LinuxQuestions.org
Old 02-26-2012, 11:00 AM   #1
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Rep: Reputation: 14
Post SSH SSO in Windows 2008 not working


I have followed my own tutorial to join a CentOS 6.2 box to a Windows 2008 AD domain.

In addition, I have used ktpass to generate a keytab file and have copied it to the Linux boxes that have joined the domain.
Code:
ktpass -princ HOST/adtest.my.org@MY.ORG -mapuser MY\adtest$  -pass Passw0rd123 -ptype KRB5_NT_PRINCIPAL -crypto All -out adtest.keytab
I can log on to the Linux boxes without any problems using domain accounts (as long as they have Unix settings set up), but what I cannot do is single sign-on using SSH to another Linux box in this domain.

klist output after I've logged on to adtest:
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG

Valid starting     Expires            Service principal
02/26/12 15:25:09  02/27/12 01:23:33  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
If I log in to the other Linux box in the domain:
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG

Valid starting     Expires            Service principal
02/26/12 15:25:09  02/27/12 01:23:33  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/26/12 15:26:23  02/27/12 01:23:33  host/adtest2@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
and if I log on again to adtest from adtest:
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG

Valid starting     Expires            Service principal
02/26/12 15:25:09  02/27/12 01:23:33  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/26/12 15:26:23  02/27/12 01:23:33  host/adtest2@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
02/26/12 15:28:24  02/27/12 01:23:33  host/adtest.my.org@MY.ORG
        renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
I don't understand why the tickets are issued with arcfour encryption and I also don't understand why there is a difference between the ticket for adtest and adtest2.

Same test from adtest2:
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_UJ2BQP
Default principal: testuser@MY.ORG

Valid starting     Expires            Service principal
02/26/12 15:33:11  02/27/12 01:32:24  krbtgt/MY.ORG@MY.ORG
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
02/26/12 15:37:29  02/27/12 01:32:24  host/adtest2@
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/26/12 15:37:29  02/27/12 01:32:24  host/adtest2@MY.ORG
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/26/12 15:37:41  02/27/12 01:32:24  host/adtest.my.org@MY.ORG
        renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
I have added these lines to ssh_config on both servers:

Code:
Host *.domain.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
SELinux is set to permissive on both servers.

Any ideas?

TIA

edit:

I just realized that adtest is CentOS 6.2 and adtest2 is RHEL 6.0, which means that the Kerberos libraries are slightly different (1.9-22 vs 1.8.2-3, respectively). I don't think it should make much of a difference, but maybe it does.

edit2:

I just cloned the CentOS 6.2 VM, called the clone adtest3 and tried again: same result.

Last edited by manyrootsofallevil; 02-26-2012 at 12:11 PM.
 
Old 02-27-2012, 05:10 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
From memory you may need to create service principals (SPNs) to allow delegation privileges, but it's been a while so I could just be old and confused.
 
Old 02-28-2012, 05:42 AM   #3
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Original Poster
Rep: Reputation: 14
Quote:
Originally Posted by kbp
From memory you may need to create service principals (SPNs) to allow delegation privileges, but it's been a while so I could just be old and confused.
It looks like the ktpass command was the issue.

I should have used this (lower-case host):

Code:
ktpass -princ host/adtest.my.org@MY.ORG -mapuser MY\adtest$  -pass Passw0rd123 -ptype KRB5_NT_PRINCIPAL -crypto All -out adtest.keytab
The other thing I changed was forcing rc4-hmac encryption, although I'm not too sure whether it makes a difference or not.

I'll have to investigate.
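As an added example (not code from this thread or its poster), here is a small Python audit of `klist -kte` output that reports the two things the first and third posts ran into: a keytab entry written as `HOST/fqdn@REALM` where sshd will look for `host/fqdn@REALM` (MIT krb5 matches principal names case-sensitively), and keys carrying the weak arcfour (RC4-HMAC) enctype. The keytab listings are constructed to mirror the two ktpass commands above; the fqdn, realm and function names are my own assumptions.

```python
import re

# Enctypes to flag in a host keytab; RC4-HMAC (arcfour) is the one the
# thread's klist output shows.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

# One `klist -kte` entry: KVNO, "MM/DD/YY HH:MM:SS", principal, (enctype)
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)  # header and separator lines do not match
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries

def audit_keytab(text, fqdn, realm):
    """List problems in a keytab that sshd will use for GSSAPI on this host."""
    # sshd (MIT krb5) looks up host/<fqdn>@REALM and compares principal names
    # case-sensitively, so the HOST/... entry written by `ktpass -princ HOST/...`
    # is never found even though the keytab looks right at a glance.
    wanted = "host/%s@%s" % (fqdn, realm)
    entries = parse_keytab_listing(text)
    names = {p for _, p, _ in entries}
    findings = []
    if wanted not in names:
        near = sorted(p for p in names if p.lower() == wanted.lower())
        if near:
            findings.append("principal %s differs only in case from %s" % (near[0], wanted))
        else:
            findings.append("required principal %s is missing" % wanted)
    for kvno, principal, enctype in entries:
        if enctype in WEAK_ENCTYPES:
            findings.append("%s (kvno %d) has weak enctype %s" % (principal, kvno, enctype))
    return findings

# Constructed listing matching the thread's first ktpass command (uppercase
# HOST, -crypto All); not real output from the poster's machine.
BAD_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   3 02/26/12 15:20:00 HOST/adtest.my.org@MY.ORG (arcfour-hmac)
   3 02/26/12 15:20:00 HOST/adtest.my.org@MY.ORG (aes256-cts-hmac-sha1-96)
"""

# Constructed listing after re-running ktpass with lowercase host and AES only.
GOOD_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
   4 02/28/12 09:00:00 host/adtest.my.org@MY.ORG (aes256-cts-hmac-sha1-96)
"""
```

Run `audit_keytab(BAD_KEYTAB, "adtest.my.org", "MY.ORG")` to see both findings; the same function over `GOOD_KEYTAB` returns an empty list.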
 
Old 02-28-2012, 01:55 PM   #4
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Original Poster
Rep: Reputation: 14
I've written what I did to get this working in my blog. Hopefully it will help somebody.
Tags
active directory, ssh
All times are GMT -5. The time now is 04:57 AM.