Re: GSSAPI/Kerberos functionality in OpenSSH



Jimmy,

I have done this and did not have to use any special patches. You
will need to get a version of OpenSSH that supports Kerberos 5 and
GSSAPI (the latest ones do).

I would also recommend going through Microsoft Identity management
articles on their website. The main one is here:

http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx

If you drill down a little deeper through the article, you will find
complete step-by-step instructions on how to export the keytab from
the DC to the *nix machines and more.

http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P3Intran_4.mspx

It is an excellent article and should answer most of your questions.
If not, feel free to email me.

-Sam

On 2/3/06, Jimmy Stewpot <squid@xxxxxxxxxx> wrote:
Hello,

I have been investigating a method in which I can set up key-based
authentication using Kerberos to a Microsoft Active Directory setup. The
requirement is so that we can leverage existing infrastructure to
centralise everything.

The patches I have been looking at are as follows:

http://www.sxw.org.uk/computing/patches/openssh.html

The problem that I have is I am unable to find any documentation as to
how the key is stored in the LDAP? Does anyone know of any additional
documentation or any how-tos for that type of setup?

Also are there any caveats that I could potentially need to know about?

Regards,

Jimmy.