Re: Backk to the single sign-on problem with Active Directory and RHEL 5
- From: "Richard E. Silverman" <res@xxxxxxxx>
- Date: Wed, 20 Feb 2008 16:31:47 -0500
> On Feb 15, 6:34 pm, "Richard E. Silverman" <r...@xxxxxxxx> wrote:
> [ previous post excluded ]
>
> > Hi Nico,
> >
> > There are two places where SSH may be kerberized: server and client
> > authentication. Vanilla OpenSSH supports only the latter. There is a
> > patch for adding the former:
> >
> > http://www.sxw.org.uk/computing/patches/openssh.html
> >
> > Some distros add this support to their OpenSSH builds, e.g. Debian. I
> > don't know about RHEL.
>
> It's clearly not in RHEL 5's SRPMs.
>
> > On the server side, do this to see that the necessary host keys are in
> > place:
> >
> > sequoia:~# klist -ek /etc/krb5.keytab
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    4 host/sequoia.oankali....@xxxxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
> >    4 host/sequoia.oankali....@xxxxxxxxxxx (DES cbc mode with CRC-32)
> >    4 host/sequoia.oankali....@xxxxxxxxxxx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >    4 host/sequoia.oankali....@xxxxxxxxxxx (ArcFour with HMAC/md5)
>
> Right. This looks good. Should I be using the Winbind authentication
> and user management for this? Or just the Kerberos user
> authentication, as managed by the RHEL tools "authconfig-tui"?

I'm not familiar with those; when joining a Unix machine to an AD realm,
I've always just used ktpass.exe to extract a keytab.

> The /etc/krb5.conf from RHEL has a bunch of settings for "EXAMPLE.COM",
> even after running the configuration tool. I think those can and
> should be removed.

Sure.

> > sshd expects its service principal to be the standard "host" principal,
> > "host/<fqdn>@REALM" (this is not configurable); this shows four keys
> > present for that principal, of various types. In your case, there will
> > probably be just one DES key.
> >
> > In Quest PuTTY, there are a few options bearing on Kerberos:
> >
> > * Connection / SSH / Kex: "Enable GSSAPI algorithms"
> >   This turns on kerberized key exchange (server authentication).
> >
> > * Connection / SSH / GSSAPI
> >   - Attempt GSSAPI auth (SSH-2)
> >     o try kerberized userauth
> >   - Server determines username from credentials
> >     o not sure what this does
>
> I think this pulls your credentials from your Windows domain login,
> which is quite commonly available for an Active Directory registered
> Windows host. This is actually consistent with what I want. There's
> some potential for conflict there, because Windows seems to list the
> keys as "DOMAIN\username", and your smb.conf needs to be set correctly
> to allow you to use the more sensible "username" or "DOMAIN_username"
> formats.
>
> >   - Delegate credentials
> >     o Forward TGT across connection. In your setup, this will only work
> >       if you've marked the server as safe for delegation in AD.
>
> Cool. In the current environment, I'd be happy to forward my
> authentication through the connection, to ease other Kerberized
> services from my active logins on the Linux box.
>
> >   - Trust DNS
> >     o Use the DNS to canonicalize the hostname when constructing the
> >       service principal name. This is convenient since you can then use
> >       short hostnames in PuTTY, but it is less secure.
> >   - Service principal name (Kerberos)
> >     o Specify the server principal name manually, in case automatic
> >       determination is not working for some reason.
> >
> > For debugging, I find it easier to use plink -v rather than the PuTTY GUI.
> > Another useful tool is klist.exe, a Microsoft utility that allows you to
> > view the SSPI ticket cache, and delete tickets.
>
> Do you know of where a working version is for Windows XP? I'm seeing
> lots of references to Windows 2003 versions of the tool.
--
Richard Silverman
res@xxxxxxxx
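As an added example that is not part of the thread: a small Python check that parses `klist -ek` output like the listing quoted above, confirms that the "host/<fqdn>@REALM" entry sshd insists on is actually present (principal names are case-sensitive, so a near miss is reported rather than accepted), and flags a keytab whose only keys are single DES or RC4. The hostname sequoia.example.org, the realm EXAMPLE.ORG and the sample listing are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Enctypes (as printed by MIT klist) that should no longer be a service key's only material.
WEAK_ENCTYPE_PREFIXES = ("DES cbc", "ArcFour")

class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str

# One entry line of `klist -ek`, e.g. "4 host/sequoia.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist_ek(output: str) -> List[KeytabEntry]:
    """Parse the text of `klist -ek /etc/krb5.keytab`; header lines do not match and are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def check_sshd_principal(entries: List[KeytabEntry], fqdn: str, realm: str) -> Dict[str, object]:
    """Report whether the keytab holds the host/<fqdn>@REALM key that sshd insists on."""
    wanted = f"host/{fqdn}@{realm}"
    exact = [e for e in entries if e.principal == wanted]
    # Principal names are case-sensitive, so an upper-case hostname/realm is a near miss sshd won't use.
    near = sorted({e.principal for e in entries
                   if e.principal.lower() == wanted.lower() and e.principal != wanted})
    enctypes = [e.enctype for e in exact]
    weak = [t for t in enctypes if t.startswith(WEAK_ENCTYPE_PREFIXES)]
    return {
        "principal": wanted,
        "present": bool(exact),
        "kvnos": sorted({e.kvno for e in exact}),
        "enctypes": enctypes,
        "weak_only": bool(exact) and len(weak) == len(enctypes),
        "case_mismatch": near,
    }

# Constructed sample modelled on the listing in the post (sequoia.example.org is made up).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   4 host/sequoia.example.org@EXAMPLE.ORG (Triple DES cbc mode with HMAC/sha1)
   4 host/sequoia.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
   4 host/sequoia.example.org@EXAMPLE.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 host/sequoia.example.org@EXAMPLE.ORG (ArcFour with HMAC/md5)
"""
```

Run `check_sshd_principal(parse_klist_ek(SAMPLE_KLIST), "sequoia.example.org", "EXAMPLE.ORG")` to see the report; a keytab produced by ktpass.exe with a single DES key comes back with `weak_only` set.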