can use either SSPI or KfW.
  http://www.sweb.cz/v_t_m/#putty
Hopefully the PuTTY people will pick these up.

We use both of these at our site.

jay alvarez wrote:

> Hi,
>  Do you know any windows ssh client that can use
> gssapi authentication and not using SSPI (used by
> vintela and CSS putty versions) wherein it uses tickets
> that were obtained from an Active Directory login? I
> have downloaded KFW from MIT and I have successfully
> obtained tickets using Leash. I tried to use vintela's
> putty but I don't know how to tell it where Leash put
> my tickets. The vintela docs say it will use the
> tickets obtained upon an Active Directory login. In
> our case, we don't use AD service. BTW, just curious,
> KFW says it places the tickets obtained from KDC
> inside the memory of the computer, I remembered my
> tickets when using kinit places it in /tmp of my unix
> box. Is there a security issue here regarding the use
> of /tmp as a storage of tickets against placing it in
> the memory?
>
> Thanks.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444