Kerberos And Openssh 3.8p1 single sign-on

From: Sonny Zambrana (sonnyjz_at_isc.upenn.edu)
Date: 04/14/04

• Next message: Darren Tucker: "Re: how to turn on scp compatibility mode ?"
• Previous message: Paul Hink: "Re: How can I share my public key?"
• Next in thread: Darren Tucker: "Re: Kerberos And Openssh 3.8p1 single sign-on"
• Reply: Darren Tucker: "Re: Kerberos And Openssh 3.8p1 single sign-on"
• Reply: Darren Tucker: "Re: Kerberos And Openssh 3.8p1 single sign-on"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 13 Apr 2004 18:49:36 -0400

Hello,

I have been trying to get openssh to work with kerberos using single sign-on
(ticket forwarding) and have been unsuccesful at it. I have been able to
successfully compile openssh-3.8.1p1 and build it against kerberos libraries.
 I am able to use a kerberized telnet and ftp daemon and authenticate and use
single sign-on on the server without any problems. I am also able to use the
openssh implementation authorizing through kerberos.

Openssh does not allow me to use single-signon (ticket forwarding). I've
looked around and have seen patches by Simon, (no patches for 3.8.p1) all
over the place. I have also seen the dev newsgroup and believe that this
version should be able to allow single sign-on using ssh2. . I was
wondering if anyone could lead me in the proper direction to a howto or tell
me what I am doing wrong.

Finally if you don't mind, please take a look at my sshd configuration:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Thank you for taking the time to read through this.

• Next message: Darren Tucker: "Re: how to turn on scp compatibility mode ?"
• Previous message: Paul Hink: "Re: How can I share my public key?"
• Next in thread: Darren Tucker: "Re: Kerberos And Openssh 3.8p1 single sign-on"
• Reply: Darren Tucker: "Re: Kerberos And Openssh 3.8p1 single sign-on"
• Reply: Darren Tucker: "Re: Kerberos And Openssh 3.8p1 single sign-on"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Kerberos in modern-day enterprise/corporate network, howto ? ... There is a couple of recipes on the Internet on how to set up Kerberos, ... LDAP and DNS to get an authentication realm with single sign-on. ... (comp.protocols.kerberos) Re: Implementing a Kerberos application ... but a simple google search for "single sign-on kerberos" ... I am planning to use Java GSS API ... Some how I think, Windows 2000 Kerberos server ... (comp.protocols.kerberos) Re: Kerberos And Openssh 3.8p1 single sign-on ... >successfully compile openssh-3.8.1p1 and build it against kerberos libraries. ... >single sign-on on the server without any problems. ... >openssh implementation authorizing through kerberos. ... Good judgement comes with experience. ... (comp.security.ssh) Re: Kerberos And Openssh 3.8p1 single sign-on ... >(ticket forwarding) and have been unsuccesful at it. ... >successfully compile openssh-3.8.1p1 and build it against kerberos libraries. ... >single sign-on on the server without any problems. ... >openssh implementation authorizing through kerberos. ... (comp.security.ssh) Re: Cannot su to root from logged in user ... # rhosts authentication should not be used ... # Kerberos TGT Passing only works with the AFS kaserver ... > OpenSSH obeys more of the AIX security restrictions than it did ... > Did you compile openssh yourself or use a pre-built package? ... (comp.security.ssh)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint