LinuxQuestions.org


Felipe 04-14-2011 06:59 AM

windows linux sso ssh
 
Hello:

I'm trying to make an SSH connection (using Quest PuTTY) from Windows to Linux.

As the Linux machines are joined to Active Directory, it is possible to do SSO (using Kerberos).

If I connect from Linux to Linux using ssh, it works fine.

If I connect from Windows (Win7) to Linux using Quest PuTTY or Centrify PuTTY, an error is displayed:

Code:


C:\Program Files\Centrify\Centrify PuTTY>Plink.exe -A -K -v serverl001.jed
Looking up host "serverl001.buss.red"
Connecting to 10.16.44.234 port 22
Server version: SSH-2.0-OpenSSH_5.4
We claim version: SSH-2.0-PuTTY_Release_0.60_(Centrify_GSS_1.4)
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/serverl001.buss.red
gss_init_sec_context: InitializeSecurityContext returns SEC_I_CONTINUE_NEEDED:0x90312
Using principal User1@BUSS.RED
Got host ticket host/serverl001.buss.red@BUSS.RED
Using principal User1@BUSS.RED
Got host ticket host/serverl001.buss.red@BUSS.RED
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 73:c5:08:56:45:b5:25:54:d7:9e:3a:41:1b:1c:61:1e
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n) y
Host key fingerprint is:
ssh-rsa 1024 73:c5:08:28:c5:c7:23:54:d7:9e:3a:23:1b:1c:61:1e
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as User1@BUSS.RED
Userauth request for gssapi-with-mic
GSSAPI authentication rejected
Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD

Using keyboard-interactive authentication.
Password:

Can anyone tell me a program for SSO from Windows to Linux CentOS 5.5?

Thanks

kbp 04-14-2011 06:29 PM

Did you check the list of possible causes/fixes?

1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is synchronized with the clock in AD
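The four causes above can be checked on the Linux side before touching the client. The following POSIX sh script is an added example, not code from the thread or from Centrify or Quest; it reads its inputs from files so it runs on the constructed samples embedded below, and on a real CentOS host you would feed it `getent passwd`, `klist -k` and `sshd -T` output instead.

```shell
#!/bin/sh
# Added example, not from the thread: server-side checks for the four causes
# Centrify PuTTY lists when "gssapi-with-mic" is rejected. The checks read files
# so they run on the constructed samples below; on a real CentOS host feed them
# /etc/passwd (or `getent passwd`), `klist -k` output and `sshd -T` output.

# 1) Unix login name: the user part of the AD principal must be a local account.
check_login_name() {   # $1 principal, e.g. user1@COMPANY.COM; $2 passwd-style file
    grep -q "^${1%%@*}:" "$2"
}

# 2) Target SPN: the keytab must hold host/<fqdn>@<REALM> exactly as the client
#    requested it ("Connecting Kerberos service host/server1.company.com").
check_spn_in_keytab() {   # $1 fqdn; $2 realm; $3 file holding `klist -k` output
    grep -q "host/$1@$2" "$3"
}

# 3) Kerberos enabled in sshd: an uncommented "GSSAPIAuthentication yes".
check_sshd_gssapi() {   # $1 sshd_config or `sshd -T` output
    grep -iqE '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$1"
}

# 4) Clock skew: Kerberos rejects tickets outside clockskew (default 300 s).
check_clock_skew() {   # $1 host epoch seconds; $2 DC epoch seconds; $3 tolerance
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "${3:-300}" ]
}

# Constructed sample inputs (not captured from the hosts in the thread).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'user1:x:1001:1001::/home/user1:/bin/bash\n' > "$TMP/passwd"
printf 'Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n' > "$TMP/klist"
printf '   3 host/server1.company.com@COMPANY.COM\n' >> "$TMP/klist"
printf '# GSSAPIAuthentication no\nGSSAPIAuthentication yes\n' > "$TMP/sshd_config"

# Runs all four checks against the samples; returns the number that failed.
run_checks() {
    f=0
    check_login_name user1@COMPANY.COM "$TMP/passwd" || { echo "1) login name: FAIL"; f=$((f+1)); }
    check_spn_in_keytab server1.company.com COMPANY.COM "$TMP/klist" || { echo "2) SPN: FAIL"; f=$((f+1)); }
    check_sshd_gssapi "$TMP/sshd_config" || { echo "3) sshd GSSAPI: FAIL"; f=$((f+1)); }
    check_clock_skew "$(date +%s)" "$(date +%s)" || { echo "4) clock skew: FAIL"; f=$((f+1)); }
    echo "$f check(s) failed"
    return "$f"
}

run_checks
```

A GSSAPI rejection with all four passing usually points at the SPN the client requested (compare the "Connecting Kerberos service" line with the keytab) or at the keytab KVNO no longer matching the computer account in AD.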

Felipe 04-15-2011 05:46 AM

Yes, I've tried that.

As I said, I've added different CentOS 5.5 machines to Active Directory.

And I can do SSO from Linux to Linux using that user. The problem is when I try to connect from Windows. I tried with Centrify and Quest PuTTY.
I've tried from Windows 2003 SR2, Quest PuTTY and AD Win2003 SR2 and it works fine.
If I try with Windows 7, Quest PuTTY and AD Win2003 SR1, a GSSAPI error is received.
Trying the same with Centrify PuTTY I see:
Code:


C:\Program Files\Centrify\Centrify PuTTY>plink -v -K server1.company.com
Looking up host "server1.company.com"
Connecting to 10.16.137.224 port 22
Server version: SSH-2.0-OpenSSH_4.3
We claim version: SSH-2.0-PuTTY_Release_0.60_(Centrify_GSS_1.4)
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/server1.company.com
gss_init_sec_context: InitializeSecurityContext returns SEC_I_CONTINUE_NEEDED:0x90312
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 2048 41:a1:72:32:43:55:22:c9:00:33:95:47:02:ea:59:00
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as user1@COMPANY.COM
Userauth request for gssapi-with-mic
GSSAPI authentication rejected

Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD

user1@COMPANY.COM@server1.company.com's password:

Any other help? Or any chat/forum to ask?

Thanks

kbp 04-16-2011 07:11 AM

Quote:

user1@COMPANY.COM@server1.company.com
...is this normal?

Felipe 04-16-2011 05:21 PM

Sorry.
I've changed the names as I don't want to write the domains, IPs and names of my company.

I'm asked for a password in the format: user1@server1.company.com

More detailed information in:
http://allthingsunix.inside.quest.co...=119796&#11979


Any suggestion?

Thanks.

kbp 04-17-2011 09:35 PM

Which version of AD did you want to use? ... 2003 and 2003 R2 have different schemas and you need to install different products (SFU for 2003 and IDMU for 2003 R2) to enable *nix logons.

Felipe 04-18-2011 04:54 AM

Version:
- Domain Controllers: Windows 2003.
- Schemas: Windows 2003 R2 (schemas were updated from Win2003, but not the software/domain controllers).

What do I have to install/configure?

Thanks

kbp 04-18-2011 07:12 AM

I'm not sure... was there a specific reason you didn't update the OS as well?

Felipe 04-18-2011 07:54 AM

Active Directory is the work of another department.

I can use it, but not modify/configure it.

Any other suggestion?

Thanks

kbp 04-20-2011 04:48 AM

Ask them to install IDMU and see if it works

Felipe 04-20-2011 07:31 AM

It is not possible to install IDMU in Active Directory (the ADS department is not going to do that).

I'll have to wait for a migration of Active Directory to ADS 2008, but it can take months (or years).

Any other suggestion is welcome.

Thanks

kbp 04-21-2011 06:42 AM

Sorry, I'm all out, good luck
