Hello,

I have a question about SSH with Kerberos password authentication. Do I receive any host ticket on my client machine when I make an ssh connection with Kerberos password authentication? If not, why?

If I log in to a remote machine through telnet with Kerberos password authentication [through PAM-kerberos], then I can see the tickets with klist. But with the same setup for sshd, I cannot see the tickets with klist.

Thanks,
Kumaresh

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004
As a follow-up to the previous question, I dug into the source; please validate my understanding.

When SSH is used with GSSAPI or Kerberos password authentication, once the user is authenticated and after logout, if we do klist, then there are no keys displayed. I have come across the function krb5_free_principal(). Is this the function that destroys the keys after the authentication is done?

Thanks for your answers.

Regards,
Kumar

----- Original Message -----
From: "Kumaresh" <kumaresh_ind at gmx.net>
To: "OpenSSH Devel List" <openssh-unix-dev at mindrot.org>
Sent: Thursday, March 04, 2004 4:11 PM
Subject: SSH + Kerberos Password auth
Kumaresh wrote:
> Hello,
>
> I have a question about SSH with Kerberos password authentication.

Maybe I am misunderstanding your question. Do you mean when you send your user and password over the network to a remote machine? The sshd on that machine then uses your user and password to get Kerberos tickets and saves the tickets in the cache on that machine.

> Do I receive any host ticket on my client machine when I make an ssh connection
> with Kerberos password authentication? If not, why?

No, not on the client, as you are not using Kerberos on the client, only on the remote machine. In this case the client does not need any Kerberos code.

> If I log in to a remote machine through telnet with Kerberos password
> authentication [through PAM-kerberos], then I can see the tickets with
> klist. But with the same setup for sshd, I cannot see the tickets with
> klist.

Is your Kerberos password the same as the local machine password? Whose Kerberos are you using? What is in your sshd_config? Is a KRB5CCNAME environment variable set for you?

It works for me, but we don't normally have this turned on, as the intent of Kerberos is to get credentials on the local workstation once, then use the GSSAPI to authenticate and delegate to remote hosts. When used as intended, the Kerberos password never leaves the local machine. And if you were to use some Kerberos pre-auth you may not even have a Kerberos password to send!

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Kumaresh wrote:
> As a follow-up to the previous question, I dug into the source; please
> validate my understanding.
>
> When SSH is used with GSSAPI or Kerberos password authentication, once the
> user is authenticated and after logout, if we do klist, then there are no
> keys displayed.

Normally the ticket cache is cleaned up when the user logs out. See sshd_config:

    KerberosTicketCleanup yes

> I have come across the function krb5_free_principal(). Is this the function
> that destroys the keys after the authentication is done?

No.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
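A small config audit, added here as an illustration and not code from the thread or from OpenSSH, that reads an sshd_config fragment with sshd's first-occurrence-wins rule and reports which of the Kerberos paths Douglas describes are enabled and whether KerberosTicketCleanup will empty the server-side cache at logout. The sample fragment is constructed, and the default-value table is an assumption taken from sshd_config(5) for the keywords this thread touches.

```python
import re

# Assumed OpenSSH defaults (sshd_config(5)) for the keywords discussed in the thread.
DEFAULTS = {
    "kerberosauthentication": "no",   # password sent to sshd, TGT fetched on the server
    "kerberosticketcleanup": "yes",   # destroy the server-side cache at logout
    "gssapiauthentication": "no",     # client presents its own ticket, no password sent
    "usepam": "no",                   # tickets then come from the PAM stack, not sshd
}

def parse_sshd_config(text):
    """Effective global settings: first occurrence of a keyword wins, as in sshd.
    Keyword and value may be separated by whitespace or '='; comments are dropped.
    Parsing stops at the first Match block, whose overrides are out of scope here."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return {k: seen.get(k, v) for k, v in DEFAULTS.items()}

def audit_kerberos(settings):
    """Map the effective settings to the behaviours described in the thread."""
    findings = {}
    if settings["kerberosauthentication"] == "yes":
        findings["password-to-sshd"] = "client sends its Kerberos password; sshd obtains the TGT on the server"
    if settings["gssapiauthentication"] == "yes":
        findings["gssapi"] = "client authenticates with tickets it already holds; password stays on the workstation"
    if settings["usepam"] == "yes":
        findings["pam"] = "ticket handling depends on the PAM stack (e.g. pam_krb5), as with telnet"
    if settings["kerberosticketcleanup"] == "yes":
        findings["cleanup"] = "server-side cache destroyed at logout, so klist afterwards shows nothing"
    else:
        findings["no-cleanup"] = "server-side cache persists after logout"
    return findings

# Constructed sshd_config fragment for the audit (not from the thread).
SAMPLE = """KerberosAuthentication yes
KerberosTicketCleanup = no
KerberosTicketCleanup yes   # ignored: first occurrence wins
GSSAPIAuthentication yes
UsePAM no
Match User someone
    GSSAPIAuthentication no
"""

if __name__ == "__main__":
    for tag, text in audit_kerberos(parse_sshd_config(SAMPLE)).items():
        print(f"{tag}: {text}")
```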
Kumaresh wrote:
> I have a question about SSH with Kerberos password authentication.
>
> Do I receive any host ticket on my client machine when I make an ssh connection
> with Kerberos password authentication? If not, why?

Are you using the PAM Kerberos module for sshd, or did you configure --with-kerberos5?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.