OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Matthias Gerstner Matthias.Gerstner at nefkom.net
Thu Dec 1 04:54:50 EST 2005


>>Douglas E. Engert wrote:

> During login using a password, Kerberos should get you two tickets,
> one is the ticket granting ticket, the other is a service ticket for the local
> host. The second ticket is needed to avoid an attack where a user replaces
> the network, and the KDC with their own version then uses the password
> stored in their KDC to login to the host. This attack will not
> work if the host tries to get the second ticket, as it holds the
> real key for the host in the krb5.keytab, and can detect a bogus
> KDC.

Ok, this part sounds okay to me. Is OpenSSH automatically trying to
receive the service ticket?
I wonder that I haven't noticed anything about this topic until now.

> I bet that with the pam_krb5 you have not set the validate option
> or something similar. This option does the above check. On a personal
> workstation, you may be willing to live with the above attack.
> 
> OpenSSH gets the service ticket. The man sshd_config states
> in the KerberosAuthentication section that you must have a servtab.
> 
> Also if you use gssapi for authentication you must have the
> krb5.keytab or servtab as well.

Thank you for this information. I've read the man pages of course but
somehow skipped that important part completely.

>>> Does the host have a host/<fqdn>@<REALM> principal in the
>>> krb5.keytab?

Just to get this right:

Let's say the OpenSSH server's fqdn is ossh.mydomain.net.

Then I have to create a principal for

host/ossh.mydomain.net@MYDOMAIN.NET

on the Active Directory side and extract a keytab entry for this
principal for use in the krb5.keytab on ossh.

If I got this right now then it shouldn't be too hard to get this working.

I'll try it as soon as possible.

Best regards,

Matthias Gerstner
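The host keytab prerequisite discussed in this thread can be checked from the shell. The functions below are an added example, not code from the thread or from OpenSSH; they assume the keytab is /etc/krb5.keytab and use the thread's placeholder names ossh.mydomain.net and MYDOMAIN.NET.

```shell
# Added example: verify that the sshd host has the keytab entry Kerberos
# needs to detect a bogus KDC. Assumed keytab path; override with KEYTAB=...
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# keytab_has_host_principal FQDN REALM
# Reads a `klist -k` listing on stdin (columns: KVNO Principal) and succeeds
# only if an entry exactly equal to host/FQDN@REALM is present.
keytab_has_host_principal() {
    awk -v want="host/$1@$2" '
        $2 == want { found = 1 }
        END { exit !found }'
}

# check_host_keytab FQDN REALM
# Runs klist against the real keytab (needs the krb5 client tools installed).
check_host_keytab() {
    klist -k "$KEYTAB" | keytab_has_host_principal "$1" "$2"
}

# validate_host_key FQDN REALM
# Proves the exported key matches what the KDC holds by doing a kinit with
# the host key into a throwaway cache. A stale ktpass export or a wrong KVNO
# fails here, and the login-time validation (sshd, or pam_krb5 with the
# validate option) would fail for the same reason.
validate_host_key() {
    cache="FILE:/tmp/validate_host_key.$$"
    kinit -c "$cache" -k -t "$KEYTAB" "host/$1@$2"
    rc=$?
    kdestroy -c "$cache" 2>/dev/null
    return $rc
}

# fetch_host_service_ticket FQDN REALM
# With a user TGT in the default cache, requests the host service ticket,
# i.e. the "second ticket" described in the thread.
fetch_host_service_ticket() {
    kvno "host/$1@$2"
}
```

Run `check_host_keytab ossh.mydomain.net MYDOMAIN.NET && validate_host_key ossh.mydomain.net MYDOMAIN.NET` on the sshd host; both must succeed before Kerberos password login can verify the KDC.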
