search for: gssapiauthentication

Displaying 20 results from an estimated 143 matches for "gssapiauthentication".

2018 May 05
0
GSSAPIAuthentication needs krb5.keytabe on one config, not on another one
...works fine, and it took me a lot of searches and test/try to make it that way. Now, I'm trying to repeat the configuration on another server (both are identical VMs) and I nearly achieve the same goal, except for this : on the second setup, I have to manually generate /etc/krb5.keytab for the GSSApiAuthentication to work. This is annoying, because I have to do this for every user I add. Alas, I don't remember all the tweaks I made on my first setup, and can't figure out where the difference is... The only thing I notice is samba version 4.8.0 on the first machine, 4.8.1 on the second one, but I don...
2018 Dec 01
3
Cannot log into Samba4 AD/DC with ssh as domain user
...r, I have tried logging into the Samba4 AD server as a domain user: labmac:~ mark$ ssh mark at mail pwd mark at mail's password: Permission denied, please try again. where 'mail' is the AD/DC. It also fails if I am on the AD/DC and try the same ssh. I've tried setting either the GSSAPIAuthentication or KerberosAuthentication in /etc/ssh/sshd_config, but those don't help. I get: Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication Dec 1 06:09:22 mail sshd[8...
2018 Dec 02
2
Cannot log into Samba4 AD/DC with ssh as domain user
...> > > > Permission denied, please try again. > > > > > > > > where 'mail' is the AD/DC. > > > > > > > > It also fails if I am on the AD/DC and try the same ssh. > > > > > > > > I've tried setting either the GSSAPIAuthentication or > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't > > > > help. I get: Stop here. If you have root privileges, add a *local* account on the relevant system, and log in using the Kerberos credentials. If those don't work, you have other issue...
2018 Dec 01
0
Cannot log into Samba4 AD/DC with ssh as domain user
...mark at mail's password: > > > Permission denied, please try again. > > > > > > where 'mail' is the AD/DC. > > > > > > It also fails if I am on the AD/DC and try the same ssh. > > > > > > I've tried setting either the GSSAPIAuthentication or > > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't > > > help. I get: > > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option > > > GSSAPIAuthentication Dec 1 06:09:19 mail sshd[8645]: reprocess > >...
2007 May 06
2
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
...mindrot.org ReportedBy: Markus.Kuhn at cl.cam.ac.uk I would like to propose the addition of a new command-line option to the OpenSSH client program "ssh": -K Enables both GSSAPI authentication and forwarding of GSSAPI credentials to server (equivalent to options GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes) Reason: When logging in to servers that use Kerberized NFS, it is not possible to use publickey authentication, because ~/.ssh/authorized_keys is not available at the time of login. In such environments, which become increasingly common due to security worri...
2014 May 25
2
Samba 4 / Kerberos / ssh
...ervice principal to connect to the other domain controller. I know for that I need a working /etc/krb5.keytab e.g. I have two s4 dc's bob alice I have done the following. I want to connect from bob to alice with the service accounts I added the following to both of the dcs sshd_config GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck yes GSSAPIKeyExchange yes ssh_config GSSAPIAuthentication yes GSSAPIDelegationCredentials yes GSSAPIKeyExchange yes GSSAPITrustDNS yes After that I created the keytab I know I need a working ticket Samba-tool domain exportkeytab /etc/kr...
2006 Jul 10
1
[Bug 944] ssh_config missing default configuration values for GSSAPI
...around and enabling the variables in /etc/ssh/sshd_config it turned out the *client* lacked the variables in /etc/ssh/ssh_config, which would instruct it to try gssapi. Please add to /etc/ssh/ssh_config these two lines: # Instruct ssh(1) client to attempt GSSAPI authentication, see ssh_config(5) # GSSAPIAuthentication yes # GSSAPIDelegateCredentials yes </quote> ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2007 Sep 30
2
Central principal->user@host management?
[Apologies if this is an off-topic question; please direct me to a more appropriate place if so.] Using Kerberos/GSSAPIAuthentication, is there a way to centrally control/manage (perhaps using LDAP?) which user principals can log into what hosts/accounts? -- Jos Backus jos at catnook.com
2015 Feb 23
2
help with negative patterns in Match
...ig: #general config #... Match User foo LocalAddress 10.0.0.1,fe80:abba::0 PasswordAuthentication no KbdInteractiveAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no KerberosAuthentication no GSSAPIAuthentication no RSAAuthentication no PubkeyAuthentication yes Match User foo LocalAddress !10.0.0.1,!fe80:abba::0 PasswordAuthentication no KbdInteractiveAuthentication no RhostsRSAAuthentication no Hostbase...
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
...es = nss, pam config_file_version = 2 domains = $DOMAINNAME$ [nss] [pam] [domain/$DOMAINNAME$] id_provider = ad access_provider = ad ldap_id_mapping=false krb5_keytab=/etc/krb5.keytab And sshd with the following sshd_config: AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck no GSSAPIStoreCredentialsOnRekey yes UsePAM yes X11Forwarding yes UseDNS no Subsystem sftp /usr/lib/ssh/sftp-server AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS...
2006 Feb 10
0
OpenSSH ControlAllowUsers, et al Patch
...ControlMaster ControlPath + ControlBindMask + ControlAllowUsers + ControlAllowGroups + ControlDenyUsers + ControlDenyGroups GlobalKnownHostsFile GSSAPIAuthentication GSSAPIDelegateCredentials Index: scp.1 =================================================================== --- scp.1 (revision 15802) +++ scp.1 (revision 15803) @@ -130,6 +130,11 @@ .It ConnectTimeout .It ControlMaster .It ControlPath +.It ControlBindMask +.It ControlAllowUse...
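Review bot: the added entries break the alphabetical order of the option list, both in the first list (after ControlPath, before GlobalKnownHostsFile) and in the scp.1 hunk at line 130. The existing entries run ControlMaster, ControlPath, GlobalKnownHostsFile, GSSAPIAuthentication, so the new ones should be inserted in sorted position before ControlMaster, as ControlAllowGroups, ControlAllowUsers, ControlBindMask, ControlDenyGroups, ControlDenyUsers, rather than appended after ControlPath in the order they were implemented.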
2008 Apr 04
7
User-specific sshd_config?
Hi. I wonder if it would be possible to implement support for a user-specific sshd_config. The primary reason is that I would like the ability to specify that I'm only allowed to login with a key pair, even though the system-wide sshd configuration still allows passwords for other users. Of course, a user-specific sshd_config file should not be able to break the security policy of the
2018 Dec 02
2
Cannot log into Samba4 AD/DC with ssh as domain user
...> > > > > > > > > > > where 'mail' is the AD/DC. > > > > > > > > > > > > It also fails if I am on the AD/DC and try the same ssh. > > > > > > > > > > > > I've tried setting either the GSSAPIAuthentication or > > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those > > > > > > don't help. I get: > > > > > > > > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option > > > > > >...
2009 May 06
1
Kerberos and 2008 AD troubles
...QDN of the machine with the AD DNS name /etc/krb5.conf: Added AD realm info /etc/samba/smb.conf: All AD info entered correctly Net ads join: OK Wbinfo -u/g: Shows all users and groups in the domain Pam_winbind: Allows users to login to the console or through SSH (password) /etc/ssh/sshd_conf: GSSAPIAuthentication yes /etc/ssh/ssh_conf (on remote machine configured exactly the same): GSSAPIAuthentication yes and GSSAPIDelegateCredentials no Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using Samba 3.3.3 /etc/samba/smb.conf: [global]...
2012 Jul 09
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi, I am doing some kerberos testing with samba4 using ssh. I have setup samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and active directory seems to be working both with Windows and Linux clients. ssh unfortunately is not kerberos authenticating via GSSAPI. The client krb5.conf contains this: ===================================================== [libdefaults]
2019 Jan 15
4
SSH SSO without keytab file
Hai, Let's start here. Handy for us to know. OS? Samba version? AD or member setup? And I suggest, set this in the ssh server. # GSSAPI options GSSAPIAuthentication yes Restart the ssh server and try to SSO login. If it's an AD server this should work. Yes, you don't get home dir etc, end up in / after login, but let's check if this works. Greetz, Louis > -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] Namen...
2020 Jul 13
2
Authentication with trusted credentials
...es dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis *passwd: compat winbindgroup: compat winbind* *#passwd: files winbind#group: files winbind* If I use default sshd_config # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no I have: d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room SVITLA3\test01 at uc-smlbox20.svitla3.room's password: Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) d at uc-s...
2018 Sep 14
2
sftp fails when run from cron
...correctly when started from a command line. It fails when run from cron. Authentication with the remote server is set to use a private/public key and does not require an explicit password. Why does the authentication fail when run from cron? ----[ command ]---- /usr/bin/sftp -vv -P 1022 -p -o GSSAPIAuthentication=no \ -i /home/xxx/.ssh/jumpline \ -b /home/xxx/bin/sftp-sma-download-batch \ yyy at sohnen-moe.com ----[ end ]---- ---[ successful login ]--- debug2: set_newkeys: mode 0 debug1: rekey after 4294967296 blocks ** the logs were the same for the two instances up to this point ** debug2: key: /home/...
2016 Nov 17
1
long delay when logging in
On 17/11/16 16:34, Digimer wrote: > Edit /etc/ssh/sshd_config > > Set: > > UseDNS no > GSSAPIAuthentication no > > Save, restart sshd, try again. This will certainly stop the long timeout, but I prefer telling people to fix their DNS. The long timeout is indicative of a DNS issue and turning off DNS for ssh is just masking the real problem. I prefer to leave DNS on for ssh as it's a good in...
2023 Aug 02
1
[PATCH] ssh_config: reflect default CheckHostIP no
...make CheckHostIP default to 'no'...") > --- > ssh_config | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ssh_config b/ssh_config > index 842ea866c..1eb1c0063 100644 > --- a/ssh_config > +++ b/ssh_config > @@ -25,7 +25,7 @@ > # GSSAPIAuthentication no > # GSSAPIDelegateCredentials no > # BatchMode no > -# CheckHostIP yes > +# CheckHostIP no > # AddressFamily any > # ConnectTimeout 0 > # StrictHostKeyChecking ask > -- > 2.38.1 >
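Review bot: the changed line in the hunk at ssh_config line 25 (-# CheckHostIP yes / +# CheckHostIP no) is a commented-out default in the sample file, so nothing breaks at build or run time if it drifts from the real default again. In the same patch, confirm that the CheckHostIP entry in ssh_config.5 states the same default and correct it there too if it does not, so the sample file and the manual stay in step.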