Displaying 20 results from an estimated 72 matches for "gssapicleanupcredentials".
2003 Dec 10
1
GSSAPICleanupCredentials vs GSSAPICleanupCreds
In 3.7.1p2, the sshd_config manpage talks about GSSAPICleanupCredentials, while
servconf.c uses GSSAPICleanupCreds. Here is a patch:
--- openssh-3.7.1p2/servconf.c.orig 2003-12-10 10:43:52.000000000 -0200
+++ openssh-3.7.1p2/servconf.c 2003-12-10 10:44:13.000000000 -0200
@@ -310,10 +310,10 @@
{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
{ &quo...
2003 Sep 17
3
[Bug 655] sshd_config.5: 'GSSAPICleanupCredentials' -> '...Creds'
http://bugzilla.mindrot.org/show_bug.cgi?id=655
Summary: sshd_config.5: 'GSSAPICleanupCredentials' -> '...Creds'
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: OpenBSD
Status: NEW
Severity: minor
Priority: P2
Component: Documentation
AssignedTo: openssh-bugs at mindrot...
2006 Oct 12
0
GSSAPICleanupCredentials and UsePrivilegeSeperation
It looks to me like GSSAPICleanupCredentials doesn't work if
UsePrivilegeSeparation is set to "no".
Is this a bug, or am I doing something wrong?
On a related note, is there a SERVER way to disable
GSSAPIDelegateCredentials?
2014 May 25
2
Samba 4 / Kerberos / ssh
...ct to the other domain controller. I know for that i need a working /etc/krb5.keytab
e.g. i have two s4 dc's
bob
alice
i have done the following. I want to connect from bob to alice with the service accounts
I added to the following to both of the dcs
sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
ssh_config
GSSAPIAuthentication yes
GSSAPIDelegationCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
After that i created the keytab i know i need an working ticket
Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$...
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
..._version = 2
domains = $DOMAINNAME$
[nss]
[pam]
[domain/$DOMAINNAME$]
id_provider = ad
access_provider = ad
ldap_id_mapping=false
krb5_keytab=/etc/krb5.keytab
And sshd with to following sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT...
2016 Jun 15
2
FW: Problem with Active Directory authentication
...changes that were made for the benefit of the group:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the
console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username>
command is entered at the console, the output read...
2020 Oct 02
5
Kerberos ticket lifetime
On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working.? I can SSH to the system, and I get
> a proper ticket.? My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system.? I think I can script around
> that and just not rely on winbind to do it.
2020 Jul 13
2
Authentication with trusted credentials
...les
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
*passwd: compat winbindgroup: compat winbind*
*#passwd: files winbind#group: files winbind*
If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d at uc-smlbox20:~$ ssh APEX\\jake at...
2017 May 09
2
ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
...ame = KEYRING:persistent:%{uid}
[domain_realm]
.dsdev = DSDEV.LOCAL
dsdev = DSDEV.LOCAL
dsdev.local = DSDEV.LOCAL
.dsdev.local = DSDEV.LOCAL
/etc/ssh/ssd_config:
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
/etc/resolv.conf:
search dsdev.local ourdomain
nameserver y.y.y.y.
nameserver x.x.x.x
/etc/pam.d/password-auth-ac:
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth...
2015 Jul 18
2
can't ssh into C7 host
...t at db1 ~]# grep -v '#' /etc/ssh/sshd_config |sed '/^\s*$/d'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
So I performed a verbose ssh login, and this is what I saw:
#ssh -vvv bluethundr at db1.example.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/MyUser/.ssh/config
debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
negated match...
2006 Jun 20
1
unable to login with LDAP when set Uselogin to yes
...#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# Passwo...
2006 Jan 20
1
openssh-4.2p1 + Pam question !
...PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# Passwo...
2020 Jul 13
0
Authentication with trusted credentials
...les
> rpc: db files
>
> netgroup: nis
>
>
> *passwd: compat winbindgroup: compat winbind*
>
>
>
> *#passwd: files winbind#group: files winbind*
>
>
> If I use default sshd_config
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> I have:
>
> d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
>
> SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
>
> Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x...
2012 Jul 09
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi,
I am doing some kerberos testing with samba4 using ssh. I have setup
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
active directory seems to be working both with Windows and Linux clients.
ssh unfortunately is not kerberos authenticating via GSSAPI. The client
krb5.conf contains this:
=====================================================
[libdefaults]
2020 Jul 13
3
Authentication with trusted credentials
Hi friends,
I have a one way outgoing trust between SAMBA trusting domain and AD
trusted domain.
SSH Authentication of a user belonging to the SAMBA domain works properly
on a Linux computer which is a member of SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same
Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts
2015 Jul 19
0
can't ssh into C7 host
...ssh/sshd_config
would be straighter.
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> SyslogFacility AUTHPRIV
> AuthorizedKeysFile .ssh/authorized_keys
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> So I performed a verbose ssh login, and this is what I saw:
>
>
> #ssh -vvv bluethundr at db1.example.com
>
> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>
> debug1: Reading configuration data /Users/MyUser/.ssh/config
Odd path.
> debug1: /Users/MyUser/.ssh/con...
2016 Jun 15
0
FW: Problem with Active Directory authentication
...t; # Change to no to disable s/key passwords
> ChallengeResponseAuthentication no
>
> # Kerberos options
> KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> KerberosGetAFSToken yes
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the
> console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username>
> command is entered at the conso...
2020 Oct 02
0
Kerberos ticket lifetime
Ah, and it that server allowed to "forward/exchange" that ticket?
Try this on both servers and test again.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes
Which you need exaclty, i dont now, but i think you need to look in this area..
Think in this :
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Which are allowed for the server(s)?
Greetz,
Louis
> ----...
2005 Sep 20
0
GSSAPI credentials deletion
Hello,
I have a problem dealing with GSSAPI credentials cleanup with OpenSSH
4.x (GSSAPI libs from Kerberos MIT's implementation 1.4.2). Although I
use "GSSAPICleanupCredentials yes", credentials remain undeleted after
connection. The same test with OpenSSH 3.9p1 is successful.
Has anyone encountered the same problem?
Best regards,
Emmanuel
2008 Dec 02
0
SSHD does not cleanup kerberos ticket while root logins
...ogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
RhostsRSAAuthentication
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Regards,
Michal P.
--
Michal Prochazka // michalp at ics.muni.cz
Supercomputing Center Brno
Institute of Computer Science
Masary...