
Kerberos 5 authentication without password?

Subject: Kerberos 5 authentication without password?
Date: Mon, 22 May 2006 21:41:30 -0400
Hello all.

First a question whose answer may negate the rest of the
message:

Q: Is it possible to configure OpenSSH to allow a user
   coming from host X, with a valid TGT there, to login
   without being asked for a password... without using
   SSH's public key crypto for that password-less auth?

That is, I want OpenSSH authentication to be based on
the presence of a valid Kerberos 5 TGT incoming.  This
can be seen in action when using MIT Kerberos' telnet
-a -F and telnetd.

Assuming the answer to that is, "Yes, that is reasonable
and doable.", I am having one hell of a time getting it
to happen.

I have:

0.  A Kerberos 5 realm up and working fine.  It is a
    single testbed machine acting as KDC, application
    server, and client host to itself.

1.  OpenSSH 4.3p2 built successfully
        --with-ssl-dir=/export/home
        --with-kerberos5=/export/home/krb5
        --with-pam

2.  sshd from above functioning generally fine

3.  sshd_config with (varies...):

        LoginGraceTime 1m
        PermitRootLogin no
        StrictModes yes
        MaxAuthTries 6
        RSAAuthentication no
        PubkeyAuthentication no
        AuthorizedKeysFile      .ssh/authorized_keys
        RhostsRSAAuthentication no
        HostbasedAuthentication no
        IgnoreUserKnownHosts no
        IgnoreRhosts yes
        PasswordAuthentication no
        PermitEmptyPasswords no
        ChallengeResponseAuthentication no
        KerberosAuthentication yes
        KerberosOrLocalPasswd yes
        KerberosTicketCleanup yes
        GSSAPIAuthentication yes
        GSSAPIKeyExchange yes
        GSSAPICleanupCredentials yes
        UsePrivilegeSeparation yes
        Subsystem       sftp    /export/home/libexec/sftp-server

4.  A *recompiled* sshd which includes many calls to
    debug() in auth-krb5.c (it comes with ~1 debug() call
    as-is).

5.  sshd -d shows *zero* sign of *my* debug() calls being made
    after very necessary and simple krb5 init calls, but I do
    see "debug1: krb5_cleanup_proc called" when I exit my
    successful shell (requires password...).

6.  The only way I can get *any* form of connection right
    now with sshd is to set PasswordAuthentication to 'yes'
    (it says no above from when I was testing).  This at
    least asks me for a password, lets me in, and sets me
    up with my TGT in the new shell.

7.  I have tried all manner of sshd_config options I can
    think of that make any sense to me.
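
Added example, not part of the original post and not OpenSSH code: a small audit that maps the authentication keywords of an sshd_config to the SSH-2 userauth methods the server would offer, run on the authentication lines of the config in item 3. The defaults table and the function names are assumptions of this sketch (stock sshd_config defaults, no Match blocks).

```python
# Added example: which SSH-2 userauth methods would sshd offer for a config?
DEFAULTS = {  # assumption: stock sshd_config defaults, no Match blocks
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "hostbasedauthentication": "no",
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
}
METHODS = [  # (sshd_config keyword, SSH-2 method name)
    ("pubkeyauthentication", "publickey"),
    ("passwordauthentication", "password"),
    ("challengeresponseauthentication", "keyboard-interactive"),
    ("hostbasedauthentication", "hostbased"),
    ("gssapiauthentication", "gssapi-with-mic"),
]
# Constructed sample: the authentication lines from the post's sshd_config.
POSTED = """
PubkeyAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes
"""

def effective(text):
    """Keywords are case-insensitive and the first value seen wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **opts}

def offered_methods(text):
    opts = effective(text)
    return [name for key, name in METHODS if opts[key] == "yes"]

def findings(text):
    opts, methods, notes = effective(text), offered_methods(text), []
    if "gssapi-with-mic" not in methods:
        notes.append("no GSSAPI: an existing ticket cannot authenticate")
    if opts["kerberosauthentication"] == "yes" and "password" not in methods:
        notes.append("KerberosAuthentication only checks typed passwords "
                     "against the KDC; password auth is disabled")
    return notes

print(offered_methods(POSTED), findings(POSTED))
```

For the posted settings the only method left is gssapi-with-mic, so the client side must also have GSSAPIAuthentication enabled in ssh_config, where it defaults to no.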
