Interesting problem with OpenSSH v3.9p1, MIT Kerberos authenticating against Active Directory

From: Sam Evans (wintrmte_at_gmail.com)
Date: 02/10/05


Date: Thu, 10 Feb 2005 10:52:26 -0700

All:

I seem to have run into a road block getting my Linux machines to
authenticate against AD when coming in through OpenSSH.

First, let me start off by listing what my environment is:

Test Client:
* RHEL Linux
* MIT Kerberos v1.4
* OpenSSH v3.9p1 - Compiled using the following line:
./configure --with-tcp-wrappers --with-pam
--with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr
--sysconfdir=/etc/ssh

Active Directory:
* Windows 2003

Scenario 1:

If I use my local account and password, I can get into the machine OK.
I know that OpenSSH is functioning properly. At this point, if I do a
'kinit' I can successfully authenticate myself against AD and obtain my
Kerberos5 ticket.

Scenario 2:

If I change my account information to require that authentication take
place using Kerberos, then I get the following error from the ssh daemon:

debug1: Kerberos password authentication failed: ASN.1 encoding ended
unexpectedly

-- What I have been able to determine at this point is that if I remove
my userid from the multitude of groups that it belongs to in AD, then I
*can* successfully authenticate myself when I come in through OpenSSH,
using Kerberos.

-- If I place myself back into the same groups, I cannot authenticate
myself and get the above error.

In doing some reading, it appears as if I need to force TCP usage in the
MIT Kerberos, which I have done. Everything still works when I do
'kinit' but nothing has changed in regards to OpenSSH authentication
ability.

Anyone have any thoughts or suggestions?

Thanks,
Sam
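As an added illustration (not part of Sam's post, and not a confirmed fix for his setup), this is the krb5.conf setting that forces MIT Kerberos to send KDC requests over TCP. It is the usual remedy when a user with many AD group memberships receives a ticket whose PAC is too large for a UDP reply, since a truncated reply cannot be decoded. Realm and host names are placeholders.

```ini
# /etc/krb5.conf -- added example, not from the original post.
# EXAMPLE.COM and dc1.example.com are placeholder names.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Send any request larger than 1 byte over TCP, i.e. always use TCP.
    # Large AD tickets (many group SIDs in the PAC) can exceed what a
    # UDP reply carries, and a truncated reply fails ASN.1 decoding.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

One check worth making when kinit honours this setting but sshd does not: confirm that sshd is linked against the same MIT Kerberos library that kinit uses (for example with `ldd /usr/sbin/sshd | grep krb5`), since a build against a different prefix, such as the --with-kerberos5=/usr/kerberos given above, may read a different krb5.conf or ignore options the installed library does not know.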


