Windows SSH client that uses tickets not obtained from AD login - Kerberos

This is a discussion on Windows SSH client that uses tickets not obtained from AD login - Kerberos ; Hi, Do you know any windows ssh client that can use gssapi authentication and not using SSPI(used by vintela and CSS putty versions)wherein it uses tickets that were obtained from an Active Directory login? I have downloaded KFW from MIT ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: Windows SSH client that uses tickets not obtained from AD login

  1. Windows SSH client that uses tickets not obtained from AD login

    Hi,
    Do you know any windows ssh client that can use
    gssapi authentication and not using SSPI(used by
    vintela and CSS putty versions)wherein it uses tickets
    that were obtained from an Active Directory login? I
    have downloaded KFW from MIT and I have successfully
    obtain tickets using Leash. I tried to use vintela's
    putty but I don't know how to tell it where Leash put
    my tickets. The vintela docs says it will use the
    tickets obtained upon an Active Directory login. In
    our case, we don't use AD service. BTW, just curious,
    KFW says it places the tickets obtained from KDC
    inside the memory of the computer, I remembered my
    tickets when using kinit places it in /tmp of my unix
    box. Is there a security issue here regarding the use
    of /tmp as a storage of tickets against placing it in
    the memory?

    Thanks.

    __________________________________________________
    Do You Yahoo!?
    Tired of spam? Yahoo! Mail has the best spam protection around
    http://mail.yahoo.com
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Windows SSH client that uses tickets not obtained from AD login

    Kermit 95 provides
    support for SSH with GSS and it derives its tickets from KFW.
    The version distributed by Columbia University is old and
    not quite up to date but it works.



    jay alvarez wrote:
    > Hi,
    > Do you know any windows ssh client that can use
    > gssapi authentication and not using SSPI(used by
    > vintela and CSS putty versions)wherein it uses tickets
    > that were obtained from an Active Directory login? I
    > have downloaded KFW from MIT and I have successfully
    > obtain tickets using Leash. I tried to use vintela's
    > putty but I don't know how to tell it where Leash put
    > my tickets. The vintela docs says it will use the
    > tickets obtained upon an Active Directory login. In
    > our case, we don't use AD service. BTW, just curious,
    > KFW says it places the tickets obtained from KDC
    > inside the memory of the computer, I remembered my
    > tickets when using kinit places it in /tmp of my unix
    > box. Is there a security issue here regarding the use
    > of /tmp as a storage of tickets against placing it in
    > the memory?
    >
    > Thanks.
    >
    > __________________________________________________
    > Do You Yahoo!?
    > Tired of spam? Yahoo! Mail has the best spam protection around
    > http://mail.yahoo.com
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu

  3. Re: Windows SSH client that uses tickets not obtained from ADlogin(opensource/free)

    Hi Jeff,
    I've already been to that site as most of my google
    searches points me to it, but my problem is that the
    place I work in is a government institution which
    benifits mostly from tools that are opensource and
    free. Is there a freeware version of kermit?


    --- Jeffrey Altman wrote:

    > Kermit 95
    > provides
    > support for SSH with GSS and it derives its tickets
    > from KFW.
    > The version distributed by Columbia University is
    > old and
    > not quite up to date but it works.
    >
    >
    >
    > jay alvarez wrote:
    > > Hi,
    > > Do you know any windows ssh client that can use
    > > gssapi authentication and not using SSPI(used by
    > > vintela and CSS putty versions)wherein it uses

    > tickets
    > > that were obtained from an Active Directory login?

    > I
    > > have downloaded KFW from MIT and I have

    > successfully
    > > obtain tickets using Leash. I tried to use

    > vintela's
    > > putty but I don't know how to tell it where Leash

    > put
    > > my tickets. The vintela docs says it will use the
    > > tickets obtained upon an Active Directory login.

    > In
    > > our case, we don't use AD service. BTW, just

    > curious,
    > > KFW says it places the tickets obtained from KDC
    > > inside the memory of the computer, I remembered my
    > > tickets when using kinit places it in /tmp of my

    > unix
    > > box. Is there a security issue here regarding the

    > use
    > > of /tmp as a storage of tickets against placing it

    > in
    > > the memory?
    > >
    > > Thanks.
    > >
    > > __________________________________________________
    > > Do You Yahoo!?
    > > Tired of spam? Yahoo! Mail has the best spam

    > protection around
    > > http://mail.yahoo.com
    > > ________________________________________________
    > > Kerberos mailing list Kerberos@mit.edu
    > > https://mailman.mit.edu/mailman/listinfo/kerberos
    > >

    >
    > --
    > -----------------
    > This e-mail account is not read on a regular basis.
    > Please send private responses to jaltman at mit dot
    > edu
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >





    __________________________________________________ __
    Sell on Yahoo! Auctions no fees. Bid on great items.
    http://auctions.yahoo.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Windows SSH client that uses tickets not obtained from ADlogin(opensource/free)

    Hallo,

    another option would be to use ssh under cygwin - what actually I do.
    You only have to compile ssh yourself with either Heimdal, or with MIT
    Kerberos. You can obtain TGT using either kinit, or copy TGT from LSA to
    an ording credentials cache using ms2mit program from KfW.

    Regards, vadim tarassov.

    On Mon, 2005-07-11 at 21:59 -0700, jay alvarez wrote:
    > Hi Jeff,
    > I've already been to that site as most of my google
    > searches points me to it, but my problem is that the
    > place I work in is a government institution which
    > benifits mostly from tools that are opensource and
    > free. Is there a freeware version of kermit?
    >
    >
    > --- Jeffrey Altman wrote:
    >
    > > Kermit 95
    > > provides
    > > support for SSH with GSS and it derives its tickets
    > > from KFW.
    > > The version distributed by Columbia University is
    > > old and
    > > not quite up to date but it works.
    > >
    > >
    > >
    > > jay alvarez wrote:
    > > > Hi,
    > > > Do you know any windows ssh client that can use
    > > > gssapi authentication and not using SSPI(used by
    > > > vintela and CSS putty versions)wherein it uses

    > > tickets
    > > > that were obtained from an Active Directory login?

    > > I
    > > > have downloaded KFW from MIT and I have

    > > successfully
    > > > obtain tickets using Leash. I tried to use

    > > vintela's
    > > > putty but I don't know how to tell it where Leash

    > > put
    > > > my tickets. The vintela docs says it will use the
    > > > tickets obtained upon an Active Directory login.

    > > In
    > > > our case, we don't use AD service. BTW, just

    > > curious,
    > > > KFW says it places the tickets obtained from KDC
    > > > inside the memory of the computer, I remembered my
    > > > tickets when using kinit places it in /tmp of my

    > > unix
    > > > box. Is there a security issue here regarding the

    > > use
    > > > of /tmp as a storage of tickets against placing it

    > > in
    > > > the memory?
    > > >
    > > > Thanks.
    > > >
    > > > __________________________________________________
    > > > Do You Yahoo!?
    > > > Tired of spam? Yahoo! Mail has the best spam

    > > protection around
    > > > http://mail.yahoo.com
    > > > ________________________________________________
    > > > Kerberos mailing list Kerberos@mit.edu
    > > > https://mailman.mit.edu/mailman/listinfo/kerberos
    > > >

    > >
    > > --
    > > -----------------
    > > This e-mail account is not read on a regular basis.
    > > Please send private responses to jaltman at mit dot
    > > edu
    > > ________________________________________________
    > > Kerberos mailing list Kerberos@mit.edu
    > > https://mailman.mit.edu/mailman/listinfo/kerberos
    > >

    >
    >
    >
    >
    > __________________________________________________ __
    > Sell on Yahoo! Auctions no fees. Bid on great items.
    > http://auctions.yahoo.com/
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos

    --
    vadim

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  5. Re: Windows SSH client that uses tickets not obtained from AD login

    jay alvarez wrote:
    > Hi,
    > Do you know any windows ssh client that can use
    > gssapi authentication and not using SSPI(used by
    > vintela and CSS putty versions)wherein it uses tickets
    > that were obtained from an Active Directory login? I
    > have downloaded KFW from MIT and I have successfully
    > obtain tickets using Leash. I tried to use vintela's
    > putty but I don't know how to tell it where Leash put
    > my tickets. The vintela docs says it will use the
    > tickets obtained upon an Active Directory login. In
    > our case, we don't use AD service.


    The version of putty at: http://www.sweb.cz/v_t_m/ works with tickets
    obtained by MIT KfW. However, it only works with gssapi-with-mic, so
    you need to have OpenSSH 3.8 or higher on the server side. I have been
    using it for over a year without too many problems. It works quite well
    and the author even updated the source patch and the binary the two
    times I've asked when security fixes were released for putty.

    < Christopher D. Clausen
    ACM@UIUC SysAdmin


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  6. Re: Windows SSH client that uses tickets not obtained from AD login

    jay alvarez wrote:
    > Hi,
    > Do you know any windows ssh client that can use
    > gssapi authentication and not using SSPI(used by
    > vintela and CSS putty versions)


    There's a version of the CSS putty modifications which can use MIT
    Kerberos for Windows. Download their Putty Installer, install it, and
    then change the dll which it uses for Kerberos support by renaming
    C:\Program Files\PuTTY\plugin_mitgss.dll as
    C:\Program Files\PuTTY\plugingss.dll

    In my experience, there's a problem with newer versions of the code not
    working with MIT Kerberos, but version 0-55b1 works fine.

    Cheers,

    Simon.

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  7. Re: Windows SSH client that uses tickets not obtained from AD login

    SecureCRT 4.x can use either the SSPI or the KfW gssapi.
    http://www.vandyke.com/products/securecrt/

    There are mods to PuTTY that can use either SSPI and KfW.
    http://www.sweb.cz/v_t_m/#putty
    Hopefully the PuTTY people will pick these up.

    We use both of these at our site.

    jay alvarez wrote:

    > Hi,
    > Do you know any windows ssh client that can use
    > gssapi authentication and not using SSPI(used by
    > vintela and CSS putty versions)wherein it uses tickets
    > that were obtained from an Active Directory login? I
    > have downloaded KFW from MIT and I have successfully
    > obtain tickets using Leash. I tried to use vintela's
    > putty but I don't know how to tell it where Leash put
    > my tickets. The vintela docs says it will use the
    > tickets obtained upon an Active Directory login. In
    > our case, we don't use AD service. BTW, just curious,
    > KFW says it places the tickets obtained from KDC
    > inside the memory of the computer, I remembered my
    > tickets when using kinit places it in /tmp of my unix
    > box. Is there a security issue here regarding the use
    > of /tmp as a storage of tickets against placing it in
    > the memory?
    >
    > Thanks.
    >
    > __________________________________________________
    > Do You Yahoo!?
    > Tired of spam? Yahoo! Mail has the best spam protection around
    > http://mail.yahoo.com
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread