This is the mail archive of the cygwin mailing list for the Cygwin project.



GSSAPI authentication and OpenSSH on Windows


Hi,

I need to access a Windows server using SSH and GSSAPI Authentication so the user doesn't have to enter his user / password all the time.  The clients will be running Windows using the PUTTY SSH client.  Windows authentication credentials should be reused to access the SSH Server.

The Windows SSH Server is joined to a Windows Domain with an AD.  I don't have administrator privileges on this domain.

Here is some information about this server:
  Windows Server 2003 Standard Edition SP2
  Cygwin 1.7.24 (x86)
  Machine name:  ls-ibm
  AD Domain name:  magrit.int
  Machine's FQDN:  ls-ibm.magrit.int

See cygwin_info.txt attached for the output of cygcheck -s -v -r > /cygwin_info.txt.


After Googling around, I came across a couple of posts mentioning how to make this setup work, but I could not make it work on my machine and the error messages found in the log files don't seem to shed much light on the origin of the problem.

Here are some of the links to the posts providing information on what I'm trying to do.

http://acksyn.org/?p=475
http://answers.tectia.com/questions/509/gssapi-authentication-with-active-directory
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3d602921-0399-46eb-a44b-5b4153da7598/kerberoswindows-server-2008-kdc-and-centos-linix-clients-ktpass-utility
http://nynim.org/blog/2012/08/25/using-kerberos-gssapi-auth-with-openssh-in-cygwin-on-windows/

Most of these posts are related to Linux servers running Samba and they use Samba to generate their keytabs.  This is not the case for me since the server is a Windows machine.

The problem is that since I don't have administrative privileges on the domain (magrit.int), I can't create a new account for the SSH service, and I don't want to screw up things already working (Windows file sharing, remote desktop, etc.), so using ktpass to generate a new keytab is out of question without first talking to our IT department...  unless someone can tell me I'm wrong on this one.

One of these posts mentions using the ksetup utility to do a mapping to a local user account, but doesn't provide any sample or command-line arguments on how to do this, so I kind of experimented a little here.

Before trying to test an SSH connection with the Windows authentication Kerberos ticket, I tried to authenticate with Cygwin's kinit on the client first and connect with Cygwin's OpenSSH client.  When this works, GSSAPI authentication with PUTTY should theoretically be OK.


So, here are the steps I did to get me where I am now:

#1- Make sure the proper principals exist in the AD

setspn -L ls-ibm
Registered ServicePrincipalNames for CN=LS-IBM,OU=.,DC=magrit,DC=int:
    HOST/LS-IBM
    HOST/ls-ibm.magrit.int

The host/<server>@<domain> principals exist in the AD, which is fine.

I couldn't figure out exactly which principal was really needed (HOST/LS-IBM or HOST/ls-ibm.magrit.int), so for the next steps, I mapped both principals to my local account and exported keytabs for both principals, just to make sure all the required principals are available to the sshd process.

#2 - Create a local account
- I created a local user named ssh_test_gg and I added it to the local Administrator group.
- I went to Local Policies and added the ssh_test_gg user to Act as part of the operating system, to Create a token object, to Replace a process level token, to Adjust memory quotas for a process and to Log on as a service (later I will want to run SSH as a service, but I keep this for when everything else works!).

#3 Map the local account to the principal

ksetup /MapUser HOST/LS-IBM@MAGRIT.INT ssh_test_gg
ksetup /MapUser HOST/ls-ibm.magrit.int@MAGRIT.INT ssh_test_gg

ksetup
default realm = magrit.int (NT Domain)
Mapping HOST/LS-IBM to ssh_test_gg.
Mapping HOST/ls-ibm.magrit.int to ssh_test_gg.

This shows that the Kerberos principals have been mapped to my local account properly.  I mapped both principals to my account.

#4 Export the keytabs

ktpass /out d:\cygwin\etc\krb5.keytab /princ HOST/ls-ibm.magrit.int@MAGRIT.INT +rndPass /ptype KRB5_NT_SRV_HST /crypto DES-CBC-MD5
NOTE: creating a keytab but not mapping principal to any user.
      For the account to work within a Windows domain, the
      principal must be mapped to an account, either at the
      domain level (with /mapuser) or locally (using ksetup)
      If you intend to map HOST/ls-ibm.magrit.int@MAGRIT.INT to an account through other means
      or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to d:\cygwin\etc\krb5.keytab:
Keytab version: 0x502
keysize 60 HOST/ls-ibm.magrit.int@MAGRIT.INT ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2c5bec1c0d86d60e)

U:\>ktpass /out d:\cygwin\etc\krb5.keytab2 /princ HOST/LS-IBM@MAGRIT.INT +rndPass /ptype KRB5_NT_SRV_HST /crypto DES-CBC-MD5
NOTE: creating a keytab but not mapping principal to any user.
      For the account to work within a Windows domain, the
      principal must be mapped to an account, either at the
      domain level (with /mapuser) or locally (using ksetup)
      If you intend to map HOST/LS-IBM@MAGRIT.INT to an account through other means
      or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to d:\cygwin\etc\krb5.keytab2:
Keytab version: 0x502
keysize 49 HOST/LS-IBM@MAGRIT.INT ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x3 (DES-CBC-MD5) keylength 8 (0xf226614cc2831a52)

#5 Merge the keytabs

ktutil copy /etc/krb5.keytab2 /etc/krb5.keytab

ktutil list
FILE:/etc/krb5.keytab:

Vno  Type         Principal                          Aliases
  1  des-cbc-md5  HOST/ls-ibm.magrit.int@MAGRIT.INT
  1  des-cbc-md5  HOST/LS-IBM@MAGRIT.INT

I now have a keytab file (krb5.keytab) containing both HOST/* principals for my machine.

#6 Enable GSSAPIAuthentication in the server

Add GSSAPIAuthentication yes to sshd_config (see attached).

#7 Configure Kerberos on the server

See the contents of the /etc/krb5.conf attached.  Pretty straightforward.

#8 Test Kerberos on the server

kinit
xxxxxx@MAGRIT.INT's Password:

klist
Credentials cache: FILE:/tmp/krb5cc_26688
        Principal: xxxxxx@MAGRIT.INT

  Issued                Expires               Principal
Aug 19 13:28:36 2013  Aug 19 23:28:36 2013  krbtgt/MAGRIT.INT@MAGRIT.INT

This proves my SSH Server can authenticate users to the Windows Domain using Kerberos.

#9 Map the domain user to /etc/passwd

mkpasswd -D --user xxxxxx >> /etc/passwd

#10 Start the server

Open a new Windows session using the user created in step 2 (ssh_test_gg) and start the SSH server.

/usr/sbin/sshd -ddd

#11 Test SSH connectivity

From the client

ssh ls-ibm

Connection succeeds with my AD domain user, as expected.

#12 Restart the SSH Server

Using the session opened with the ssh_test_gg user.

/usr/sbin/sshd -ddd

See the output of this command in ssh_server_output.txt

#13 Configure Kerberos on the client

krb5.conf on the client is the same as for the server (see krb5.conf attached).

kinit
xxxxxx@MAGRIT.INT's Password:

klist
Credentials cache: FILE:/tmp/krb5cc_26688
        Principal: xxxxxx@MAGRIT.INT

  Issued                Expires               Principal
Aug 19 13:28:36 2013  Aug 19 23:28:36 2013  krbtgt/MAGRIT.INT@MAGRIT.INT

kdestroy

Now, my client can authenticate to the Windows Domain using Kerberos.

#14 Configure SSH on the client

Add GSSAPIAuthentication yes to /etc/ssh_config on the client (see ssh_config attached).

#15 Test the ssh connection

kinit
xxxxxx@MAGRIT.INT's Password:

klist
Credentials cache: FILE:/tmp/krb5cc_26688
        Principal: xxxxxx@MAGRIT.INT

  Issued                Expires               Principal
Aug 19 13:28:36 2013  Aug 19 23:28:36 2013  krbtgt/MAGRIT.INT@MAGRIT.INT

ssh -vvv ls-ibm

See output in ssh_client_output.txt attached.

I had to type in the password for my domain account in order to log into the machine.



In ssh_server_output.txt, you can see that the server tried to do a GSSAPI authentication of some sort, but failed for some obscure reason (unknown mech-code 0.) (lines 124 - 125).

In ssh_client_output.txt, we see the same kind of message (lines 82 - 85).

I even tried with PUTTY, making sure that the Attempt GSSAPI authentication (SSH-2 only) check-box was checked.  The event log says that GSSAPI Authentication failed, but it doesn't say why (see ssh_putty_output.txt, lines 15 - 17).

I tried adding a logging section to krb5.conf, but no messages appeared in the log file.

If it can help, I ran a few nslookups on the different hostnames (I ran across a few posts that pointed in that direction).

$ nslookup ls-ibm
Server:  cpt-dc20-p.magrit.int
Address:  172.30.193.51

Name:    ls-ibm.dns.local
Address:  172.30.195.50
Aliases:  ls-ibm.magrit.int

$ nslookup ls-ibm.magrit.int
Server:  cpt-dc20-p.magrit.int
Address:  172.30.193.51

Name:    ls-ibm.dns.local
Address:  172.30.195.50
Aliases:  ls-ibm.magrit.int

$ ping localhost

Pinging ls-ibm.magrit.int [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The Windows hosts file (D:\WINDOWS\system32\drivers\etc) contains a single entry mapping 127.0.0.1 to localhost.

At first, I didn't have any /etc/hosts file in the Cygwin directory tree.  I created one containing an entry mapping 127.0.0.1 to ls-ibm.magrit.int and to localhost.  It didn't change anything.


So, here are my questions:

- Did I miss anything?  I went through all the steps several times, trying to put all the information found on the web together, but I can't figure out what I'm missing.

- Am I right in assuming that mapping a local user to a domain principal with ksetup is the right way? (step 3 above)  Like I said, one post mentioned this, but neither provided a sample nor a confirmation that this setup was working.

- Which principal should I use in the keytab and in the local account mapping?  HOST/LS-IBM or HOST/ls-ibm.magrit.int?


Any help with this will be much appreciated.

Thank you for your help.

Ghislain Gadbois

Attachment: krb5.conf
Description: krb5.conf

Attachment: cygwin_info.txt
Description: cygwin_info.txt

Attachment: sshd_config
Description: sshd_config

Attachment: ssh_config
Description: ssh_config

Attachment: ssh_server_output.txt
Description: ssh_server_output.txt

Attachment: ssh_client_output.txt
Description: ssh_client_output.txt

Attachment: ssh_putty_output.txt
Description: ssh_putty_output.txt
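As an added example (not code from the post, the Cygwin project or any of the linked pages), here is a small Python parser for the version 0x0502 keytab format that ktpass writes and ktutil lists in steps 4 and 5 above. It reports each entry's principal, name type, kvno and enctype, and flags entries keyed with single DES, which is what /crypto DES-CBC-MD5 produces (single DES is deprecated for Kerberos by RFC 6649, so a server keytab like this one is worth checking before it goes into production). The sample keytab is constructed inline from the post's two HOST/ principals with placeholder 8-byte keys, not the key bytes ktpass printed; the entry sizes the parser recovers match the keysize 60 and 49 values in the ktpass output.

```python
import struct

DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # single DES (deprecated, RFC 6649)
KRB5_NT_SRV_HST = 3  # the /ptype the post passes to ktpass

def _counted(buf, off):
    """Read a uint16-length-prefixed string at off; return (string, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse a v2 (0x0502) keytab into dicts with principal, name_type, vno, etype, key, size."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # v2: the realm is not counted
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        key, off = data[off + 13:off + 13 + klen], off + 13 + klen
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0  # optional 32-bit kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "vno": vno32 or vno8, "etype": etype, "key": key, "size": size})
        off = end
    return entries

def weak_entries(entries):  # principals keyed with single DES, as ktpass /crypto DES-CBC-MD5 produces
    return [e["principal"] for e in entries if e["etype"] in DES_ETYPES]

def build_entry(realm, comps, name_type, vno, etype, key):
    """Serialise one v2 entry (timestamp 0); used only to construct the sample below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, 0, vno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02"  # constructed sample: the post's two HOST/ principals, placeholder keys
    + build_entry("MAGRIT.INT", ["HOST", "ls-ibm.magrit.int"], KRB5_NT_SRV_HST, 1, 3, b"\x11" * 8)
    + build_entry("MAGRIT.INT", ["HOST", "LS-IBM"], KRB5_NT_SRV_HST, 1, 3, b"\x22" * 8))
```

Running parse_keytab over a real /etc/krb5.keytab (read in binary mode) gives the same fields as ktutil list plus the raw enctype number, so a keytab with anything in DES_ETYPES can be spotted without trusting the cipher name alone.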
