This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [ITP] heimdal


On 2012-03-19 04:40, Corinna Vinschen wrote:
On Mar 19 04:24, Yaakov (Cygwin/X) wrote:
On Mon, 2012-03-19 at 09:35 +0100, Corinna Vinschen wrote:
I already have a strange problem with the client.  I enabled
KerberosAuthentication and GSSAPIAuthentication on my Linux server,
which has a /etc/krb5.conf file for authentication against my Windows
domain (for Samba).

Logging in with my Kerberos password is no problem, but that doesn't
test the client at all, only the server.  So I tried kinit and then ssh
-K, which enables credential forwarding.  IIUC that means the password I
already entered via kinit should be forwarded to the server and I don't
have to enter a password, just as when using pubkey authentication.

However, that doesn't work at all.  If I run ssh -Kvvv, I see an error
message like this in the verbose output:

This combination (kinit name@HOST then ssh -K) worked for me when I tested heimdal way back when. I'll have to figure out how to set up a kerberos server so I can try it again (unless someone else has one we can test with?).

You could install the evaluation version of Windows Server 2008 R2 in a virtual machine:

http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx

and set it up as AD domain controller.

I think I figured this out with heimdal itself. I turned off other auths besides GSSAPI in sshd_config like so:

--- /etc/defaults/etc/sshd_config   2012-03-19 21:37:03.000000000 -0500
+++ /etc/sshd_config    2012-03-20 15:46:52.716885000 -0500
@@ -45,2 +45,2 @@
-#RSAAuthentication yes
-#PubkeyAuthentication yes
+RSAAuthentication no
+PubkeyAuthentication no
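Review bot: the `+PubkeyAuthentication no` line removes the only non-password fallback, and together with the later hunks that disable password and challenge-response authentication it leaves GSSAPI as the single way in; that is what this test needs, but on a host you cannot reach from a console, keep a second session open until the KDC, keytab and `kinit`/`ssh -K` round trip below have been confirmed to work. `RSAAuthentication` only governs SSH protocol 1, so that line has no effect on a protocol-2-only sshd.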
@@ -63 +63 @@
-#PasswordAuthentication yes
+PasswordAuthentication no
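Review bot: `PasswordAuthentication no` is the change that makes the final check below meaningful: with it in place, the `Permission denied (gssapi-with-mic)` seen after `kdestroy` shows the client is not quietly falling back to a password prompt, so a successful login really did come from the Kerberos ticket.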
@@ -67 +67 @@
-#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
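Review bot: `ChallengeResponseAuthentication no` also switches off keyboard-interactive authentication, so after this hunk no interactive method remains; that is intended here, but it is worth stating in the message, since readers copying the config for a production sshd will otherwise be surprised that password prompts disappear entirely.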
@@ -76 +76 @@
-#GSSAPIAuthentication no
+GSSAPIAuthentication yes
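Review bot: `GSSAPIAuthentication yes` on its own is not sufficient; sshd also needs the host principal's key in its keytab, which is what the `add --random-key host/yaakov04` and `ext host/yaakov04` steps below provide, and the name the client connects to must resolve to the hostname in that principal or the ticket will be for the wrong service. It would help to say in the message that `GSSAPICleanupCredentials` is left at its default of yes, so credentials forwarded with `ssh -K` are destroyed when the session ends.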

Then after (re)starting my krb5-enabled sshd, I did the following:

### should this be changed to /var/lib/heimdal ?
$ mkdir /var/heimdal

$ /usr/sbin/kstash --random-key
kstash: writing key to `/var/heimdal/m-key'

$ /usr/sbin/kadmin -l
kadmin> init YAAKOV04
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add Yaakov
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Yaakov@YAAKOV04's Password:
Verifying - Yaakov@YAAKOV04's Password:
kadmin> passwd Yaakov
Yaakov@YAAKOV04's Password:
Verifying - Yaakov@YAAKOV04's Password:
kadmin> add --random-key host/yaakov04
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/yaakov04
kadmin> q

$ /usr/sbin/kdc --detach

$ kinit
Yaakov@YAAKOV04's Password:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Yaakov@YAAKOV04

  Issued                Expires               Principal
Mar 20 15:50:33 2012  Mar 21 01:50:33 2012  krbtgt/YAAKOV04@YAAKOV04

$ ssh -Kv localhost
...
debug1: Authentication succeeded (gssapi-with-mic).
...
[login succeeds; after logging out:]

$ kdestroy

$ klist
klist: No ticket file: /tmp/krb5cc_1001

$ ssh -K localhost
Permission denied (gssapi-with-mic).


Yaakov
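The sshd_config edit above is the step most worth double-checking before a test run: a commented line only documents the default, a stray duplicate directive is silently ignored by sshd (the first occurrence wins), and turning every method off without turning GSSAPI on locks the host out. Below is an added example, not code from the thread or from the Cygwin or Heimdal projects, that computes the effective authentication methods from a flat sshd_config snippet using the defaults the commented lines in the diff show. It assumes no Match blocks; the three sample configs are constructed.

```python
"""Effective sshd authentication methods for a flat sshd_config snippet.

Added example for the cygwin-apps thread; not project code.  The defaults
below are the ones shown by the commented-out lines in the diff
(/etc/defaults/etc/sshd_config).  Assumes no Match blocks.
"""
import re

# OpenSSH defaults for the five directives changed in the diff.
DEFAULTS = {
    "RSAAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "GSSAPIAuthentication": "no",
}

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s+(\S+)")


def effective_auth(config_text):
    """Return {directive: 'yes'|'no'} after applying config_text over DEFAULTS.

    Blank and commented lines are skipped.  sshd keywords are case-insensitive
    and the first occurrence of a directive wins, so a later duplicate does
    not override an earlier setting.
    """
    state = dict(DEFAULTS)
    seen = set()
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _DIRECTIVE.match(stripped)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).lower()
        for known in DEFAULTS:
            if known.lower() == key and known not in seen:
                state[known] = value
                seen.add(known)
    return state


def enabled_methods(config_text):
    """Sorted list of directives that end up set to 'yes'."""
    return sorted(k for k, v in effective_auth(config_text).items() if v == "yes")


def check_gssapi_only(config_text):
    """Classify: 'gssapi-only', 'locked-out' (nothing enabled) or 'mixed'."""
    methods = enabled_methods(config_text)
    if not methods:
        return "locked-out"
    if methods == ["GSSAPIAuthentication"]:
        return "gssapi-only"
    return "mixed"


# Constructed sample: the stock defaults file, everything commented out.
BEFORE = """\
#RSAAuthentication yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#GSSAPIAuthentication no
"""

# Constructed sample: the state after the diff in the thread.
AFTER = """\
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
"""

# Constructed sample: everything disabled but GSSAPI never enabled.
LOCKOUT = """\
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("lockout", LOCKOUT)):
        print(name, check_gssapi_only(cfg), enabled_methods(cfg))
```

Run it against a real `/etc/sshd_config` by reading the file into `check_gssapi_only`; a result of `locked-out` means restarting sshd would leave no accepted method, and `mixed` means the `Permission denied (gssapi-with-mic)` check at the end of the thread would not prove anything, because another method could still accept the login.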


