Displaying 20 results from an estimated 32 matches for "gssapikeyexchange".
2014 Jan 24
3
[Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198
Bug ID: 2198
Summary: GSSAPIKeyExchange gssapi-keyex bug in kex.c
choose_kex()
Product: Portable OpenSSH
Version: 6.4p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Kerberos support
Assign...
2022 Mar 14
8
[Bug 3406] New: RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406
Bug ID: 3406
Summary: RSA key authentication doesn't work with enabled
GSSAPIKeyExchange: sign_and_send_pubkey: internal
error: initial hostkey not recorded
Product: Portable OpenSSH
Version: 8.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Ke...
2009 Apr 21
0
GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck
Hi folks
Is there any particular reason why these two great features (thanks Simon!) are not part of the OpenSSH mainstream?
Met vriendelijke groet
Best regards
Bien à vous
Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
2014 May 25
2
Samba 4 / Kerberos / ssh
...a working /etc/krb5.keytab
e.g. i have two s4 dc's
bob
alice
i have done the following. I want to connect from bob to alice with the service accounts
I added the following to both of the dcs
sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
ssh_config
GSSAPIAuthentication yes
GSSAPIDelegationCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
After that I created the keytab; I know I need a working ticket
samba-tool domain exportkeytab /etc/krb5.keytab --principal=alice$
I get the ticket with on bob for alice
kinit -v -k...
2020 Jul 13
2
Authentication with trusted credentials
...: db files
rpc: db files
netgroup: nis
*passwd: compat winbind*
*group: compat winbind*
*#passwd: files winbind*
*#group: files winbind*
If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
APEX\jake at uc-smlbox20.svi...
2020 Jul 13
3
Authentication with trusted credentials
Hi friends,
I have a one way outgoing trust between SAMBA trusting domain and AD
trusted domain.
SSH Authentication of a user belonging to the SAMBA domain works properly
on a Linux computer which is a member of SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same
Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts
2020 Oct 02
5
Kerberos ticket lifetime
On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working. I can SSH to the system, and I get
> a proper ticket. My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system. I think I can script around
> that and just not rely on winbind to do it.
2020 Jul 13
0
Authentication with trusted credentials
...
> *passwd: compat winbind*
> *group: compat winbind*
>
> *#passwd: files winbind*
> *#group: files winbind*
>
>
> If I use default sshd_config
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> I have:
>
> d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
>
> SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
>
> Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
>
> d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox...
2020 Jul 14
3
Authentication with trusted credentials
...             db files
rpc:            db files
netgroup:       nis
passwd: compat winbind
group:  compat winbind
#passwd: files winbind
#group:  files winbind
If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
APEX\jake at uc-smlbox20...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2020 Jul 16
0
Authentication with trusted credentials
...d/g' /etc/nsswitch.conf
sed -i 's/group: files systemd/group: files systemd winbind/g' /etc/nsswitch.conf
pam-auth-update
### And I enabled this part in sshd, not automated yet, do this manually.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes # If your version supports this/
GSSAPIStoreCredentialsOnRekey yes # If your version supports this/
# Remember with UseDNS no, you can't use kerberos auth
UseDNS yes
reboot
And done, I can login with putty, with kerberos SSO from a windows pc.
(after setting putty correctly o...
2012 Jul 09
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi,
I am doing some kerberos testing with samba4 using ssh. I have setup
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
active directory seems to be working both with Windows and Linux clients.
ssh unfortunately is not kerberos authenticating via GSSAPI. The client
krb5.conf contains this:
=====================================================
[libdefaults]
2020 Oct 02
0
Kerberos ticket lifetime
Ah, and is that server allowed to "forward/exchange" that ticket?
Try this on both servers and test again.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes
Which you need exactly, I don't know, but I think you need to look in this area.
Think in this :
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Which are allowed for the server(s)?
Greetz,
Louis
> -----Original message-----
> From: samba [mail...
2001 May 21
1
Problems with Krb5/GSSAPI patches in FBSD 4.3
...pt for Krb5
passwords or Krb5 tickets. And I really can't tell if the patches are even
working or if it contacts the KDC (no error message shows up on console or
in /var/log/messages) It just rejects my Krb5 password.
Per the patch, I do have this in my sshd_config:
GssapiAuthentication yes
GssapiKeyExchange yes
Does anyone have any ideas of how I can debug this?
Thanks! - Peter Losher
--
Peter.Losher at nominum.com - [ Systems Admin. | Nominum, Inc. ]
2006 Oct 02
0
GSSAPI Key Exchange for 4.4p1
...4.4p1.
This patch adds RFC4462 compatibility to OpenSSH, along with adding
additional GSSAPI support that is yet to make it into the main tree.
The patch implements:
*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
exchange mechanisms. This can be enabled through the
GSSAPIKeyExchange option on both client and server
(bugzilla.mindrot.org #1242)
*) Support for the null host key type
*) Support for CCAPI caches on Mac OS X
(bugzilla.mindrot.org #1245)
*) Don't penalise the client for authentication failures caused by
server misconfiguration
(b...
2014 Jul 23
1
samba4 passwordless ssh
hi all
i have samba4 ad setup and working,
i am currently trying to set up passwordless ssh on my client servers,
i have read this page
https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
i have a properly configured krb5.conf file, i have a keytab from the
samba dc
and i can kinit and obtain a valid ticket.
the only thing i have not done is to join my client which is a
2016 Nov 09
6
[Bug 2637] New: GSSAPIStrictAcceptorCheck should default to 'yes'
...bugs at mindrot.org
Reporter: tomas.kuthan at oracle.com
When GSSAPIStrictAcceptorCheck is not explicitly specified, the
default value should be yes. It is documented in sshd_config(5) this
way and it preserves original behavior.
Also GSSAPIStrictAcceptorCheck=no interacts poorly with
GSSAPIKeyExchange, where it makes the server willing to negotiate
GSS-API key exchange, although no keytab was provided.
--
You are receiving this mail because:
You are watching the assignee of the bug.
2019 Oct 29
2
Samba Replication problem between two DCs
I'm pretty sure this is a resolving problem.
Can you verify this:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
Especially these: for both guids and cross check if from both servers.
host -t CNAME 50507d18-c8ee-4ef4-bbda-4d0d9bc31caa._msdcs.....
Can you post from both servers.
/etc/hosts
/etc/resolv.conf
host servername
host fqdn
host servername @dns othere
2020 Jul 13
0
Authentication with trusted credentials
...ing :
AllowGroups lin-allow-ssh win-allow-ssh
Windows users in win-allow-ssh
Linux users lin-allow-ssh ( in my case only Linux admins )
The windows group every windows user want to give access to the server.
And did you enable kerberos auth in sshd.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
Should be sufficient.
Now, if you followed Stephans guide, and if I would make a guess.
Is nsswitch configured? /etc/nsswitch.conf ?
I'm also assuming you're using ubuntu or debian, if so,
Running this gives us all we need.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-d...
2013 Jan 16
2
HostKey Management
Hi,
As far as I can tell, when working in an environment with many servers,
there seem to be several ways for your client to authenticate the
HostKeys of each:
1) Set StrictHostKeyChecking=no, and hope you don't get MITM'd the first
time you connect to a server.
2) Use SSHFP records (which generally requires you to have DNSSEC fully
deployed to be meaningful compared to #1, I think?)