Need help with GSSAPI authentication

Simon Gales simongales at simonandchristy.com
Wed May 11 22:01:35 EST 2005


David - I think you're correct - the ssh/fqdn at realm principal probably isn't
needed.  I added it in a fit of desperation a couple of nights ago, but that
wasn't what fixed the authentication.

After more experimentation last night, I found that:
+ Putty (with patches) can authenticate but doesn't forward the tickets.
+ SecureCRT can authenticate but doesn't forward the tickets.
+ OpenSSH works fine, using kinit to get my tickets initially.

So now I'm trying to find OpenSSH built for Cygwin that has Kerberos V
(1.4.1) support compiled in.

I've also begun trying to build it myself, but I've never built anything
under Cygwin before, and it's slow going.  Still trying to resolve errors
from missing include files (arpa/nameser.h, resolv.h).


-S
-----Original Message-----
From: openssh-unix-dev-bounces+sgales=simonandchristy.com at mindrot.org
[mailto:openssh-unix-dev-bounces+sgales=simonandchristy.com at mindrot.org] On
Behalf Of Sergio Gelato
Sent: Wednesday, May 11, 2005 4:14 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Need help with GSSAPI authentication

* Simon Gales [2005-05-10 20:38:05 -0500]:
> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. 
> I've also got MIT Kerberos for Windows installed on the client, and 
> Leash shows that my tickets ARE forwardable.
> 
> Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and 
> OpenSSH 4.0p1.
> 
> I've created two AD accounts, and extracted keys mapped to 
> "host/hostname.domainname.com at REALM.COM" and 
> "ssh/hostname.domainname.com at REALM.COM" and installed them into 
> /etc/krb5.keytab.
> 
> I can login to the server just fine - GSSAPI-with-mic authentication 
> works fine.  But when I "klist" after logging in, I have no tickets.
> 
> So... is this supposed to work?  Should my tickets get forwarded?  If 
> not, is there a patch that would make this work?

That's a SecureCRT question. If you were using the OpenSSH client, you would
have to set the GSSAPIDelegateCredentials option (it's off by
default) in order for your TGT to be forwarded. I have no idea what the
corresponding option for SecureCRT is called.

> Any help would be appreciated...  I can provide server-side debug 
> traces if it'll help, but I really just need to know if tgt-forwarding 
> is supposed to work in OpenSSH 4.0...

It works for me.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
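The two client-side preconditions Sergio points to (GSSAPIDelegateCredentials switched on, and a TGT that is forwardable in the first place) written up as a check script. This is an added example, not code from the thread; it assumes a modern OpenSSH client with `ssh -G` (6.8 and later, not the 4.0p1 discussed here) and MIT Kerberos `klist -f` output, and the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example: check why a TGT is not forwarded over GSSAPI authentication.
# Assumes 'ssh -G' (OpenSSH >= 6.8) and MIT 'klist -f' output formats.

# Exit 0 if the effective client config has GSSAPIDelegateCredentials yes.
# The option is off by default, so it must be set in ssh_config or via
# 'ssh -o GSSAPIDelegateCredentials=yes host'.
delegation_enabled_in() {
  # $1: text of 'ssh -G <host>' output (one lowercase keyword + value per line)
  printf '%s\n' "$1" | awk '
    $1 == "gssapidelegatecredentials" { v = $2 }
    END { exit (v == "yes") ? 0 : 1 }'
}

# Exit 0 if the krbtgt entry in 'klist -f' output carries the F (forwardable)
# flag. Uppercase F is the client-side prerequisite; a lowercase f marks a
# ticket that was itself forwarded, which is what a delegated TGT shows on
# the server.
tgt_forwardable_in() {
  # $1: text of 'klist -f' output
  printf '%s\n' "$1" | awk '
    /krbtgt\// { in_tgt = 1 }
    in_tgt && match($0, /Flags: *[A-Za-z]+/) {
      flags = substr($0, RSTART, RLENGTH); sub(/Flags: */, "", flags)
      ok = (index(flags, "F") > 0); exit
    }
    END { exit ok ? 0 : 1 }'
}

# Constructed sample output (not real captures) exercising both checks.
SSH_G_SAMPLE='gssapiauthentication yes
gssapidelegatecredentials no
hostname hostname.domainname.com'

KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@REALM.COM

Valid starting     Expires            Service principal
05/11/05 22:00:00  05/12/05 08:00:00  krbtgt/REALM.COM@REALM.COM
        renew until 05/18/05 22:00:00, Flags: FRIA'

# Live use: feed real tool output instead of the constructed samples, e.g.
#   delegation_enabled_in "$(ssh -G hostname.domainname.com)"
#   tgt_forwardable_in "$(klist -f)"
delegation_enabled_in "$SSH_G_SAMPLE" && echo "delegation: on" \
  || echo "delegation: off (the default), TGT will not be forwarded"
tgt_forwardable_in "$KLIST_SAMPLE" && echo "TGT: forwardable" \
  || echo "TGT: not forwardable, kinit -f or set forwardable = true"
```

With the sample above the script reports delegation off and a forwardable TGT, which matches the symptom in the thread: authentication succeeds, but `klist` on the server shows nothing.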