OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Matthias.Gerstner at nefkom.net
Thu Dec 1 04:54:50 EST 2005
>>Douglas E. Engert wrote:
> During login using a password, Kerberos should get you two tickets,
> one is the ticket granting ticket, the other is a service ticket for the local
> host. The second ticket is needed to avoid an attack where a user replaces
> the network, and the KDC with their own version then uses the password
> stored in their KDC to login to the host. This attack will not
> work if the host tries to get the second ticket, as it holds the
> real key for the host in the krb5.keytab, and can detect a bogus
Ok, this part sounds okay to me. Is OpenSSH automatically trying to
receive the service ticket?
I wonder why I haven't noticed anything about this topic until now.
> I bet that with the pam_krb5 you have not set the validate option
> or something similar. This option does the above check. On a personal
> workstation, you may be willing to live with the above attack.
> OpenSSH gets the service ticket. The sshd_config man page states
> in the KerberosAuthentication section that you must have a servtab.
> Also if you use gssapi for authentication you must have the
> krb5.keytab or servtab as well.
Thank you for this information. I've read the man pages of course but
somehow skipped that important part completely.
>>> Does the host have a host/<fqdn>@<REALM> principal in the
Just to get this right:
Let's say the OpenSSH server's fqdn is ossh.mydomain.net.
Then I have to create a principal for
host/ossh.mydomain.net@MYDOMAIN.NET
on the Active Directory side and extract a keytab entry for this
principal for use in the krb5.keytab on ossh.
If I got this right now then it shouldn't be too hard to get this working.
I'll try it as soon as possible.
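The check that follows is an added example, not code from this thread or from OpenSSH or MIT Kerberos: once the keytab for host/ossh.mydomain.net@MYDOMAIN.NET has been extracted from Active Directory, an administrator wants to confirm that the file sshd will read actually contains that principal (and with which enctypes and kvno), since a missing or wrongly named host key is exactly what produces the "no credentials cache" style failures and, worse, disables the KDC-validation step described above. The parser below reads the binary keytab format version 2 (0x0502, big-endian, as documented for MIT krb5 and Heimdal); the sample keytab is constructed in memory by a small builder so the whole thing runs offline. The hostname ossh.mydomain.net and realm MYDOMAIN.NET are the ones from the message; the key bytes, kvno 3 and the chosen enctypes are made up for the demonstration.

```python
import struct

KEYTAB_VERSION = 0x0502   # keytab file format v2, all integers big-endian
KRB5_NT_SRV_HST = 3       # name type used for host/<fqdn> service principals

# Enctype numbers from the Kerberos registry (assumption: these are the two you
# would typically see from AD: AES256-CTS-HMAC-SHA1-96 and RC4-HMAC).
ENCTYPE_AES256 = 18
ENCTYPE_RC4_HMAC = 23


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a v2 keytab.
    Used only to construct test input; real keytabs come from ktpass/kadmin."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, realm, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type, timestamp (0 here), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)   # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body           # size excludes itself
    return out


def _read_counted(buf: bytes, pos: int):
    n, = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + n > len(buf):
        raise ValueError("counted string overruns keytab entry")
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return a list of {principal, kvno, enctype} dicts for every live entry."""
    if len(data) < 2:
        raise ValueError("keytab too short")
    version, = struct.unpack(">H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) != size:
            raise ValueError("truncated keytab entry")
        pos += size
        try:
            p = 0
            ncomp, = struct.unpack(">H", entry[p:p + 2]); p += 2
            realm, p = _read_counted(entry, p)
            comps = []
            for _ in range(ncomp):
                comp, p = _read_counted(entry, p)
                comps.append(comp.decode())
            name_type, _ts, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
            enctype, = struct.unpack(">H", entry[p:p + 2]); p += 2
            _key, p = _read_counted(entry, p)
            kvno = vno8
            if len(entry) - p >= 4:     # 32-bit kvno, used when present and nonzero
                kvno32, = struct.unpack(">I", entry[p:p + 4])
                if kvno32:
                    kvno = kvno32
        except struct.error as exc:
            raise ValueError("malformed keytab entry") from exc
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype})
    return entries


def find_host_keys(data: bytes, fqdn: str, realm: str):
    """List (kvno, enctype) pairs held for host/<fqdn>@<REALM>. Matching is
    exact, as Kerberos principal names are case-sensitive."""
    wanted = "host/%s@%s" % (fqdn, realm)
    return [(e["kvno"], e["enctype"]) for e in parse_keytab(data)
            if e["principal"] == wanted]


# Constructed sample keytab: the host principal from the thread, two enctypes.
SAMPLE_KEYTAB = build_keytab([
    ("host/ossh.mydomain.net", "MYDOMAIN.NET", 3, ENCTYPE_AES256, b"\x11" * 32),
    ("host/ossh.mydomain.net", "MYDOMAIN.NET", 3, ENCTYPE_RC4_HMAC, b"\x22" * 16),
])

if __name__ == "__main__":
    keys = find_host_keys(SAMPLE_KEYTAB, "ossh.mydomain.net", "MYDOMAIN.NET")
    print("host key present" if keys else "host key MISSING", keys)
```

To check a real file, replace SAMPLE_KEYTAB with the bytes of /etc/krb5.keytab read in binary mode; an empty result from find_host_keys, or a kvno that does not match what the KDC reports, is the first thing to fix before looking at sshd itself.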