This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Re: [ITP] heimdal
On 2012-03-19 04:40, Corinna Vinschen wrote:
> On Mar 19 04:24, Yaakov (Cygwin/X) wrote:
>> On Mon, 2012-03-19 at 09:35 +0100, Corinna Vinschen wrote:
>>> I already have a strange problem with the client. I enabled
>>> KerberosAuthentication and GSSAPIAuthentication on my Linux server,
>>> which has a /etc/krb5.conf file for authentication against my Windows
>>> domain (for Samba).
>>> Logging in with my Kerberos password is no problem, but that doesn't
>>> test the client at all, only the server. So I tried kinit and then ssh
>>> -K, which enables credential forwarding. IIUC that means the password I
>>> already entered via kinit should be forwarded to the server and I don't
>>> have to enter a password, just as when using pubkey authentication.
>>> However, that doesn't work at all. If I run ssh -Kvvv, I see an error
>>> message like this in the verbose output:
>> This combination (kinit name@HOST then ssh -K) worked for me when I
>> tested heimdal way back when. I'll have to figure out how to set up a
>> kerberos server so I can try it again (unless someone else has one we
>> can test with?).
> You could install the evaluation version of Windows Server 2008 R2 in
> a virtual machine:
> http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx
> and set it up as AD domain controller.
I think I figured this out with heimdal itself. I turned off other
auths besides GSSAPI in sshd_config as so:
--- /etc/defaults/etc/sshd_config 2012-03-19 21:37:03.000000000 -0500
+++ /etc/sshd_config 2012-03-20 15:46:52.716885000 -0500
@@ -45,2 +45,2 @@
-#RSAAuthentication yes
-#PubkeyAuthentication yes
+RSAAuthentication no
+PubkeyAuthentication no
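Review bot: setting `RSAAuthentication no` and `PubkeyAuthentication no` here, together with the PasswordAuthentication and ChallengeResponseAuthentication hunks that follow, leaves gssapi-with-mic as the only accepted method; that is what makes the test below conclusive, but it also means any KDC or keytab problem locks every account out of sshd, so on anything other than a throwaway test host keep console access or one fallback method enabled until the GSSAPI path is confirmed working.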
@@ -63 +63 @@
-#PasswordAuthentication yes
+PasswordAuthentication no
@@ -67 +67 @@
-#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
@@ -76 +76 @@
-#GSSAPIAuthentication no
+GSSAPIAuthentication yes
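Review bot: `GSSAPIAuthentication yes` only does anything once sshd can find the key for the host principal clients ask for; the `kadmin -l ext host/yaakov04` step further down is what puts that key in the keytab, so that dependency is worth stating next to this setting, since without it the client sees the same `Permission denied (gssapi-with-mic)` as when it has no ticket at all.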
Then after (re)starting my krb5-enabled sshd, I did the following:
### should this be changed to /var/lib/heimdal ?
$ mkdir /var/heimdal
$ /usr/sbin/kstash --random-key
kstash: writing key to `/var/heimdal/m-key'
$ /usr/sbin/kadmin -l
kadmin> init YAAKOV04
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add Yaakov
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Yaakov@YAAKOV04's Password:
Verifying - Yaakov@YAAKOV04's Password:
kadmin> passwd Yaakov
Yaakov@YAAKOV04's Password:
Verifying - Yaakov@YAAKOV04's Password:
kadmin> add --random-key host/yaakov04
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/yaakov04
kadmin> q
$ /usr/sbin/kdc --detach
$ kinit
Yaakov@YAAKOV04's Password:
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: Yaakov@YAAKOV04
Issued Expires Principal
Mar 20 15:50:33 2012 Mar 21 01:50:33 2012 krbtgt/YAAKOV04@YAAKOV04
$ ssh -Kv localhost
...
debug1: Authentication succeeded (gssapi-with-mic).
...
[login succeeds; after logging out:]
$ kdestroy
$ klist
klist: No ticket file: /tmp/krb5cc_1001
$ ssh -K localhost
Permission denied (gssapi-with-mic).
Yaakov
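The end of the thread shows the two client states that decide whether `ssh -K` can succeed: a cache holding `krbtgt/YAAKOV04@YAAKOV04`, or no ticket file at all after `kdestroy`. As an added example (not from the thread or from the Heimdal project), this parses the Heimdal `klist` format quoted above and reports whether an unexpired TGT for the principal's own realm is present, which is the preflight check worth scripting before blaming sshd; the sample output is constructed to mirror what was posted.

```python
import re
from datetime import datetime

# Heimdal klist prints timestamps like "Mar 20 15:50:33 2012".
KLIST_TIME_FMT = "%b %d %H:%M:%S %Y"
_TIME = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
_TICKET_LINE = re.compile(rf"^({_TIME}) +({_TIME}) +(\S+)$")

def parse_klist_time(text: str) -> datetime:
    """Parse one klist timestamp (local time; klist prints no zone)."""
    return datetime.strptime(text.strip(), KLIST_TIME_FMT)

def tgt_status(klist_output: str, now: datetime) -> dict:
    """Classify a Heimdal `klist` dump before attempting `ssh -K`.
    state is 'no-cache' (what kdestroy leaves), 'no-tgt', 'expired' or
    'valid'; only the realm's own TGT (krbtgt/REALM@REALM) counts, since
    that is what ssh needs in order to fetch a host/... service ticket."""
    status = {"cache": None, "principal": None, "realm": None,
              "expires": None, "state": "no-cache"}
    if klist_output.lstrip().startswith("klist: No ticket file"):
        return status
    for raw in klist_output.splitlines():
        line = raw.strip()
        if line.startswith("Credentials cache:"):
            status["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Principal:"):
            status["principal"] = line.split(":", 1)[1].strip()
            status["realm"] = status["principal"].rsplit("@", 1)[-1]
            status["state"] = "no-tgt"
        elif status["realm"] is not None:
            m = _TICKET_LINE.match(line)
            realm = status["realm"]
            if not m or m.group(3) != f"krbtgt/{realm}@{realm}":
                continue  # header row or a service ticket, not the TGT
            status["expires"] = parse_klist_time(m.group(2))
            status["state"] = "valid" if status["expires"] > now else "expired"
    return status

# Constructed sample modelled on the klist output quoted in the thread.
SAMPLE_WITH_TGT = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Yaakov@YAAKOV04

  Issued                Expires               Principal
Mar 20 15:50:33 2012  Mar 21 01:50:33 2012  krbtgt/YAAKOV04@YAAKOV04
"""
SAMPLE_AFTER_KDESTROY = "klist: No ticket file: /tmp/krb5cc_1001\n"
```

Feed it the real output with `tgt_status(subprocess.run(["klist"], capture_output=True, text=True).stdout or .stderr, datetime.now())`; Heimdal writes the "No ticket file" message to stderr.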