Displaying 20 results from an estimated 77 matches for "gssapicleanupcredenti".
2003 Dec 10
1
GSSAPICleanupCredentials vs GSSAPICleanupCreds
In 3.7.1p2, the sshd_config manpage talks about GSSAPICleanupCredentials, while
servconf.c uses GSSAPICleanupCreds. Here is a patch:
--- openssh-3.7.1p2/servconf.c.orig 2003-12-10 10:43:52.000000000 -0200
+++ openssh-3.7.1p2/servconf.c 2003-12-10 10:44:13.000000000 -0200
@@ -310,10 +310,10 @@
{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
{ &...
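Review bot: the hunk at servconf.c line 310 is cut off here before any changed line, so the keyword-table edit itself cannot be checked; if it renames the "GSSAPICleanupCreds" entry to match the manpage, keep the old spelling as a second table entry so that existing sshd_config files using it still parse.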
2003 Sep 17
3
[Bug 655] sshd_config.5: 'GSSAPICleanupCredentials' -> '...Creds'
http://bugzilla.mindrot.org/show_bug.cgi?id=655
Summary: sshd_config.5: 'GSSAPICleanupCredentials' -> '...Creds'
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: OpenBSD
Status: NEW
Severity: minor
Priority: P2
Component: Documentation
AssignedTo: openssh-bugs at mind...
2006 Oct 12
0
GSSAPICleanupCredentials and UsePrivilegeSeparation
It looks to me like GSSAPICleanupCredentials doesn't work if
UsePrivilegeSeparation is set to "no".
Is this a bug, or am I doing something wrong?
On a related note, is there a SERVER way to disable
GSSAPIDelegateCredentials?
2014 May 25
2
Samba 4 / Kerberos / ssh
...ct to the other domain controller. I know for that I need a working /etc/krb5.keytab
e.g. I have two s4 dc's
bob
alice
I have done the following. I want to connect from bob to alice with the service accounts
I added the following to both of the dcs
sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
ssh_config
GSSAPIAuthentication yes
GSSAPIDelegationCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
After that I created the keytab. I know I need a working ticket
Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice...
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
..._version = 2
domains = $DOMAINNAME$
[nss]
[pam]
[domain/$DOMAINNAME$]
id_provider = ad
access_provider = ad
ldap_id_mapping=false
krb5_keytab=/etc/krb5.keytab
And sshd with the following sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREME...
2024 Jun 11
1
kerberos default_ccache_name with sssd
...narkive.com/YJB4Hshz/krb5ccname-and-sshd
Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd and your environment should have a KRB5CCNAME with that name.
If you share the ticket cache between multiple login sessions, when the first session ends,
the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted. Using /tmp means the cache is destroyed upon a shutdown/restart. /tmp is also a local file system. /home may be on
a network disk which has other issues.
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http...
2016 Jun 15
2
FW: Problem with Active Directory authentication
...changes that were made for the benefit of the group:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the
console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username>
command is entered at the console, the output r...
2020 Oct 02
5
Kerberos ticket lifetime
On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working. I can SSH to the system, and I get
> a proper ticket. My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system.? I think I can script around
> that and just not rely on winbind to do it.
2024 Jun 06
2
kerberos default_ccache_name with sssd
...chedir = %h
krb5_ccname_template = FILE:%d/.krb5cc_%U
I configured krb5.conf with:
[libdefaults]
default_ccache_name = FILE:/home/%{username}/.krb5cc_%{uid}
My sshd_config has the following:
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
UseDNS yes
*What I noticed:*
When I ssh to the host I can see that klist shows my cache file under /tmp:
Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK
Default principal: jdoe at DOMAIN.NET
Valid starting Expires Service principal
06/06/2024...
2020 Jul 13
2
Authentication with trusted credentials
...les
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
*passwd: compat winbind*
*group: compat winbind*
*#passwd: files winbind*
*#group: files winbind*
If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d at uc-smlbox20:~$ ssh APEX\\jake...
2024 Jun 11
1
kerberos default_ccache_name with sssd
...z/krb5ccname-and-sshd
>
> Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd and your environment should have a KRB5CCNAME with that name.
> If you share the ticket cache between multiple login sessions, when the first session ends,
> the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted. Using /tmp means the cache is destroyed upon a shutdown/restart. /tmp is also a local file system. /home may be on
> a network disk which has other issues.
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot...
2017 May 09
2
ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
...ame = KEYRING:persistent:%{uid}
[domain_realm]
.dsdev = DSDEV.LOCAL
dsdev = DSDEV.LOCAL
dsdev.local = DSDEV.LOCAL
.dsdev.local = DSDEV.LOCAL
/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
/etc/resolv.conf:
search dsdev.local ourdomain
nameserver y.y.y.y.
nameserver x.x.x.x
/etc/pam.d/password-auth-ac:
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
au...
2015 Jul 18
2
can't ssh into C7 host
...t at db1 ~]# grep -v '#' /etc/ssh/sshd_config |sed '/^\s*$/d'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
So I performed a verbose ssh login, and this is what I saw:
#ssh -vvv bluethundr at db1.example.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/MyUser/.ssh/config
debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
negated ma...
2006 Jun 20
1
unable to login with LDAP when set Uselogin to yes
...#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# Pas...
2024 Jun 12
1
kerberos default_ccache_name with sssd
...d
> >
> > Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it is set by sshd and your environment should have a KRB5CCNAME with that name.
> > If you share the ticket cache between multiple login sessions, when the first session ends,
> > the "GSSAPICleanupCredentials yes" will cause the shared ticket cache to be deleted. Using /tmp means the cache is destroyed upon a shutdown/restart. /tmp is also a local file system. /home may be on
> > a network disk which has other issues.
> > > openssh-unix-dev mailing list
> > > openssh-unix...
2006 Jan 20
1
openssh-4.2p1 + Pam question !
...PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# Pas...
2020 Jul 13
0
Authentication with trusted credentials
...les
> rpc: db files
>
> netgroup: nis
>
>
> *passwd: compat winbind*
> *group: compat winbind*
>
>
>
> *#passwd: files winbind*
> *#group: files winbind*
>
>
> If I use default sshd_config
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> I have:
>
> d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
>
> SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
>
> Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generi...
2012 Jul 09
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi,
I am doing some kerberos testing with samba4 using ssh. I have setup
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
active directory seems to be working both with Windows and Linux clients.
ssh unfortunately is not kerberos authenticating via GSSAPI. The client
krb5.conf contains this:
=====================================================
[libdefaults]
2020 Jul 13
3
Authentication with trusted credentials
Hi friends,
I have a one way outgoing trust between SAMBA trusting domain and AD
trusted domain.
SSH Authentication of a user belonging to the SAMBA domain works properly
on a Linux computer which is a member of SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same
Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts
2015 Jul 19
0
can't ssh into C7 host
...ssh/sshd_config
would be straighter.
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> SyslogFacility AUTHPRIV
> AuthorizedKeysFile .ssh/authorized_keys
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> So I performed a verbose ssh login, and this is what I saw:
>
>
> #ssh -vvv bluethundr at db1.example.com
>
> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>
> debug1: Reading configuration data /Users/MyUser/.ssh/config
Odd path.
> debug1: /Users/MyUser/.ssh/...