Putty Snapshot of 2008-10-11, Kerberos, and RHEL
Is anyone using the new Putty snapshot and Kerberos? I'm trying to integrate
it with RHEL, and having a bit of difficulty. Do I really need to update to
OpenSSH 5 to get full integration, and register the RHEL host with the local
Kerberos master? (In this case, the Kerberos KDC is an Active Directory
Server, and RHEL 5 comes with OpenSSH 4.3.) If anyone's gotten all this
working together with Fedora 9 or similar releases, I should be able to work
backwards from that.
Kerberos authentication against the Active Directory server is already
working, and allows logins with uid's less than 500. (Go, RedHat, for getting
this working nicely.) No registration of the RHEL box in the domain is needed
for this, but it simply provides unified passwords, not single-sign-on where
you don't have to type your password again once you've logged into one server.
And by the way, for new people? Kerberos is very sensitive to time skew: you
really, really need to run NTP clients on your Active Directory servers and on
your RHEL systems for this to work well. (That took some work for me to get
authorized as a configuration change, but it helped a lot.)
I'd love to be able to offer single-sign-on in this RHEL environment, but
dislike having to use development snapshots and upgrade from the standard
system tools to provide it. I've also noticed that the new snapshot does this
when I log into the RHEL servers, whether or not they're running the newer
login as: nkadel
Last login: Mon Oct 20 18:26:16 2008 from hostname.example.com
That 'Access denied' part is new: I didn't have that with the 0.60 version of
Putty, but see it with the 2008-10-11 snapshot.
Re: Putty Snapshot of 2008-10-11, Kerberos, and RHEL
>>>>> "NKG" == Nico Kadel-Garcia <firstname.lastname@example.org> writes:[/color][/color][/color]
NKG> Hi, folks: Is anyone using the new Putty snapshot and Kerberos?
NKG> I'm trying to integrate it with RHEL, and having a bit of
NKG> difficulty. Do I really need to update to OpenSSH 5 to get full
You don't have to upgrade OpenSSH for Kerberos alone; 4.3 supports the
gssapi-with-mic user authentication method. What have you run into that
suggests you'd need to upgrade?
NKG> and register the RHEL host with the local Kerberos
To get single-signon -- that is, the client can authenticate to sshd on
the basis of his Windows Kerberos credentials acquired during the domain
logon, no password required -- then yes, the server host must have a
principal in the Kerberos realm. You can register it directly with AD
(which I find to be a pain, especially for large number of hosts), or run
a separate Unix-based realm with cross-realm trust between them.
With the tools mentioned so far, though, you're missing one big thing:
kerberized *server* authentication. This is a great boon in large
environments, since it relieves you of having to maintain hostkey
mappings for clients (e.g. OpenSSH known-hosts files, PuTTY registry keys,
etc.). The whole trust problem for servers is punted to the existing
Kerberos system, which has already solved it.
The Quest version of PuTTY ([url]http://rc.quest.com/topics/putty/[/url]) supports
both kerberized user and server authentication. I've been using it in
production for some time now, and it works well.
Of course, kerberized server authentication won't do you much good if sshd
doesn't support it, and it is *not* in OpenSSH proper (except in certain
distributions, e.g. Debian). For that, you need this (well-maintained)