LinuxQuestions.org
Old 04-14-2011, 07:59 AM   #1
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Rep: Reputation: 31
windows linux sso ssh


Hello:

I'm trying to make an SSH connection (using Quest PuTTY) from Windows to Linux.

As the Linux machines are joined to Active Directory, it is possible to do SSO (using Kerberos).

If I connect from Linux to Linux using ssh, it works fine.

If I connect from Windows (Win7) to Linux using Quest PuTTY or Centrify PuTTY, an error is displayed:

Code:
C:\Program Files\Centrify\Centrify PuTTY>Plink.exe -A -K -v serverl001.jed
Looking up host "serverl001.buss.red"
Connecting to 10.16.44.234 port 22
Server version: SSH-2.0-OpenSSH_5.4
We claim version: SSH-2.0-PuTTY_Release_0.60_(Centrify_GSS_1.4)
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/serverl001.buss.red
gss_init_sec_context: InitializeSecurityContext returns SEC_I_CONTINUE_NEED
90312
Using principal User1@BUSS.RED
Got host ticket host/serverl001.buss.red@BUSS.RED
Using principal User1@BUSS.RED
Got host ticket host/serverl001.buss.red@BUSS.RED
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 73:c5:08:56:45:b5:25:54:d7:9e:3a:41:1b:1c:61:1e
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n) y
Host key fingerprint is:
ssh-rsa 1024 73:c5:08:28:c5:c7:23:54:d7:9e:3a:23:1b:1c:61:1e
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as User1@BUSS.RED
Userauth request for gssapi-with-mic
GSSAPI authentication rejected
Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD

Using keyboard-interactive authentication.
Password:
Can anyone tell me a program for SSO from Windows to Linux CentOS 5.5?

Thanks
 
Old 04-14-2011, 07:29 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Did you check the list of possible causes/fixes ?

1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD
 
Old 04-15-2011, 06:46 AM   #3
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Original Poster
Rep: Reputation: 31
Yes, I've tried that.

As I say, I've added different CentOS 5.5 to Active Directory.

And I can do SSO from Linux to Linux using that user. The problem is when I try to connect from Windows. I tried with Centrify and Quest PuTTY.
I've tried from Window2003SR2, Quest PuTTY and AD Win2003SR2 and it works fine.
If I try with Windows7, Quest PuTTY and AD Win2003SR1, a GSSAPI error is received.
Trying the same with Centrify PuTTY I see:
Code:
C:\Program Files\Centrify\Centrify PuTTY>plink -v -K server1.company.com
Looking up host "server1.company.com"
Connecting to 10.16.137.224 port 22
Server version: SSH-2.0-OpenSSH_4.3
We claim version: SSH-2.0-PuTTY_Release_0.60_(Centrify_GSS_1.4)
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/server1.company.com
gss_init_sec_context: InitializeSecurityContext returns SEC_I_CONTINUE_NEEDED:0x90312
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 2048 41:a1:72:32:43:55:22:c9:00:33:95:47:02:ea:59:00
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as user1@COMPANY.COM
Userauth request for gssapi-with-mic
GSSAPI authentication rejected

Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD

user1@COMPANY.COM@server1.company.com's password:
Any other help? Or any chat/forum to ask?

Thanks

Last edited by Felipe; 04-15-2011 at 06:48 AM.
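
Added example (not part of any post in this thread): server-side checks for causes 2 and 3 in the PuTTY message, run over constructed sample files. The function names, the temporary file names and the short-name keytab entry are assumptions for illustration, and the `klist -k` output is assumed to have been saved to a file beforehand.

```shell
#!/bin/sh
# Added example: checks for "service principal name" and "Kerberos enabled in sshd".

# Print the global GSSAPIAuthentication value from an sshd_config file.
# sshd uses the first value it reads; with no directive the default is "no".
sshd_gssapi_setting() {
    awk '
        { sub(/[ \t]*=[ \t]*/, " ") }              # accept the "Keyword=value" form
        $1 ~ /^#/ { next }                         # skip comments
        tolower($1) == "match" { exit }            # stop before conditional blocks
        tolower($1) == "gssapiauthentication" { v = $2; exit }
        END { print (v == "" ? "no" : v) }
    ' "$1"
}

# Service principal the client obtained a ticket for, taken from a plink -v log
# (the "Got host ticket ..." line printed in the thread); tolerates CRLF logs.
spn_from_plink_log() {
    awk '/^Got host ticket / { sub(/\r$/, ""); print $4; exit }' "$1"
}

# Succeed only if that exact principal is listed in saved `klist -k` output.
keytab_has_spn() {
    awk -v spn="$2" '$2 == spn { found = 1 } END { exit !found }' "$1"
}

# Constructed sample inputs (names follow the anonymised log in the thread).
tmp=$(mktemp -d)
printf '%s\n' '# sshd_config' 'Protocol 2' 'GSSAPIAuthentication yes' > "$tmp/sshd_config"
printf '%s\n' 'Using principal user1@COMPANY.COM' \
    'Got host ticket host/server1.company.com@COMPANY.COM' > "$tmp/plink.log"
printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' 'KVNO Principal' \
    '---- ---------' '   3 host/server1@COMPANY.COM' > "$tmp/klist.txt"

spn=$(spn_from_plink_log "$tmp/plink.log")
echo "GSSAPIAuthentication: $(sshd_gssapi_setting "$tmp/sshd_config")"
if keytab_has_spn "$tmp/klist.txt" "$spn"; then
    echo "keytab has $spn"
else
    echo "keytab is missing $spn"    # the constructed keytab only has the short name
fi
rm -rf "$tmp"
```
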
 
Old 04-16-2011, 08:11 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Quote:
user1@COMPANY.COM@server1.company.com
...is this normal ?
 
Old 04-16-2011, 06:21 PM   #5
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Original Poster
Rep: Reputation: 31
Sorry.
I've changed names as I don't want to write the domains, IPs and names of my company.

I'm asked for the password in the format: user1@sever1.company.com

More detailed information in:
http://allthingsunix.inside.quest.co...=119796&#11979


Any suggestion?

Thanks.
 
Old 04-17-2011, 10:35 PM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Which version of AD did you want to use ? ... 2003 and 2003R2 have different schemas and you need to install different products (SFU for 2003 and IDMU for 2003R2) to enable *nix logons.
 
Old 04-18-2011, 05:54 AM   #7
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Original Poster
Rep: Reputation: 31
Version:
- Domain Controllers: Windows 2003.
- Schemas: Windows 2003 R2 (schemas were updated from Win2003, but not the software/domain controllers).

What do I have to install/configure?

Thanks
 
Old 04-18-2011, 08:12 AM   #8
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
I'm not sure .. was there a specific reason you didn't update the OS as well ?
 
Old 04-18-2011, 08:54 AM   #9
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Original Poster
Rep: Reputation: 31
Active Directory is the work of another department.

I can use it, but not modify/configure it.

Any other suggestion?

Thanks

Last edited by Felipe; 04-18-2011 at 03:43 PM.
 
Old 04-20-2011, 05:48 AM   #10
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Ask them to install IDMU and see if it works
 
Old 04-20-2011, 08:31 AM   #11
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Original Poster
Rep: Reputation: 31
Not possible to install IDMU in Active Directory (ADS department is not going to do that).

I'll have to wait for a migration of Active Directory to ADS 2008, but it can take months (or years).

Any other suggestion is welcome.

Thanks
 
Old 04-21-2011, 07:42 AM   #12
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Sorry, I'm all out, good luck
 
  

