[ITP] heimdal

Yaakov (Cygwin/X) yselkowitz@users.sourceforge.net
Tue Mar 20 20:54:00 GMT 2012


On 2012-03-19 04:40, Corinna Vinschen wrote:
> On Mar 19 04:24, Yaakov (Cygwin/X) wrote:
>> On Mon, 2012-03-19 at 09:35 +0100, Corinna Vinschen wrote:
>>> I already have a strange problem with the client.  I enabled
>>> KerberosAuthentication and GSSAPIAuthentication on my Linux server,
>>> which has a /etc/krb5.conf file for authentication against my Windows
>>> domain (for Samba).
>>>
>>> Logging in with my Kerberos password is no problem, but that doesn't
>>> test the client at all, only the server.  So I tried kinit and then ssh
>>> -K, which enables credential forwarding.  IIUC that means the password I
>>> already entered via kinit should be forwarded to the server and I don't
>>> have to enter a password, just as when using pubkey authentication.
>>>
>>> However, that doesn't work at all.  If I run ssh -Kvvv, I see an error
>>> message like this in the verbose output:
>>
>> This combination (kinit name@HOST then ssh -K) worked for me when I
>> tested heimdal way back when.  I'll have to figure out how to set up a
>> kerberos server so I can try it again (unless someone else has one we
>> can test with?).
>
> You could install the evaluation version of Windows Server 2008 R2 in
> a virtual machine:
>
> http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx
>
> and set it up as AD domain controller.

I think I figured this out with heimdal itself.  I turned off other
auths besides GSSAPI in sshd_config like so:

--- /etc/defaults/etc/sshd_config   2012-03-19 21:37:03.000000000 -0500
+++ /etc/sshd_config    2012-03-20 15:46:52.716885000 -0500
@@ -45,2 +45,2 @@
-#RSAAuthentication yes
-#PubkeyAuthentication yes
+RSAAuthentication no
+PubkeyAuthentication no
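Review bot: RSAAuthentication only governs SSH protocol 1, so of these two lines it is the PubkeyAuthentication change that actually removes key-based login for protocol 2 clients. For a one-off test it would be less invasive to leave the server's pubkey setting alone and run the client with `-o PubkeyAuthentication=no -o PreferredAuthentications=gssapi-with-mic`, which proves the same thing without weakening the daemon config.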
@@ -63 +63 @@
-#PasswordAuthentication yes
+PasswordAuthentication no
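Review bot: with password, challenge-response and pubkey all switched off, gssapi-with-mic is the only method sshd will offer, so any login without a valid TGT is refused outright (exactly what the `kdestroy` followed by `ssh -K localhost` at the end of the message shows). Keep an existing session open, or test against a second instance started with `sshd -f <testconfig> -p <port>`, so that a mistake in this file cannot lock you out of the host.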
@@ -67 +67 @@
-#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
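Review bot: this line is what makes the previous hunk effective rather than cosmetic: with ChallengeResponseAuthentication left at its default of yes, keyboard-interactive (via PAM where it is enabled) could still accept the Kerberos password, and a successful `ssh -K` would not prove that gssapi-with-mic did the work.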
@@ -76 +76 @@
-#GSSAPIAuthentication no
+GSSAPIAuthentication yes
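Review bot: enabling GSSAPIAuthentication is not sufficient on its own; sshd also needs the host service key in its keytab, which the `kadmin> ext host/yaakov04` step later in the message provides, and that principal must match the name the client resolves for the target host, so it is worth confirming that `localhost` canonicalises to `yaakov04` on the client side rather than relying on it. With `-K` the client also delegates its TGT to the server, so GSSAPICleanupCredentials (default yes) should be left at its default so forwarded tickets are removed at logout.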

Then after (re)starting my krb5-enabled sshd, I did the following:

### should this be changed to /var/lib/heimdal ?
$ mkdir /var/heimdal

$ /usr/sbin/kstash --random-key
kstash: writing key to `/var/heimdal/m-key'

$ /usr/sbin/kadmin -l
kadmin> init YAAKOV04
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add Yaakov
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Yaakov@YAAKOV04's Password:
Verifying - Yaakov@YAAKOV04's Password:
kadmin> passwd Yaakov
Yaakov@YAAKOV04's Password:
Verifying - Yaakov@YAAKOV04's Password:
kadmin> add --random-key host/yaakov04
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/yaakov04
kadmin> q

$ /usr/sbin/kdc --detach

$ kinit
Yaakov@YAAKOV04's Password:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: Yaakov@YAAKOV04

   Issued                Expires               Principal
Mar 20 15:50:33 2012  Mar 21 01:50:33 2012  krbtgt/YAAKOV04@YAAKOV04

$ ssh -Kv localhost
...
debug1: Authentication succeeded (gssapi-with-mic).
...
[login succeeds; after logging out:]

$ kdestroy

$ klist
klist: No ticket file: /tmp/krb5cc_1001

$ ssh -K localhost
Permission denied (gssapi-with-mic).


Yaakov
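As an added example that is not part of the post, the following script makes the check behind the sshd_config change above explicit: it reports which sshd authentication methods a config leaves enabled, treating the commented `#Keyword value` lines of the stock file as the defaults they document, so that only GSSAPI should remain after the patch. The functions `auth_setting` and `enabled_auth_methods` and the two constructed config files are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the post: list which sshd authentication methods
# a config leaves enabled, reading commented "#Keyword value" lines as the
# OpenSSH defaults they document. Assumes a flat config (no Match blocks).
# Constructed sample mirroring the post's sshd_config after the patch.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#UsePAM no
EOF
# Constructed sample mirroring the stock file before the patch.
DEFAULTS_CFG=$(mktemp)
cat > "$DEFAULTS_CFG" <<'EOF'
#RSAAuthentication yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#GSSAPIAuthentication no
EOF
trap 'rm -f "$SAMPLE_CFG" "$DEFAULTS_CFG"' EXIT

# auth_setting FILE KEYWORD: print the effective value. As in sshd, the
# first explicit directive wins; otherwise the commented default applies.
auth_setting() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = sub(/^#[ \t]*/, "", line)   # 1 if the line began with "#"
            n = split(line, f, /[ \t=]+/)
            if (n < 2 || tolower(f[1]) != kw) next
            if (!commented && !explicit) { explicit = 1; val = f[2] }
            else if (commented && dflt == "") dflt = f[2]
        }
        END { print (explicit ? val : (dflt != "" ? dflt : "unknown")) }
    ' "$1"
}

# enabled_auth_methods FILE: print one enabled keyword per line.
enabled_auth_methods() {
    for kw in RSAAuthentication PubkeyAuthentication PasswordAuthentication \
              ChallengeResponseAuthentication GSSAPIAuthentication; do
        case "$(auth_setting "$1" "$kw")" in yes) echo "$kw" ;; esac
    done
}
enabled_auth_methods "$SAMPLE_CFG"   # prints only GSSAPIAuthentication
```

Where sshd itself is available, `sshd -T` prints the effective configuration directly and is the authoritative check.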
