Is there a way to run sshd on a windows 2000 server and have ssh clients authenticate to it using domain level authentication?

Mike
"Lee-Lun, Michael [IT]" wrote:
> Is there a way to run sshd on a windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?

Almost. Windows 2000 uses Kerberos for authentication, and the SSPI which is an early version of the Kerberos GSSAPI. It uses the same protocol as the Kerberos GSSAPI. So if the ssh client and server use the GSSAPI then you are close.

You still need a server for Windows. There may be one out there.

> Mike
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Mike,

This can be done using either pam_smb or the pam modules included with the winbind component of samba. The latter maps Windows rids and gids to UNIX uids and gids, so essentially you can give Windows users access to UNIX resources without creating duplicate UNIX accounts for those users. I've used both pieces of software to do various things and tested the winbind pieces of samba to see if it would work with ssh (for fun)... it did. For ssh you still have to create home directories (for .ssh, etc.). There is a pam module for Linux that will even create home directories on the fly (dangerous in my opinion), but might be useful to some people (this piece does not work on Solaris).

I am not using winbind, because there wasn't yet centralized management of the mapping of rids/gids to uids/gids... it was on a server by server basis. I tend to use pam_smb in instances where some UNIX application needs only to get authentication... most of our users have accounts in the Active Directory, but not in UNIX (and creating a shell account just to authenticate is overkill). Ultimately all authentication will go through LDAP, but that whole system is not in place yet.

If you want more details on any of this I can provide them offline.

-Scott

On Tue, 2003-05-20 at 11:18, Lee-Lun, Michael [IT] wrote:
> Is there a way to run sshd on a windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?
>
> Mike

--
Scott Burch <scott.burch at camberwind.com>
Mike,

You can do this with pam_smb or the pam modules included with versions of samba where you compile the winbind component. I can provide more details if you'd like. I don't do this, but I did play with the winbind component of samba to see how it worked, it was interesting but not really useful in the large distributed environment that I work in. Winbind maps Windows 2000 gids and rids into UNIX uids and gids... so essentially you can provide services on UNIX without creating a UNIX account for your Windows users. There is even this very scary module on Linux that can create home directories on the fly (obviously some things like ssh require a home directory to store .ssh, etc.), but this is not something I would do!

If you want more details I can provide them.

-Scott

On Tue, 2003-05-20 at 11:18, Lee-Lun, Michael [IT] wrote:
> Is there a way to run sshd on a windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?
>
> Mike

--
Scott Burch <scott.burch at camberwind.com>
On Tue, May 20, 2003 at 01:01:05PM -0500, Douglas E. Engert wrote:
> "Lee-Lun, Michael [IT]" wrote:
> > Is there a way to run sshd on a windows 2000 server and have ssh clients
> > authenticate to it using domain level authentication?
>
> Almost. Windows 2000 uses Kerberos for authentication, and the SSPI which
> is an early version of the Kerberos GSSAPI. It uses the same protocol as
> the Kerberos GSSAPI. So if the ssh client and server use the GSSAPI then
> you are close.
>
> You still need a server for Windows. There may be one out there.

You can do this with a Cygwin sshd. But it needs a well maintained /etc/passwd and /etc/group files containing the domain accounts which are allowed to login.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
On Tue, May 20, 2003 at 03:17:47PM -0400, Lee-Lun, Michael [IT] wrote:
> This is what I am using now, but this won't work well in our environment. I
> want to be able to let users login to an ssh host and use the NT domain to
> authenticate directly without using etc/passwd. How can this be done?

Without /etc/passwd not with Cygwin sshd.

Please keep replies on list. I've redirected this mail back to the openssh-unix-dev mailing list.

Corinna

> -----Original Message-----
> From: Corinna Vinschen [mailto:vinschen at redhat.com]
> Sent: Tuesday, May 20, 2003 2:24 PM
> To: 'openssh-unix-dev at mindrot.org'
> Subject: Re: Sshd and domain authentication
>
> On Tue, May 20, 2003 at 01:01:05PM -0500, Douglas E. Engert wrote:
> > "Lee-Lun, Michael [IT]" wrote:
> > > Is there a way to run sshd on a windows 2000 server and have ssh
> > > clients authenticate to it using domain level authentication?
> >
> > Almost. Windows 2000 uses Kerberos for authentication, and the SSPI
> > which is an early version of the Kerberos GSSAPI. It uses the same protocol as
> > the Kerberos GSSAPI. So if the ssh client and server use the GSSAPI then
> > you are close.
> >
> > You still need a server for Windows. There may be one out there.
>
> You can do this with a Cygwin sshd. But it needs a well maintained
> /etc/passwd and /etc/group files containing the domain accounts which are
> allowed to login.
>
> Corinna
> [...]

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
On Wed, 2003-05-21 at 04:19, Scott Burch wrote:
> Mike,
>
> You can do this with pam_smb

Please do not use pam_smb. pam_winbind is a much better idea, as pam_smb can be too easily spoofed on the network.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
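Putting Scott's winbind setup and Andrew's "use pam_winbind, not pam_smb" advice together, here is an added example of the PAM stack for a Linux sshd (not from the thread or from the Samba project). It assumes sshd was built with PAM support, that the samba winbindd daemon is running and joined to the domain, that the host uses /etc/pam.d/sshd, and that the winbind idmap range in smb.conf is already configured; the pam_smb line is shown only as the setting to avoid.

```text
# /etc/pam.d/sshd  (assumed Linux layout; added example, not from the thread)
#
# Module order matters: PAM walks each stack top to bottom.

# --- auth: who is this user? ---
# Refuse logins while /etc/nologin exists (maintenance window).
auth     required   pam_nologin.so
# Domain users: winbindd checks the password against the domain controller over
# the existing (authenticated) machine-account channel, so nothing here depends
# on an unverified SMB server answering the request.
auth     sufficient pam_winbind.so
# Local UNIX users fall through here; use_first_pass reuses the password already
# typed instead of prompting again.
auth     required   pam_unix.so use_first_pass
#
# Weak alternative (the one Andrew warns against); do NOT add this line.
# pam_smb asks a server by name for "is this password right?", which an
# attacker who can answer that query on the network can satisfy.
#   auth sufficient pam_smb_auth.so

# --- account: is the account allowed in right now? ---
# winbind enforces domain-side restrictions (disabled, expired, lockout).
account  sufficient pam_winbind.so
account  required   pam_unix.so

# --- session: set up the login environment ---
# Scott's "create home directories on the fly" module. Only sensible on a
# host where you accept that any domain account gets a home directory the
# first time it logs in; umask=0077 keeps ~/.ssh private to the owner, which
# sshd requires for authorized_keys to be honoured.
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
session  required   pam_unix.so
```

Because the uid/gid mapping winbind produces is per-host unless idmap is centralised (Scott's objection), check with `getent passwd DOMAIN\\user` on each server that the same account receives the same uid before exporting home directories between them.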