Re: gssapi-with-mic and a Windows AD KDC
- From: "Sam Evans" <wintrmte@xxxxxxxxx>
- Date: Tue, 14 Mar 2006 08:51:18 -0700
On 3/14/06, Ian Grant <ian.grant@xxxxxxxxxxxx> wrote:
Hi Sam,
Thanks.
On 14 Mar 2006, at 15:25, Sam Evans wrote:
So you can do gssapi-with-mic with a Windows 2003 KDC? What version
of OpenSSH do you use?
Yes. The windows machines in my environment are able to use a
kerberized version of Putty to log into the unix machines by accepting
the kerberos ticket issued to them by the DC.
Additionally, Unix machines are able to grab a krb5 ticket from the DC
and then SSO authentication works from machine to machine.
I am using OpenSSH 4.2p1 as well as 4.3p2.
On your KTPASS.EXE command line, add the following switch: -crypto
DES-CBC-MD5
That's what I had before, and it didn't work, so I mailed this list.
I was advised to try DES-CBC-CRC instead.
Hmm, like I said, I read somewhere that 2K3 didn't support CRC mode,
but it may have been wrong.
In addition I'm using NFS v4 with krb5 authentication so I have a
restricted set of available enctypes: The NFS stuff needs it to be
either des-cbc-crc or des-cbc-md5 so I have to have something like
this in krb5.conf
Okay, you can also specify des-cbc-md5 in addition to what you have
there in the krb5.conf file. I think by specifying only crc in your
.conf file, kerberos will only use it and nothing else.
i.e.:
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5
Thanks for the pointer. I'll have a look.
No problem. It took me a while to get everything working, but once it
does, it really is very nice.
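
The enctype mismatch discussed in this message can be checked mechanically. The following is an added example, not part of the original post or of any Kerberos tooling: it reads the three enctype settings from the [libdefaults] section of a krb5.conf and reports which of them leave out the enctype given to KTPASS.EXE with -crypto. The function names, the realm and both sample files are constructed for illustration; only the three md5-and-crc lines come from the message.

```python
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_enctypes(conf_text):
    """Return {setting: [enctypes]} for the enctype lines in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Lists may be space- or comma-separated; compare names in lower case.
            found[key] = value.replace(",", " ").lower().split()
    return found

def settings_excluding(keytab_enctype, conf_text):
    """Settings that are present but do not list the keytab's enctype."""
    wanted = keytab_enctype.lower()
    settings = parse_enctypes(conf_text)
    return [k for k in ENCTYPE_KEYS if k in settings and wanted not in settings[k]]

# Constructed sample: a krb5.conf restricted to crc only (hypothetical realm).
CRC_ONLY = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    permitted_enctypes = des-cbc-crc
"""

# The three lines suggested in the message, inside a constructed [libdefaults].
CRC_AND_MD5 = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for name, conf in (("crc only", CRC_ONLY), ("crc + md5", CRC_AND_MD5)):
        bad = settings_excluding("DES-CBC-MD5", conf)
        print(name + ":", "excluded by " + ", ".join(bad) if bad else "DES-CBC-MD5 allowed")
```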