putty/winscp with gssapi/krb5 ticket forwarding


Lars Schimmer

Jan 25, 2007, 10:39:10 AM

Hi!

After some testing I got a few test PCs with Debian's "etch" system to do
ticket forwarding and obtain AFS tokens.
Now I want to use putty and winscp from windows to log in without a
password on those machines.
WinSCP can use gssapi login by default. But where do I have to put the
krb5.keytab generated for the windows machine? In which directory do I
have to put it?
And which "modified" putty should I use to use gssapi?

MfG,
Lars Schimmer
- --
- -------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Vladimir Terziev

Jan 25, 2007, 10:49:03 AM

Try this:

http://www.sweb.cz/v_t_m/#putty

Vladimir

Christopher D. Clausen

Jan 25, 2007, 11:15:38 AM
Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
> After some testing I got a few test PCs with Debian's "etch" system to do
> ticket forwarding and obtain AFS tokens.
> Now I want to use putty and winscp from windows to log in without a
> password on those machines.
> WinSCP can use gssapi login by default. But where do I have to put
> the krb5.keytab generated for the windows machine? In which directory
> do I have to put it?

Generally you don't want to use keytabs for users. You want to forward
the user's kerberos credentials in their ccache.

If your systems are on Windows AD, you might need to run ms2mit.exe
first and then try to forward credentials with GSSAPI apps that use MIT
Kerberos for Windows.

If you do need a keytab, you can put it anywhere, just kinit -kt
keytab.file principal@REALM before attempting to use it.

<<CDC

Douglas E. Engert

Jan 25, 2007, 2:50:58 PM

Vladimir Terziev wrote:
> Try this:
>
> http://www.sweb.cz/v_t_m/#putty

I agree, that is the good one.


>
> Vladimir
>
> On Thu, 25 Jan 2007 16:39:10 +0100
> Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
>
>> Hi!
>>
>> After some testing I got a few test PCs with Debian's "etch" system to do
>> ticket forwarding and obtain AFS tokens.
>> Now I want to use putty and winscp from windows to log in without a
>> password on those machines.
>> WinSCP can use gssapi login by default. But where do I have to put the
>> krb5.keytab generated for the windows machine? In which directory do I
>> have to put it?

The krb5.keytab file is only used by servers. Clients use the
user's ticket cache obtained when they log in to an AD domain, or
you can use some Kerberos package like the MIT KfW.

http://web.mit.edu/Kerberos/dist/index.html


>> And which "modified" putty should I use to use gssapi?

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Quanah Gibson-Mount

Jan 25, 2007, 3:05:05 PM
>>>>> "Douglas" == Douglas E Engert <deen...@anl.gov> writes:

Douglas> Vladimir Terziev wrote:
>> Try this:
>>
>> http://www.sweb.cz/v_t_m/#putty

Douglas> I agree, that is the good one.

Hm, I tried it today, and although it did do K5 ticket forwarding, it
is missing GSSAPI key exchange, which is what would be most useful to
me.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Edward Irvine at home

Jan 26, 2007, 12:41:25 AM
Hi Lars,

Lars Schimmer wrote:
> Hi!
>
> After some testing I got a few test PCs with Debian's "etch" system to do
> ticket forwarding and obtain AFS tokens.
> Now I want to use putty and winscp from windows to log in without a
> password on those machines.

See this link:

http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html

Lars Schimmer

Jan 26, 2007, 4:55:14 AM

Edward Irvine at home wrote:
> Hi Lars,
>
> Lars Schimmer wrote:
>> Hi!
>>
>> After some testing I got a few test PCs with Debian's "etch" system to do
>> ticket forwarding and obtain AFS tokens.
>> Now I want to use putty and winscp from windows to log in without a
>> password on those machines.
>
> See this link:
>
> http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html

Thanks for the link.
Maybe I don't get it right in my thoughts.
Setup here:
AD with 1 server and x clients
krb5 server on debian on extra machine
on each client MIT krb5 and OpenAFS 1.4.x on debian, 1.5.12 on windows
on windows clients: krb5 config with the krb5 server entry and "obtain
tokens for OpenAFS while login enabled"
so far no special entries for krb5 in AD.
I assume the user on windows obtains a token and a valid ticket from the
linux krb5 server while logging in (else the token wouldn't be valid).
So a valid ticket for the user is available in the cache.
In https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian I've
read to create a host/...@CGV... entry in my database for every PC and
extract that to a krb5.keytab (ank host/..@CGV.. - ktadd -k krb5.keytab
host/....@CGV... for every PC). That keytab I copied to /etc/krb5.keytab
on every PC and it works on debian.
Now I thought that was the way it should work on windows. But it seems
I was wrong.

So I need to create special user entries in the AD database. One entry
for all machines or one entry per linux pc?
Do I really have to create them in the AD as my krb5 doesn't interact
with the AD?

MfG,
Lars Schimmer

Christopher D. Clausen

Jan 26, 2007, 9:41:37 AM
Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
> Thanks for the link.
> Maybe I don't get it right in my thoughts.
> Setup here:
> AD with 1 server and x clients
> krb5 server on debian on extra machine

So you have an Active Directory domain that the Windows machines are on?

And a separate Kerberos Realm for the Linux machines?

Do you have a realm trust between these? B/c it's not likely to work if
you don't.

> on each client MIT krb5 and OpenAFS 1.4.x on debian, 1.5.12 on windows
> on windows clients: krb5 config with the krb5 server entry and "obtain
> tokens for OpenAFS while login enabled"
> so far no special entries for krb5 in AD.
> I assume the user on windows obtains a token and a valid ticket from
> the
> linux krb5 server while logging in (else the token wouldn't be valid).
> So a valid ticket for the user is available in the cache.
> In https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian

That page assumes all machines are in one realm, which doesn't appear to
be your case at all. Can you be specific about which machines are in
which Kerberos / AD Realm?

<<CDC


Christopher D. Clausen

Jan 30, 2007, 11:44:59 AM
Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:

> Christopher D. Clausen wrote:
>> Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
>>> Thanks for the link.
>>> Maybe I don't get it right in my thoughts.

>>> Setup here:
>>> AD with 1 server and x clients
>>> krb5 server on debian on extra machine
>>
>> So you have an Active Directory domain that the Windows machines are
>> on?
>
> Yes, there is an AD domain in which the PCs are.

>
>> And a separate Kerberos Realm for the Linux machines?
>
> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
> lower case cgv.tugraz.at)

Okay, this sounds bad. You'll likely need to rename either the domain
or the realm. (I believe there is a Windows tool to rename a domain.)

Maybe someone else has an idea for you? I don't think you can even
set up a realm trust if the realm names are the same b/c the cross-realm
TGT (krbtgt) would overwrite the current realm's TGT.

>> Do you have a realm trust between these? B/c it's not likely to work
>> if you don't.
>

> There is no realm trust between both (which are the same).
> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
> obtaining tickets/tokens.

You cannot have this work just b/c the realms are the same. There needs
to be a trust setup between the realms, or you need to have ALL your
non-Windows machines also use the Windows domain as a KDC instead of the
MIT one.

And please reply to the list and not to me directly.

<<CDC
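The two conditions this exchange turns on, a forwardable TGT on the client (without it PuTTY/WinSCP have nothing to delegate) and an MIT realm that shares its name with the AD domain while pointing at a different KDC, can both be read off a client's krb5.conf. The following is an added example, not code from the thread or from any of the tools named in it; the krb5.conf and the AD domain controller name dc.cgv.tugraz.at are constructed to mirror the setup Lars describes.

```python
# Constructed krb5.conf reproducing the thread's setup: the MIT realm
# CGV.TUGRAZ.AT is served by a Debian KDC while the Windows clients are in an
# AD domain of the same name (cgv.tugraz.at) with its own domain controller.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CGV.TUGRAZ.AT
    forwardable = false
[realms]
    CGV.TUGRAZ.AT = {
        kdc = krb5.cgv.tugraz.at
    }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with one level of
    'NAME = { ... }' sub-blocks as used in [realms]; last value wins."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip()
            conf[section].setdefault(block, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def check_forwarding_setup(conf, ad_domain, ad_dc):
    """Return problems that break GSSAPI login with ticket forwarding in the
    thread's scenario; an empty list means none were found."""
    problems = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    # PuTTY/WinSCP can only delegate a TGT that was issued forwardable.
    if lib.get("forwardable", "false").lower() != "true":
        problems.append("forwardable is not true: the TGT cannot be forwarded")
    # MIT realm and AD domain share a name but use different KDCs: they collide.
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", "")
    if realm.lower() == ad_domain.lower() and kdc.lower() != ad_dc.lower():
        problems.append(f"realm {realm} shares its name with AD domain "
                        f"{ad_domain} but uses KDC {kdc}, not {ad_dc}")
    return problems
```

Pointing the realm's kdc at the AD controller instead, which is Christopher's "use the Windows domain as a KDC" alternative, clears the collision finding and leaves only the forwardable flag to fix.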

Lars Schimmer

Feb 1, 2007, 9:32:55 AM

Christopher D. Clausen wrote:


> Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
>> Christopher D. Clausen wrote:
>>> Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
>>>> Thanks for the link.
>>>> Maybe I don't get it right in my thoughts.
>>>> Setup here:
>>>> AD with 1 server and x clients
>>>> krb5 server on debian on extra machine
>>> So you have an Active Directory domain that the Windows machines are
>>> on?
>> Yes, there is an AD domain in which the PCs are.
>>
>>> And a separate Kerberos Realm for the Linux machines?
>> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
>> lower case cgv.tugraz.at)
>
> Okay, this sounds bad. You'll likely need to rename either the domain
> or the realm. (I believe there is a Windows tool to rename a domain.)

OK, we are just 20 people here using our REALM and no entry in the DNS
server, so I think it is easier to rename the REALM instead of the AD domain.
We got a /25 subnet and a DNS entry cgv.tugraz.at (yes, academic).
Within this I wanted to set up OpenAFS (I think it should be named after the
dns entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is best and
the only usable one), linux clients (no probs so far) and an AD domain
with its own AD domain server. And I think for DNS/network/... purposes it
is far easier to name the AD domain after the DNS entry cgv.tugraz.at
(e.g. names of clients, IPs via dhcp, ...).
I thought the only possible usable REALM was CGV.TUGRAZ.AT and I set it
up that way and was happy as it worked for the most needed parts (login
into AD domain [with own AD password], getting a ticket from the krb5 server
for the CGV.TUGRAZ.AT REALM and getting the token automatically).


> Maybe someone else has an idea for you? I don't think you can even
> setup a realm trust if the realm names are the same b/c the cross-realm
> TGT (krbtgt) would overwrite the current realms TGT.
>
>>> Do you have a realm trust between these? B/c its not likely to work
>>> if you don't.
>> There is no realm trust between both (which are the same).
>> I use cgv.tugraz.at as a AD domain for login and CGV.TUGRAZ.AT for
>> obtaining tickets/tokens.
>
> You cannot have this work just b/c the realms are the same. There needs
> to be a trust setup between the realms, or you need to have ALL your
> non-Windows machines also use the Windows domain as a KDC instead of the
> MIT one.

Some time ago it was easier to setup the MIT krb5 server instead of
using AD krb5 auth together with OpenAFS.

And I thought using MIT krb5 software on Windows with an active ticket
for the correct REALM is the needed part for logging in with putty via
ticket forwarding.

> And please reply to the list and not to me directly.

Sorry, it went wrong here. Damned icedove.



MfG,
Lars Schimmer

Christopher D. Clausen

Feb 1, 2007, 9:47:04 AM
Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <l.sch...@cgv.tugraz.at> wrote:
>>> Christopher D. Clausen wrote:
>>>> So you have an Active Directory domain that the Windows machines
>>>> are on?
>>>
>>> Yes, there is an AD domain in which the PCs are.
>>>
>>>> And a separate Kerberos Realm for the Linux machines?
>>>
>>> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
>>> lower case cgv.tugraz.at)
>>
>> Okay, this sounds bad. You'll likely need to rename either the
>> domain or the realm. (I believe there is a Windows tool to rename a
>> domain.)
>
> OK, we are just 20 people here using our REALM and no entry in the DNS
> server, so I think it is easier to rename the REALM instead of the AD
> domain. We got a /25 subnet and a DNS entry cgv.tugraz.at (yes,
> academic).
> Within this I wanted to set up OpenAFS (I think it should be named after
> the dns entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is
> best and the only usable one), linux clients (no probs so far) and an
> AD domain with its own AD domain server. And I think for
> DNS/network/... purposes it is far easier to name the AD domain after
> the DNS entry cgv.tugraz.at (e.g. names of clients, IPs via dhcp, ...).
> I thought the only possible usable REALM was CGV.TUGRAZ.AT and I set
> it up that way and was happy as it worked for the most needed parts
> (login into AD domain [with own AD password], getting a ticket from the
> krb5 server for the CGV.TUGRAZ.AT REALM and getting the token automatically).

If your eventual goal is to set up OpenAFS, I'd suggest ONLY using the AD
domain if your Kerberos realm only has a few users now anyway. You can
do just about anything in AD that you could do with MIT Kerberos, although
the management from the non-Windows side of things is a little annoying,
but it is possible. Having everything in one Kerberos realm simplifies
single-sign-on and cross-platform issues.

>> You cannot have this work just b/c the realms are the same. There
>> needs to be a trust setup between the realms, or you need to have
>> ALL your non-Windows machines also use the Windows domain as a KDC
>> instead of the MIT one.
>
> Some time ago it was easier to setup the MIT krb5 server instead of
> using AD krb5 auth together with OpenAFS.
>
> And I thought using MIT krb5 software on Windows with an active ticket
> for the correct REALM is the needed part for logging in with putty via
> ticket forwarding.

It is nearly as easy to have an AFS cell use an AD domain as using MIT or
Heimdal. Just generate a keytab for the afs/cell service principal and
use asetkey to add it to the KeyFile.

<<CDC
