kerberos auth for ssh2


kerberos auth for ssh2

Kevin J Kalupson
Hello,
I have a few kerberos questions. Currently, users can log in to a
particular server via ssh using their kerberos password.

1) My main goal is to implement kerberos authentication for ssh via
gssapi-with-mic.  I have found a lot of web sites where people claim to
have it working, but I have not experienced success yet.
To your knowledge, should this method now work with up-to-date
installations of openssh and kerberos using ssh2?

2) I am using PAM auth modules.  Currently, users can log in using their
kerberos password.  If I am using PAM, do I need "extra" configuration
so that PAM will OK a user who presents a gssapi-with-mic ticket as
authenticated, or does ssh forgo PAM when configured for gssapi-with-mic
tickets as well?

3) Are there other options besides gssapi-with-mic for ssh2 login with a
kerberos-based ticket?

4) Does the KDC have to have special knowledge of the server that is
requesting authentication for a user via a forwarded ticket, or does the
server making the request for this sort of auth simply need to know
how to ask?

Thank you,
I appreciate any help.
--

Kevin J Kalupson  * Programmer/Analyst
                  * Information Technology Services
                  * Teaching and Learning with Technology
                  * Pennsylvania State University
                  * 814-863-4590



_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev


Re: kerberos auth for ssh2

Simon Wilkinson
Kevin J Kalupson wrote:
> 1)My main goal is to implement kerberos authentication for ssh via
> gssapi-with-mic.  I have found a lot web sites where people claim to
> have it working, but I have not experienced success yet.
> To your knowledge, should this method now work with up to date
> installations of openssh and kerberos and using ssh2?

gssapi-with-mic has been supported in OpenSSH since November 2003. It
definitely works with an up to date installation. In the vanilla OpenSSH
release, it is disabled by default. You will need 'GssapiAuthentication
yes' in both client and server configuration files, and
'GssapiDelegateCredentials yes' on the client.

> 2)I am using PAM auth modules.  Currently, users can log in using their
> kerberos password.  If I am using PAM, do I need "extra" configuration
> so that pam will ok the user that passes a gssapi-with-mic ticket is
> authenticated, or does ssh forgo PAM when configured for gssapi-with-mic
> tickets as well.

You shouldn't need 'extra' configuration. When a user authenticates
through gssapi-with-mic, the PAM account and session stacks will be run.
This allows authorization checks, and the acquisition of additional credentials.

> 3)Are there other options besides gssapi-with-mic for ssh2 login with a
> kerberos based ticket?

Clients and servers produced by ssh.com support an authentication
mechanism called '[hidden email]'. This isn't widely used.

> 4)Does the kdc have to have special knowledge of the server that is
> requesting authentication for a user via a forwarded ticket or does the
> server making the request for this sort of auth simply just need to know
> how to ask?

The host/ server principal and the user's principal both need to have
the allow_forwardable flag set. The user's credentials need to have been
obtained as forwardable credentials (for example, through kinit -f). You
need to have credential forwarding turned on by having
'GSSAPIDelegateCredentials yes' in your ssh client's configuration file.

Cheers,

Simon.

Re: kerberos auth for ssh2

Matt Crawford
On Aug 1, 2005, at 2:42, Simon Wilkinson wrote:
>> 4)Does the kdc have to have special knowledge of the server that is
>> requesting authentication for a user via a forwarded ticket or does the
>> server making the request for this sort of auth simply just need to know
>> how to ask?
>
> The host/ server principal and the user's principal both need to have
> the allow_forwardable flag set. [...]

Could you explain to me this bit about the server principal needing
to have allow_forwardable?


Re: kerberos auth for ssh2

Simon Wilkinson
Matt Crawford wrote:
> On Aug 1, 2005, at 2:42, Simon Wilkinson wrote:
>> The host/ server principal and the user's principal both need to have
>> the allow_forwardable flag set. [...]
>
> Could you explain to me this bit about the server principal needing to
> have allow_forwardable?

Sorry - typing too late at night. Scratch the bit about the server
principal, but I believe the rest of what I typed still stands.

S.



Re: kerberos auth for ssh2

Roland C. Dowdeswell
In reply to this post by Simon Wilkinson
On 1122882155 seconds since the Beginning of the UNIX epoch
Simon Wilkinson wrote:

>You shouldn't need 'extra' configuration. When a user authenticates
>through gssapi-with-mic, the PAM account and session stacks will be run.
>This allows authorization checks, and the acquisition of additional credentials.

When authenticating with gssapi-with-mic, pam_setcred() is also
run from the auth stack but obviously pam_authenticate() is not
run.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

Re: kerberos auth for ssh2

Kevin Kalupson
In reply to this post by Simon Wilkinson
I appreciate the response.  My config files do indeed match up with what
you note as required.
After 'kinit -f username' and an attempt to 'ssh [hidden email]' I
receive this debug info:
-----------------------------snip------------------------------------
debug1: match: OpenSSH_3.8.1p1   pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string OpenSSH_3.8.1p1
debug3: Trying to reverse map address .
debug1: Miscellaneous failure
Server not found in Kerberos database

debug1: Miscellaneous failure
Server not found in Kerberos database

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
-----------------------------snip------------------------------------

This is what makes me think that the kdc somehow needs to know something
about the server I am trying to connect with.


Re: kerberos auth for ssh2

Simon Wilkinson
Kevin Kalupson wrote:
> I receive this debug info

> debug1: Miscellaneous failure
> Server not found in Kerberos database

The server needs to have a host key. You need to have a principal of the
form host/<hostname>, where <hostname> is the fully qualified domain
name of the server, in the default keytab (usually /etc/krb5.keytab).
See the documentation that comes with MIT Kerberos for details of how to
create this key, and store it in a keytab.

Cheers,

Simon.
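A preflight script, added here and not from the thread, that checks the three things Simon's replies call for before trying gssapi-with-mic: GSSAPIAuthentication enabled in the OpenSSH configuration, a host/<fqdn> key in the default keytab, and a forwardable TGT from kinit -f. The hostname, realm and sample command output it uses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for the OpenSSH
# gssapi-with-mic setup described above. Each check reads text on stdin,
# so it can be fed real output (e.g. `klist -k | keytab_has_host_key FQDN`)
# or the constructed samples below. Exit status 0 means the check passed.

# A keyword is on when its first non-comment occurrence is "yes" (OpenSSH
# uses the first value it finds; keyword names are case-insensitive).
gssapi_enabled() {   # usage: gssapi_enabled GSSAPIAuthentication < sshd_config
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { exit !(val == "yes") }'
}

# "Server not found in Kerberos database": the default keytab must hold a
# host/<fqdn> key, which `klist -k` lists as "KVNO host/<fqdn>@REALM".
keytab_has_host_key() {   # usage: keytab_has_host_key login.example.edu < klist_k
    grep -qF "host/$1@"
}

# Delegation needs a forwardable TGT (kinit -f): in `klist -f` output the
# krbtgt entry's Flags field must contain "F".
tgt_is_forwardable() {   # usage: tgt_is_forwardable < klist_f
    awk '
        /krbtgt\// { tgt = 1 }
        tgt && match($0, /Flags: *[A-Za-z]+/) {
            if (index(substr($0, RSTART + 6, RLENGTH - 6), "F")) ok = 1
            tgt = 0
        }
        END { exit !ok }'
}

# Constructed samples (hostname and realm are made up) for a stand-alone run.
SAMPLE_SSHD_CONFIG='# sshd_config
GSSAPIAuthentication yes
UsePAM yes'
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/login.example.edu@EXAMPLE.EDU'
SAMPLE_KLIST_F='Valid starting     Expires            Service principal
08/01/05 09:00:00  08/01/05 19:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
        Flags: FIA'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gssapi_enabled GSSAPIAuthentication \
    && echo "sshd: GSSAPIAuthentication yes"
printf '%s\n' "$SAMPLE_KLIST_K" | keytab_has_host_key login.example.edu \
    && echo "keytab: host/login.example.edu key present"
printf '%s\n' "$SAMPLE_KLIST_F" | tgt_is_forwardable \
    && echo "ticket: TGT is forwardable"
```

On a real host, feed the functions `sshd_config`, `klist -k` and `klist -f` output directly; a failing check points at the same three causes the thread walks through.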