Kerberos And Openssh 3.8p1 single sign-on

From: Sonny Zambrana (sonnyjz_at_isc.upenn.edu)
Date: 04/14/04


Date: Tue, 13 Apr 2004 18:49:36 -0400

Hello,

I have been trying to get openssh to work with kerberos using single sign-on
(ticket forwarding) and have been unsuccessful at it. I have been able to
successfully compile openssh-3.8.1p1 and build it against kerberos libraries.
I am able to use a kerberized telnet and ftp daemon and authenticate and use
single sign-on on the server without any problems. I am also able to use the
openssh implementation authorizing through kerberos.

Openssh does not allow me to use single sign-on (ticket forwarding). I've
looked around and have seen patches by Simon (no patches for 3.8.p1) all
over the place. I have also seen the dev newsgroup and believe that this
version should be able to allow single sign-on using ssh2. I was
wondering if anyone could lead me in the proper direction to a howto or tell
me what I am doing wrong.

Finally, if you don't mind, please take a look at my sshd configuration:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Thank you for taking the time to read through this.


