Re: OpenSSH, Telnet, Windows Authentication and double-hops

> We're looking for a solution to create a secure single sign-on
> deployment on a Windows network. The chain of connections looks like
> this:
>
> Client: Telnets through SSH Tunnel to -->

Does this mean that you are setting SSH port forwarding (e.g. with ssh -L)
and using telnet through that (that's what "tunnel" usually means), or
that you are actually logging into Server1 via SSH? Sometimes people use
"telnet" as a generic word referring to any kind of remote login (which it
isn't). I'm assuming the latter, because otherwise your description
doesn't make sense to me.

> Server1: that runs our application locally and connects to --->
> Server2: that serves up the database using SQL Server

> We're hitting an issue when we reach the SQL Server machine. Logging
> in to SQL Server, the network has deprecated our logon down to 'NT
> AUTHORITY\ANONYMOUS LOGON'. The database kicks us out.
>
> We've learned that this is commonly referred to as the "double-hop"
> issue and is well known with web development. There are mechanisms in
> IIS to set up delegation and impersonation and caching etc, to get
> past this.

> We want to continue using public/private key authentication for the
> SSH.

You will not be able to, at least not alone. SSH publickey authentication
does not provide the other side with either a Kerberos ticket, or your
password in order to acquire one. You need GSSAPI/Kerberos authentication
with ticket forwarding ("delegation").

> We've tried the -A switch when starting up the SSH tunnel to
> no avail.

This has to do with forwarding the OpenSSH key agent, which has nothing to
do with Kerberos tickets.

> Is there anything that SSH can offer us so that we can maintain the
> authentication ticket over the second hop?

You mean, maintain it over the first hop so it's available for the second.
You haven't said what SSH implementation you are using. Some provide
integration with Windows Kerberos (SSPI) and can do this for you,
e.g. Tectia from ssh.com and VShell from VanDyke. You *might* get it to
work with OpenSSH/Cygwin. I have compiled OpenSSH on Windows with
Kerberos support and had it work; however, the ccache is an MIT one and
has nothing to do with the Windows ccache. The MIT KfW system does
integrate with SSPI; however, I don't know if there's a way to hook
OpenSSH into it.

--
Richard Silverman
res@xxxxxxxx
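An added example, not part of the thread, of the OpenSSH client and Server1 settings that request GSSAPI/Kerberos authentication with ticket delegation instead of the -A switch; the host alias, host name and user name are placeholders.

```sshconfig
# ~/.ssh/config on the client (OpenSSH built with Kerberos/GSSAPI support)
Host server1
    HostName server1.example.com      # placeholder
    User jm                           # placeholder
    # Publickey authentication hands Server1 neither a Kerberos ticket
    # nor a password to obtain one, so the second hop arrives anonymous.
    # Authenticate with the client's Kerberos TGT instead ...
    GSSAPIAuthentication yes
    # ... and forward (delegate) that TGT so Server1 can authenticate
    # to Server2 as the user. The client's own TGT must be forwardable
    # for this to work.
    GSSAPIDelegateCredentials yes
    # The -A switch sets ForwardAgent; it forwards only the ssh-agent
    # socket for SSH keys and carries no Kerberos tickets.
    ForwardAgent no

# /etc/ssh/sshd_config on Server1 (OpenSSH with Kerberos/GSSAPI support)
GSSAPIAuthentication yes
# Remove the forwarded credential cache when the session ends.
GSSAPICleanupCredentials yes
```

After logging in, `klist -f` on Server1 should list a forwarded TGT for the user; as the reply notes, with OpenSSH/Cygwin that ticket sits in an MIT credential cache, which SSPI-based software such as SQL Server on Windows does not read.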
