LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   SSH SSO in Windows 2008 not working (http://www.linuxquestions.org/questions/linux-server-73/ssh-sso-in-windows-2008-not-working-931386/)

manyrootsofallevil 02-26-2012 11:00 AM

SSH SSO in Windows 2008 not working
 
I have followed my own tutorial to join a CentOS 6.2 box to a Windows 2008 AD domain.

In addition, I have used ktpass to generate a keytab file and have copied it to the Linux boxes that have joined the domain.
Code:

ktpass -princ HOST/adtest.my.org@MY.ORG -mapuser MY\adtest$  -pass Passw0rd123 -ptype KRB5_NT_PRINCIPAL -crypto All -out adtest.keytab
I can log on to the Linux boxes without any problems using domain accounts (as long as they have unix settings set up) but what I cannot do is single sign on using SSH to another Linux box in this domain.

klist output after I've logged on to adtest
Code:

Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG

Valid starting    Expires            Service principal
02/26/12 15:25:09  02/27/12 01:23:33  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

If I log in to the other linux box in the domain:
Code:

Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG

Valid starting    Expires            Service principal
02/26/12 15:25:09  02/27/12 01:23:33  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/26/12 15:26:23  02/27/12 01:23:33  host/adtest2@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

and if I log on again to adtest from adtest:
Code:

Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG

Valid starting    Expires            Service principal
02/26/12 15:25:09  02/27/12 01:23:33  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/26/12 15:26:23  02/27/12 01:23:33  host/adtest2@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
02/26/12 15:28:24  02/27/12 01:23:33  host/adtest.my.org@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

I don't understand why the tickets are issued with arcfour encryption and I also don't understand why there is a difference between the ticket for adtest and adtest2.

Same test from adtest2
Code:

Ticket cache: FILE:/tmp/krb5cc_10000_UJ2BQP
Default principal: testuser@MY.ORG

Valid starting    Expires            Service principal
02/26/12 15:33:11  02/27/12 01:32:24  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
02/26/12 15:37:29  02/27/12 01:32:24  host/adtest2@
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/26/12 15:37:29  02/27/12 01:32:24  host/adtest2@MY.ORG
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/26/12 15:37:41  02/27/12 01:32:24  host/adtest.my.org@MY.ORG
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

I have added this line to ssh_config on both servers

Code:

Host *.domain.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

SELinux is set to permissive on both servers

Any ideas?

TIA

edit:

I just realized that adtest is Centos6.2 and adtest2 is RHEL6.0, which means that the kerberos libraries are slightly different 1.9-22 vs 1.8.2-3, respectively, don't think it should make much of a difference, but may it does

edit2:

I just cloned the Centos 6.2 VM called adtest3 and tried again, same result. :(

kbp 02-27-2012 05:10 PM

From memory you may need to create service principals (SPN's) to allow delegation privileges, but its been a while so I could just be old and confused.

manyrootsofallevil 02-28-2012 05:42 AM

Quote:

Originally Posted by kbp (Post 4613496)
From memory you may need to create service principals (SPN's) to allow delegation privileges, but its been a while so I could just be old and confused.

It looks like the ktpass command was the issue

should have used this (lower case host)

Code:

ktpass -princ host/adtest.my.org@MY.ORG -mapuser MY\adtest$  -pass Passw0rd123 -ptype KRB5_NT_PRINCIPAL -crypto All -out adtest.keytab
The other thing I changed was forcing rc4-hmac encryption, although I'm not too sure whether it makes a difference or not.

I'll have to investigate

manyrootsofallevil 02-28-2012 01:55 PM

I've written what I did to get this working in my blog. Hopefully it will help somebody.


All times are GMT -5. The time now is 08:58 PM.