Re: Please! Kerberos ssh without password
From: Sensei (noone_at_nowhere.org)
Date: 08/30/04
- Next message: Sheldon T. Hall: "Re: Make sshd (Cygwin) bullet-proof?"
- Previous message: Richard E. Silverman: "Re: SFTP using a single use key."
- In reply to: Darren Tucker: "Re: Please! Kerberos ssh without password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 30 Aug 2004 17:42:53 +0200
Darren Tucker wrote:
> * Are you using Debian's openssh+krb packages?
Yes. But it's not particularly important: I can happily compile any
other version of openssh. Not afs or kerberos.
> * Which Kerberos library does Gentoo use?
All the standard kerberos 1.3 libraries, plain configure/make.
> * the Kerberos support in (vanilla) 3.6x is based on the old
> (non-standard, deprecated) kerberos-2@ssh.com protocol. The Kerberos
> support in 3.9 is based on GSSAPI. The two are not compatible.
We use openssh 3.9 --- or, I'd like to.
> * if the 3.6 version has Simon Wilkinson's GSSAPI patches, that is
> probably the old draft standard "gssapi" authentication. 3.9 uses the
> current draft standard "gssapi-with-mic". Those are not compatible
> either. Simon published a patch against 3.8x to allow interop, (but I
> don't know if that would apply to 3.9):
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107826289602763
This patch won't work on 3.9 :(
> * is PAM enabled on the client? If you log on to the client via OpenSSH
> 3.9 before logging in to the server and authenticate via PAM then you must
> use password authentication and not challenge-response, otherwise you
> won't get your credential cache created (check klist).
It's a clustering problem: it's mandatory to avoid keyboard
interactivity. So people from outside will authenticate over the server
and then go on any other machine without passwords. This is our aim.
> * for 3.9, if you want PAM to be able to pick up Kerberos creds supplied
> via gssapi-with-mic then you'll need a patch:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=109269695412939
I'll try this patch as soon as possible.
> * for a 3.9 server, if you're using Heimdal as your Kerberos library
> then you can enable KerberosGetAFSToken in sshd_config. MIT Kerberos
> doesn't have equivalent functionality for getting an AFS PAG (there was
> some talk about adding it as a separate library but AFAIK that hasn't
> happened yet).
Unfortunately, I use MIT KerberosV.
> You tried those on which machine in which combination? And what does
> "does not work" mean? Couldn't authenticate? Fell back to password
> authentication? Authenticated but couldn't get AFS token?
Both.
> Here's what I suggest:
> 1) Make sure both client and server support a common Kerberos auth method
> and enable it on both.
Using the same ssh version if I got it. This is another issue. Here's an
excerpt of the output of configure on debian stable (openssh 3.9,
--with-kerberos5 --with-pam)
checking for krb5-config... no
checking whether we are using Heimdal... no
checking for library containing dn_expand... (cached) none required
checking for gss_init_sec_context in -lgssapi... no
checking for gss_init_sec_context in -lgssapi_krb5... yes
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
configure: WARNING: Cannot find any suitable gss-api header - build may fail
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
checking for gssapi.h... (cached) no
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for gssapi_krb5.h... (cached) no
checking gssapi/gssapi_krb5.h usability... no
checking gssapi/gssapi_krb5.h presence... yes
configure: WARNING: gssapi/gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi/gssapi_krb5.h: check for missing prerequisite headers?
configure: WARNING: gssapi/gssapi_krb5.h: see the Autoconf documentation
configure: WARNING: gssapi/gssapi_krb5.h: section "Present But Cannot Be Compiled"
configure: WARNING: gssapi/gssapi_krb5.h: proceeding with the preprocessor's result
configure: WARNING: gssapi/gssapi_krb5.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
checking for gssapi/gssapi_krb5.h... yes
checking gssapi_generic.h usability... no
checking gssapi_generic.h presence... no
checking for gssapi_generic.h... no
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
checking for library containing k_hasafs... no
checking for library containing krb5_init_ets... none required
checking for xauth... no
checking for "/dev/ptc"... no
checking for nroff... /usr/bin/nroff
checking if the systems has expire shadow information... yes
checking for "/etc/default/login"... no
...
--
Sensei <mailto:senseiwa@tin.it>
The optimist says "Tomorrow is Sunday". The pessimist says "The day after tomorrow is Monday". (Gustave Flaubert)
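Darren's question ("couldn't authenticate, fell back to password, or authenticated without a token?") is answered by the client's `ssh -v` output. The helper below, an added example that is not part of this thread, sorts such a transcript into those outcomes using the messages OpenSSH and MIT Kerberos print in verbose mode; the three transcripts are constructed, not captures from the poster's cluster.

```shell
#!/bin/sh
# Added example, not from the thread: classify an `ssh -v` login transcript
# by outcome. Message texts are the ones OpenSSH (sshconnect2.c) and the MIT
# Kerberos credential-cache code print; the sample transcripts are constructed.

# Reads an `ssh -v` transcript on stdin and prints one classification word.
classify_gss_auth() {
    t=$(cat)
    case $t in
        *"Authentication succeeded (gssapi-with-mic)"*)
            echo gssapi-ok ;;
        *"No credentials cache found"*)
            echo no-ticket ;;           # run klist: the login did not create a ccache
        *"Next authentication method: gssapi-with-mic"*"Next authentication method: password"*)
            echo gssapi-failed-password-fallback ;;
        *"Next authentication method: gssapi-with-mic"*)
            echo gssapi-failed ;;       # GSSAPI attempted, nothing else tried
        *"Authentications that can continue:"*gssapi-with-mic*)
            echo client-did-not-try ;;  # server offers it; client has it disabled
        *)
            echo server-did-not-offer ;; # sshd built without GSSAPI or it is disabled
    esac
}

# Constructed transcripts (abridged `ssh -v` stderr).
SAMPLE_OK='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

SAMPLE_NOTICKET='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
debug1: Next authentication method: password'

SAMPLE_NOOFFER='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

# Demo run over the three samples.
for s in "$SAMPLE_OK" "$SAMPLE_NOTICKET" "$SAMPLE_NOOFFER"; do
    printf '%s\n' "$s" | classify_gss_auth
done
```

In the poster's setup, `no-ticket` is the PAM/challenge-response case Darren describes, and `server-did-not-offer` matches a server built from the configure run above, where the GSSAPI headers were not found.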