Putty Snapshot of 2008-10-11, Kerberos, and RHEL - SSH



  1. Putty Snapshot of 2008-10-11, Kerberos, and RHEL

    Hi, folks:

    Is anyone using the new Putty snapshot and Kerberos? I'm trying to integrate
    it with RHEL, and having a bit of difficulty. Do I really need to update to
    OpenSSH 5 to get full integration, and register the RHEL host with the local
    Kerberos master? (In this case, the Kerberos KDC is an Active Directory
    Server, and RHEL 5 comes with OpenSSH 4.3.) If anyone's gotten all this
    working together with Fedora 9 or similar releases, I should be able to work
    backwards from that.

    Kerberos authentication against the Active Directory server is already
    working, and allows logins with uids less than 500. (Go, RedHat, for getting
    this working nicely.) No registration of the RHEL box in the domain is needed
    for this, but it simply provides unified passwords, not single sign-on where
    you don't have to type your password again once you've logged into one server.

    And by the way, for new people? Kerberos is very sensitive to time skew: you
    really, really need to run NTP clients on your Active Directory servers and on
    your RHEL systems for this to work well. (That took some work for me to get
    authorized as a configuration change, but it helped a lot.)

    I'd love to be able to offer single-sign-on in this RHEL environment, but
    dislike having to use development snapshots and upgrade from the standard
    system tools to provide it. I've also noticed that the new snapshot does this
    when I log into the RHEL servers, whether or not they're running the newer
    OpenSSH 5:


    login as: nkadel
    Access denied
    nkg@hostname's password:
    Last login: Mon Oct 20 18:26:16 2008 from hostname.example.com

    [nkadel@hostname ~]$


    That 'Access denied' part is new: I didn't have that with the 0.60 version of
    Putty, but see it with the 2008-10-11 snapshot.

  2. Re: Putty Snapshot of 2008-10-11, Kerberos, and RHEL


    Hi Nico,

    >>>>> "NKG" == Nico Kadel-Garcia writes:


    NKG> Hi, folks: Is anyone using the new Putty snapshot and Kerberos?
    NKG> I'm trying to integrate it with RHEL, and having a bit of
    NKG> difficulty. Do I really need to update to OpenSSH 5 to get full
    NKG> integration,

    You don't have to upgrade OpenSSH for Kerberos alone; 4.3 supports the
    gssapi-with-mic user authentication method. What have you run into that
    suggests you'd need to upgrade?

    NKG> and register the RHEL host with the local Kerberos

    To get single sign-on -- that is, the client can authenticate to sshd on
    the basis of his Windows Kerberos credentials acquired during the domain
    logon, no password required -- then yes, the server host must have a
    principal in the Kerberos realm. You can register it directly with AD
    (which I find to be a pain, especially for large numbers of hosts), or run
    a separate Unix-based realm with cross-realm trust between them.

    With the tools mentioned so far, though, you're missing one big thing:
    kerberized *server* authentication. This is a great boon in large
    environments, since it relieves you of having to maintain host key
    mappings for clients (e.g. OpenSSH known-hosts files, PuTTY registry keys,
    etc.). The whole trust problem for servers is punted to the existing
    Kerberos system, which has already solved it.

    The Quest version of PuTTY (http://rc.quest.com/topics/putty/) supports
    both kerberized user and server authentication. I've been using it in
    production for some time now, and it works well.

    Of course, kerberized server authentication won't do you much good if sshd
    doesn't support it, and it is *not* in OpenSSH proper (except in certain
    distributions, e.g. Debian). For that, you need this (well-maintained)
    patch:

    http://www.sxw.org.uk/computing/patches/openssh.html

    --
    Richard Silverman
    res@qoxp.net
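A pre-flight script covering both the time-skew warning in the first post and the reply's points (OpenSSH 4.3's gssapi-with-mic needs only GSSAPIAuthentication turned on, and ticket-based login needs a host/<fqdn> principal in the server's keytab). This is an added example, not code from either poster, from PuTTY or from OpenSSH; the realm EXAMPLE.COM, the FQDN hostname.example.com, the config fragments and the klist listing it checks are hypothetical values constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, PuTTY or OpenSSH. Pre-flight checks
# for Kerberos (gssapi-with-mic) SSH logins against an AD realm, plus the
# config fragments the reply describes. REALM, HOST_FQDN and the sample
# keytab listing below are all hypothetical.

REALM="EXAMPLE.COM"              # assumed AD realm (upper case, as Kerberos expects)
HOST_FQDN="hostname.example.com" # assumed FQDN of the RHEL sshd host
MAX_SKEW=300                     # MIT Kerberos default clockskew, in seconds

# Server side: what sshd (OpenSSH 4.3 is enough) needs to accept a ticket.
# PasswordAuthentication stays on as a fallback, which is why a failed GSSAPI
# attempt is followed by a password prompt rather than a disconnect.
SSHD_CONFIG_FRAGMENT='GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication yes'

# Client side (OpenSSH). In PuTTY the equivalent is the GSSAPI option under
# Connection > SSH > Auth.
SSH_CONFIG_FRAGMENT='Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'

# config_enables_gssapi: read an sshd_config or ssh_config on stdin; succeed
# if an uncommented "GSSAPIAuthentication yes" is present (OpenSSH keywords
# are case-insensitive, so match case-insensitively).
config_enables_gssapi() {
    grep -iq '^[[:space:]]*GSSAPIAuthentication[[:space:]][[:space:]]*yes[[:space:]]*$'
}

# has_host_principal: read "klist -k" output on stdin; succeed if the keytab
# holds host/<fqdn>@<REALM>, the service principal the client's ticket is
# issued for. Without it sshd cannot verify the ticket and falls back to a
# password prompt.
has_host_principal() {
    grep -q "[[:space:]]host/$HOST_FQDN@$REALM\$"
}

# skew_ok LOCAL_EPOCH KDC_EPOCH: succeed if the two clocks are within MAX_SKEW
# seconds of each other; beyond that the KDC rejects with KRB_AP_ERR_SKEW.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# Constructed sample of "klist -k" output for the checks above.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/hostname.example.com@EXAMPLE.COM
   2 HOST/hostname.example.com@EXAMPLE.COM'

# Stand-alone run against the constructed samples and the local clock.
if printf '%s\n' "$SSHD_CONFIG_FRAGMENT" | config_enables_gssapi; then
    echo "sshd_config fragment enables GSSAPI"
fi
if printf '%s\n' "$SAMPLE_KLIST" | has_host_principal; then
    echo "keytab holds host/$HOST_FQDN@$REALM"
fi
now=$(date +%s)
if skew_ok "$now" "$(( now + 120 ))"; then
    echo "120 s of skew is inside the ${MAX_SKEW} s window"
fi
```

On a real host you would feed the functions live data instead of the samples: `klist -k /etc/krb5.keytab | has_host_principal`, `config_enables_gssapi < /etc/ssh/sshd_config`, and the epoch from the KDC (for example from the AD server's clock via NTP) as the second argument to skew_ok. Each function signals by exit status, so the checks chain cleanly in a larger script.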

