Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Users
openssh + kerberos + windows ad
marcello.mezzanotti at gmail
Jan 4, 2010, 8:13 AM
Post #1 of 8 (7309 views)
Permalink
Hi all,

Im trying to do kind of SSO, basically, i want to ssh a remote linux
machine, using openssh/putty (what version), without password prompt,
just with kerberos ticket.

I have the following scenario:

Windows Server 2003 R2 (with Unix Services installed), its the DC of my domain
Linux OpenSUSE 11.2, i configured it to do krb5/ldap autenticantion
against my DC, its working fine, i can login remotely and localy with
my AD credentials and its working fine, as you can see bellow:

login as: mmezzanotti
Using keyboard-interactive authentication.
Password:
Last login: Wed Dec 30 14:00:19 2009 from localhost
Have a lot of fun...
mmezzanotti@os112:~> ls
bin Documents Music Public Templates
Desktop Download Pictures public_html Videos
mmezzanotti@os112:~> klist
Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
Default principal: mmezzanotti@VMWARELAB.INT

Valid starting Expires Service principal
01/04/10 13:58:36 01/04/10 23:58:37 krbtgt/VMWARELAB.INT@VMWARELAB.INT
renew until 01/05/10 13:58:36
mmezzanotti@os112:~>


this linux machine in on my AD domain and i have a valid krb ticket.

im trying to use ssh to connect to this server, but i want to use my
krb ticket, not type password.

i have enabled gss api options in my sshd.config.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


restarted opensshd but it doesnt work:

mmezzanotti@os112:~> ssh -vvv mmezzanotti@os112.vmwarelab.int
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22.
debug1: Connection established.
debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1
debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key.
debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3
debug2: bits set: 512/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil))
debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa
debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa
debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Received disconnect from 192.168.86.14: 2: Too many authentication
failures for mmezzanotti


bellow the lines about gssapi auth:

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method

anyone could help me?

another question, i downloaded a lot of patched putty clients with
gssapi support (to use on windows machines), what is the correct one?

thank you,
Marcello

--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Re: openssh + kerberos + windows ad [ In reply to ]
marcello.mezzanotti at gmail
Jan 4, 2010, 9:18 AM
Post #2 of 8 (7165 views)
Permalink
Hans,

Thaks for your help, my sshd_config options match yours, sshd_config
doesnt recognises GSSAPIKeyExchange and GSSAPITrustDNS options.

I continue to receive the "we sent a gssapi-with-mic packet, wait for
reply" DEBUG message and the ssh tries password auth.

i saw something related to krb5.keytab, do you know something about this file?

thank you,
marcello



On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst <hans@woefdram.nl> wrote:
> Hi Marcello,
>
> A while ago I created the same construction that you want: ssh to a Linux
> machine and login automatically with Kerberos. My KDC also is a Windows 2003
> box with UNIX Services installed. It's been a while, and I don't remember a
> lot of details. I remember it did take quit a bit of work though :)
>
> In the logs you sent, I can't really find anything, but it "feels" like an
> incomplete SSH daemon configuration.
>
> In my sshd-config there are also these lines:
>
> PasswordAuthentication no
> KerberosAuthentication yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> On my client machine, I configured /etc/ssh/ssh_config with:
>
> GSSAPIKeyExchange yes
> GSSAPITrustDNS yes
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> I hope this will help you a bit. If not, please post the configuration of
> both the ssh-server and the ssh-client and I'll have a closer look.
>
> Kind regards,
>
> Hans
>
>


--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Re: openssh + kerberos + windows ad [ In reply to ]
marcello.mezzanotti at gmail
Jan 4, 2010, 10:17 AM
Post #3 of 8 (7140 views)
Permalink
I just did :)

the problem was the keytab, i created using linux command "net ads
keytab create",

i tested both linux ssh client and putty
(PuTTY-0.58-GSSAPI-2005-07-24, i tested with another patched putty
client, worked, but it didnt created/forwared my ticket) and all
worked fine.

Is "Kerberos for Windows" necessary for Windows/Putty?

Thank you all for help.

Thank you,
Marcello

--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Re: openssh + kerberos + windows ad [ In reply to ]
ras at anzio
Jan 4, 2010, 3:18 PM
Post #4 of 8 (7137 views)
Permalink
I am attempting the same thing myself, almost. Please provide as many
details as you can.

My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
to use Windows PuTTY to log in to a Linux box that is running OpenSSH.

I also am running WireShark (formerly Ethereal) to monitor the network, so
I can see Kerberos transactions - those that work and those that fail.

The PuTTY I am trying is, I think, an unreleased version from the official
website. It has calls to GSSAPI.

At this point I get messages about an illegal flag being set. I see these
in WireShark.

I'd appreciate any help.

On Mon, 4 Jan 2010, Marcello Mezzanotti wrote:

> I just did :)
>
> the problem was the keytab, i created using linux command "net ads
> keytab create",
>
> i tested both linux ssh client and putty
> (PuTTY-0.58-GSSAPI-2005-07-24, i tested with another patched putty
> client, worked, but it didnt created/forwared my ticket) and all
> worked fine.
>
> Is "Kerberos for Windows" necessary for Windows/Putty?
>
> Thank you all for help.
>
> Thank you,
> Marcello
>
> --
> Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
> http://blogdomarcello.wordpress.com
> Information Security
> UNIX / Linux / *BSD
>
>

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@anzio.com
company e-mail: rsi@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA
Re: openssh + kerberos + windows ad [ In reply to ]
marcello.mezzanotti at gmail
Jan 6, 2010, 5:05 AM
Post #5 of 8 (7129 views)
Permalink
Bob,

What exactly you want to know? :)



On Mon, Jan 4, 2010 at 9:18 PM, Bob Rasmussen <ras@anzio.com> wrote:
> I am attempting the same thing myself, almost. Please provide as many
> details as you can.
>
> My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
> to use Windows PuTTY to log in to a Linux box that is running OpenSSH.
>
> I also am running WireShark (formerly Ethereal) to monitor the network, so
> I can see Kerberos transactions - those that work and those that fail.
>
> The PuTTY I am trying is, I think, an unreleased version from the official
> website. It has calls to GSSAPI.
>
> At this point I get messages about an illegal flag being set. I see these
> in WireShark.
>
> I'd appreciate any help.
>
> On Mon, 4 Jan 2010, Marcello Mezzanotti wrote:
>
>> I just did :)
>>
>> the problem was the keytab, i created using linux command "net ads
>> keytab create",
>>
>> i tested both linux ssh client and putty
>> (PuTTY-0.58-GSSAPI-2005-07-24, i tested with another patched putty
>> client, worked, but it didnt created/forwared my ticket) and all
>> worked fine.
>>
>> Is "Kerberos for Windows" necessary for Windows/Putty?
>>
>> Thank you all for help.
>>
>> Thank you,
>> Marcello
>>
>> --
>> Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
>> http://blogdomarcello.wordpress.com
>> Information Security
>> UNIX / Linux / *BSD
>>
>>
>
> Regards,
> ....Bob Rasmussen,   President,   Rasmussen Software, Inc.
>
> personal e-mail: ras@anzio.com
>  company e-mail: rsi@anzio.com
>          voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
>            fax: (US) 503-624-0760
>            web: http://www.anzio.com
>  street address: Rasmussen Software, Inc.
>                 10240 SW Nimbus, Suite L9
>                 Portland, OR  97223  USA
>



--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Re: openssh + kerberos + windows ad [ In reply to ]
ras at anzio
Jan 6, 2010, 6:30 AM
Post #6 of 8 (7135 views)
Permalink
On Wed, 6 Jan 2010, Marcello Mezzanotti wrote:

> Bob,
>
> What exactly you want to know? :)

1) What version(s) of PuTTY work in your environment? Did you try the
developer's build from the official PuTTY site?

2) Did you have to create a keytab file on the AD server, and transfer it
to the SSH server? How exactly did you do this?

3) Did you find online documents that were especially helpful? What were
they?

Thanks.

>
>
>
> On Mon, Jan 4, 2010 at 9:18 PM, Bob Rasmussen <ras@anzio.com> wrote:
> > I am attempting the same thing myself, almost. Please provide as many
> > details as you can.
> >
> > My AD server is a 2008 Server box, my client is a Windows 2000 box, trying
> > to use Windows PuTTY to log in to a Linux box that is running OpenSSH.
> >
> > I also am running WireShark (formerly Ethereal) to monitor the network, so
> > I can see Kerberos transactions - those that work and those that fail.
> >
> > The PuTTY I am trying is, I think, an unreleased version from the official
> > website. It has calls to GSSAPI.
> >
> > At this point I get messages about an illegal flag being set. I see these
> > in WireShark.
> >
> > I'd appreciate any help.
> >
> > On Mon, 4 Jan 2010, Marcello Mezzanotti wrote:
> >
> >> I just did :)
> >>
> >> the problem was the keytab, i created using linux command "net ads
> >> keytab create",
> >>
> >> i tested both linux ssh client and putty
> >> (PuTTY-0.58-GSSAPI-2005-07-24, i tested with another patched putty
> >> client, worked, but it didnt created/forwared my ticket) and all
> >> worked fine.
> >>
> >> Is "Kerberos for Windows" necessary for Windows/Putty?
> >>
> >> Thank you all for help.
> >>
> >> Thank you,
> >> Marcello
> >>
> >> --
> >> Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
> >> http://blogdomarcello.wordpress.com
> >> Information Security
> >> UNIX / Linux / *BSD
> >>
> >>
> >
> > Regards,
> > ....Bob Rasmussen,   President,   Rasmussen Software, Inc.
> >
> > personal e-mail: ras@anzio.com
> >  company e-mail: rsi@anzio.com
> >          voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
> >            fax: (US) 503-624-0760
> >            web: http://www.anzio.com
> >  street address: Rasmussen Software, Inc.
> >                 10240 SW Nimbus, Suite L9
> >                 Portland, OR  97223  USA
> >
>
>
>
> --
> Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
> http://blogdomarcello.wordpress.com
> Information Security
> UNIX / Linux / *BSD
>
>

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@anzio.com
company e-mail: rsi@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA
Re: openssh + kerberos + windows ad [ In reply to ]
marcello.mezzanotti at gmail
Jan 6, 2010, 10:27 AM
Post #7 of 8 (7105 views)
Permalink
Bob,

On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen <ras@anzio.com> wrote:
> On Wed, 6 Jan 2010, Marcello Mezzanotti wrote:
>
>> Bob,
>>
>> What exactly you want to know? :)
>
> 1) What version(s) of PuTTY work in your environment? Did you try the
> developer's build from the official PuTTY site?

http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip

i tested another clients that worked too, but this is the only one
that i got tickets (klist on linux). i didnt have time to test other
krb5.conf options.

> 2) Did you have to create a keytab file on the AD server, and transfer it
> to the SSH server? How exactly did you do this?

i created the keytab file directly on linux, using net command.
after the linux joined th AD (net ads join) i typed "net ads keytab
create" and voi-la

> 3) Did you find online documents that were especially helpful? What were
> they?
>

no one especially, i find documents for specific functions like:

- join linux on windows domains (winbind, kerberos and ldap)
- smartcard linux logon (opensc, pam_pkcs11) - not related

i did a mix of solutions:

- basically i have my users on AD (w2k3 r2 server with Management for Unix)
- configured winbind to join windows domains
- configured ldap to nsswitch.conf and pam
- configured krb5 to pam

and then configured ssh+krb5 to SSO (the putty stuff)

--
Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
http://blogdomarcello.wordpress.com
Information Security
UNIX / Linux / *BSD
Re: openssh + kerberos + windows ad [ In reply to ]
jakrainer at yahoo
Jan 28, 2010, 6:52 AM
Post #8 of 8 (6858 views)
Permalink
Hello there,
Quest provides a PUTTY version with GSSAPI enabled:
http://rc.quest.com/topics/putty/
It works fine.

Regards,

Jackson


--- Em qua, 6/1/10, Bob Rasmussen <ras@anzio.com> escreveu:

> De: Bob Rasmussen <ras@anzio.com>
> Assunto: Re: openssh + kerberos + windows ad
> Para: "Marcello Mezzanotti" <marcello.mezzanotti@gmail.com>
> Cc: kerberos@mit.edu, secureshell@securityfocus.com, secureshell-return-10634@securityfocus.com
> Data: Quarta-feira, 6 de Janeiro de 2010, 6:30
> On Wed, 6 Jan 2010, Marcello
> Mezzanotti wrote:
>
> > Bob,
> >
> > What exactly you want to know? :)
>
> 1) What version(s) of PuTTY work in your environment? Did
> you try the
> developer's build from the official PuTTY site?
>
> 2) Did you have to create a keytab file on the AD server,
> and transfer it
> to the SSH server? How exactly did you do this?
>
> 3) Did you find online documents that were especially
> helpful? What were
> they?
>
> Thanks.
>
> >
> >
> >
> > On Mon, Jan 4, 2010 at 9:18 PM, Bob Rasmussen <ras@anzio.com>
> wrote:
> > > I am attempting the same thing myself, almost.
> Please provide as many
> > > details as you can.
> > >
> > > My AD server is a 2008 Server box, my client is a
> Windows 2000 box, trying
> > > to use Windows PuTTY to log in to a Linux box
> that is running OpenSSH.
> > >
> > > I also am running WireShark (formerly Ethereal)
> to monitor the network, so
> > > I can see Kerberos transactions - those that work
> and those that fail.
> > >
> > > The PuTTY I am trying is, I think, an unreleased
> version from the official
> > > website. It has calls to GSSAPI.
> > >
> > > At this point I get messages about an illegal
> flag being set. I see these
> > > in WireShark.
> > >
> > > I'd appreciate any help.
> > >
> > > On Mon, 4 Jan 2010, Marcello Mezzanotti wrote:
> > >
> > >> I just did :)
> > >>
> > >> the problem was the keytab, i created using
> linux command "net ads
> > >> keytab create",
> > >>
> > >> i tested both linux ssh client and putty
> > >> (PuTTY-0.58-GSSAPI-2005-07-24, i tested with
> another patched putty
> > >> client, worked, but it didnt created/forwared
> my ticket) and all
> > >> worked fine.
> > >>
> > >> Is "Kerberos for Windows" necessary for
> Windows/Putty?
> > >>
> > >> Thank you all for help.
> > >>
> > >> Thank you,
> > >> Marcello
> > >>
> > >> --
> > >> Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
> > >> http://blogdomarcello.wordpress.com
> > >> Information Security
> > >> UNIX / Linux / *BSD
> > >>
> > >>
> > >
> > > Regards,
> > > ....Bob Rasmussen,   President,   Rasmussen
> Software, Inc.
> > >
> > > personal e-mail: ras@anzio.com
> > >  company e-mail: rsi@anzio.com
> > >          voice: (US) 503-624-0360 (9:00-6:00
> Pacific Time)
> > >            fax: (US) 503-624-0760
> > >            web: http://www.anzio.com
> > >  street address: Rasmussen Software, Inc.
> > >                 10240 SW Nimbus, Suite
> L9
> > >                 Portland, OR  97223
>  USA
> > >
> >
> >
> >
> > --
> > Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
> > http://blogdomarcello.wordpress.com
> > Information Security
> > UNIX / Linux / *BSD
> >
> >
>
> Regards,
> ....Bob
> Rasmussen,   President,   Rasmussen
> Software, Inc.
>
> personal e-mail: ras@anzio.com
> company e-mail: rsi@anzio.com
>           voice: (US) 503-624-0360
> (9:00-6:00 Pacific Time)
>             fax: (US)
> 503-624-0760
>             web: http://www.anzio.com
> street address: Rasmussen Software, Inc.
>              
>    10240 SW Nimbus, Suite L9
>              
>    Portland, OR  97223  USA


____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal