
OpenSSH, Kerberos, GSSAPI, and windows clients

Subject: OpenSSH, Kerberos, GSSAPI, and windows clients
Date: Tue, 28 Jun 2005 18:03:30 +0100
Hi,

I've been tasked with investigating the possibility of centralized
authentication for my company. I've looked at a number of options and
Kerberized SSH seems to fit the bill.

However, I'm having problems making everything work within a staging
environment.

I'm using my FreeBSD-5.4p2 desktop as a KDC, it's using the default
kerberos OS daemons (Heimdal), kdc, kpasswdd, kadmind.

I have a CentOS 3.4 and RedHat ES3 machine and a Windows 2000 box and
would like all clients to be able to talk to all servers (except Win2K).
On the Linux boxen I've recompiled from SRPM the OpenSSH package to use
the gssapi package as per the instructions at
http://itinfo.mit.edu/answer.php?id=7436.

My FreeBSD is happy to authenticate from itself to itself via its own KDC.
The Linux boxen are happy to authenticate with themselves and with each
other via the FreeBSD KDC.

However, I can't get my FreeBSD box to talk to the linuces and vice
versa. I believe the issue here is FreeBSD's OpenSSH (3.8.1p1) using
gssapi-with-mic and the Linux boxen running OpenSSH-3.6.1p2 with a
backport of Simon Wilkinson's gssapi patch (not gssapi-with-mic).

So, my first question is, is there any easy way to resolve this? I
would much rather use a stock-ish OpenSSH RPM than roll my own.

The Windows Kerberized PuTTY client works fine and will authenticate
with everyone, (so I know it can be done ;-). However I've just
downloaded WinSCP 375 beta which claims to have SSH2/MIT Kerberos V
support.

It will connect to my FreeBSD box (Heimdal) but not to the Linux boxen
(MIT). I can't get any kind of logging to find out where it's failing.

My second question is: Can anyone help with this? Perhaps this should go
to the WinSCP developers, so I apologise if this is the case in advance.
It's hard to find a mailing list that covers all the systems I'm using.

My third question is: Does anyone have a working network similar to the
above that I can mimic without going through the headaches myself?
Google has not been my friend :-(

Thanks in advance for any advice or help. There's a couple of beers in
it for anyone who lives or works in South London (UK)!!

Regards,

Richard Jones

-- 
Richard Jones
MSN: msn.co.uk@jonze.com
Y!M: rwkjones
http://www.jonze.com
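
An added example, not part of the original post: one way to check the method-name mismatch suspected above is to compare the GSSAPI userauth methods each sshd offers, as printed by `ssh -v`, with what the client implements. The log lines are constructed samples, and the method name `gssapi` for the pre-`gssapi-with-mic` patch is an assumption.

```shell
#!/bin/sh
# Constructed samples of the line a client prints under `ssh -v` once the
# server has listed the userauth methods it accepts. Host roles follow the post;
# the method name "gssapi" for the older patch is an assumption.
LOG_FREEBSD='debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive'
LOG_LINUX='debug1: Authentications that can continue: publickey,gssapi,password'

# offered_methods LOG -> one method per line, taken from the first matching line
offered_methods() {
    printf '%s\n' "$1" |
        sed -n 's/^debug1: Authentications that can continue: //p' |
        head -n 1 | tr ',' '\n'
}

# gss_methods LOG -> only the GSSAPI userauth methods, space separated
gss_methods() {
    offered_methods "$1" | grep -E '^gssapi(-with-mic)?$' | sort |
        tr '\n' ' ' | sed 's/ $//'
}

# common_gss CLIENT_METHODS LOG -> GSSAPI methods both sides share (may be empty)
common_gss() {
    for m in $1; do
        for s in $(gss_methods "$2"); do
            [ "$m" = "$s" ] && printf '%s\n' "$m"
        done
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# report LABEL CLIENT_METHODS LOG -> one human-readable verdict line
report() {
    c=$(common_gss "$2" "$3")
    if [ -n "$c" ]; then
        echo "$1: ok ($c)"
    else
        echo "$1: no shared GSSAPI method, client falls through to other methods"
    fi
}

report "3.8.1p1 client -> Linux sshd" "gssapi-with-mic" "$LOG_LINUX"
report "patched 3.6.1p2 client -> FreeBSD sshd" "gssapi" "$LOG_FREEBSD"
report "3.8.1p1 client -> FreeBSD sshd" "gssapi-with-mic" "$LOG_FREEBSD"
```

To use it against real hosts, capture `ssh -v user@host 2>&1` into a variable and pass that in place of the sample strings.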
