search for: gssapikeyexchange

Displaying 20 results from an estimated 32 matches for "gssapikeyexchange".

2014 Jan 24
3
[Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()
https://bugzilla.mindrot.org/show_bug.cgi?id=2198 Bug ID: 2198 Summary: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex() Product: Portable OpenSSH Version: 6.4p1 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: Kerberos support Assign...
2022 Mar 14
8
[Bug 3406] New: RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded
https://bugzilla.mindrot.org/show_bug.cgi?id=3406 Bug ID: 3406 Summary: RSA key authentication doesn't work with enabled GSSAPIKeyExchange: sign_and_send_pubkey: internal error: initial hostkey not recorded Product: Portable OpenSSH Version: 8.9p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Ke...
2009 Apr 21
0
GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck
Hi folks Is there any particular reason why these two great features (thanks Simon!) are not part of the OpenSSH mainstream? Met vriendelijke groet Best regards Bien à vous Miguel SANDERS ArcelorMittal Gent UNIX Systems & Storage IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders at arcelormittal.com
2014 May 25
2
Samba 4 / Kerberos / ssh
...a working /etc/krb5.keytab e.g. i have two s4 dc's bob alice i have done the following. I want to connect from bob to alice with the service accounts I added to the following to both of the dcs sshd_config GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck yes GSSAPIKeyExchange yes ssh_config GSSAPIAuthentication yes GSSAPIDelegationCredentials yes GSSAPIKeyExchange yes GSSAPITrustDNS yes After that i created the keytab i know i need an working ticket Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$ I get the ticket with on bob for alice kinit -v -k...
2020 Jul 13
2
Authentication with trusted credentials
...: db files rpc: db files netgroup: nis *passwd: compat winbindgroup: compat winbind* *#passwd: files winbind#group: files winbind* If I use default sshd_config # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no I have: d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room SVITLA3\test01 at uc-smlbox20.svitla3.room's password: Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room APEX\jake at uc-smlbox20.svi...
2020 Jul 13
3
Authentication with trusted credentials
Hi friends, I have a one way outgoing trust between SAMBA trusting domain and AD trusted domain. SSH Authentication of a user belonging to the SAMBA domain works properly on a Linux computer which is a member of SAMBA domain. I would like to authenticate a trusted user from the AD domain on the same Linux computer with SSH. Currently it doesn't work. I am able to authenticate trusted accounts
2020 Oct 02
5
Kerberos ticket lifetime
On 02/10/2020 13:24, Jason Keltz via samba wrote: > Hi Louis, > > I had already done that at one point. > > My pam_winbind is already working. I can SSH to the system, and I get > a proper ticket. My only issue is that it doesn't refresh the ticket > before expiry when I ssh to a system. I think I can script around > that and just not rely on winbind to do it.
2020 Jul 13
0
Authentication with trusted credentials
...> > *passwd: compat winbindgroup: compat winbind* > > > > *#passwd: files winbind#group: files winbind* > > > If I use default sshd_config > > # GSSAPI options > #GSSAPIAuthentication no > #GSSAPICleanupCredentials yes > #GSSAPIStrictAcceptorCheck yes > #GSSAPIKeyExchange no > > I have: > > d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room > > SVITLA3\test01 at uc-smlbox20.svitla3.room's password: > > Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) > > d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox...
2020 Jul 14
3
Authentication with trusted credentials
... db files rpc: db files netgroup: nis passwd: compat winbind group: compat winbind #passwd: files winbind #group: files winbind If I use default sshd_config # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no I have: d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room SVITLA3\test01 at uc-smlbox20.svitla3.room's password: Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room APEX\jake at uc-smlbox20...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2020 Jul 16
0
Authentication with trusted credentials
...d/g' /etc/nsswitch.conf sed -i 's/group: files systemd/group: files systemd winbind/g' /etc/nsswitch.conf pam-auth-update ### And I enabled this part in sshd, not automated yet, do this manually. # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIKeyExchange yes # If your version supports this/ GSSAPIStoreCredentialsOnRekey yes # If your version supports this/ # Remember with UseDNS no, you can't use kerberos auth UseDNS yes reboot And done, I can login with putty, with kerberos SSO from a windows pc. (after setting putty correctly o...
2012 Jul 09
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi, I am doing some kerberos testing with samba4 using ssh. I have setup samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and active directory seems to be working both with Windows and Linux clients. ssh unfortunately is not kerberos authenticating via GSSAPI. The client krb5.conf contains this: ===================================================== [libdefaults]
2020 Oct 02
0
Kerberos ticket lifetime
Ah, and is that server allowed to "forward/exchange" that ticket? Try this on both servers and test again. GSSAPIAuthentication yes GSSAPICleanupCredentials no GSSAPIStrictAcceptorCheck no GSSAPIKeyExchange yes Which you need exactly, I don't know, but I think you need to look in this area.. Think in this : Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable Which are allowed for the server(s)? Greetz, Louis > -----Original message----- > From: samba [mail...
2001 May 21
1
Problems with Krb5/GSSAPI patches in FBSD 4.3
...pt for Krb5 passwords or Krb5 tickets. And I really can't tell if the patches are even working or if it contacts the KDC (no error message shows up on console or in /var/log/messages) It just rejects my Krb5 password. Per the patch, I do have this in my sshd_config: GssapiAuthentication yes GssapiKeyExchange yes Does anyone have any ideas of how I can debug this? Thanks! - Peter Losher -- Peter.Losher at nominum.com - [ Systems Admin. | Nominum, Inc. ]
2006 Oct 02
0
GSSAPI Key Exchange for 4.4p1
...4.4p1. This patch adds RFC4462 compatibility to OpenSSH, along with adding additional GSSAPI support that is yet to make it into the main tree. The patch implements: *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. This can be enabled through the GSSAPIKeyExchange option on both client and server (bugzilla.mindrot.org #1242) *) Support for the null host key type *) Support for CCAPI caches on Mac OS X (bugzilla.mindrot.org #1245) *) Don't penalise the client for authentication failures caused by server misconfiguration (b...
2014 Jul 23
1
samba4 passwordless ssh
hi all i have samba4 ad setup and working, i am currently trying to set up passwordless ssh on my client servers, i have read this page https://wiki.samba.org/index.php/Authenticating_other_services_against_AD i have a properly configured krb5.conf file, i have a keytab from the samba dc and i can kinit and obtain a valid ticket. the only thing i have not done is to join my client which is a
2016 Nov 09
6
[Bug 2637] New: GSSAPIStrictAcceptorCheck should default to 'yes'
...bugs at mindrot.org Reporter: tomas.kuthan at oracle.com When GSSAPIStrictAcceptorCheck is not explicitly specified, the default value should be yes. It is documented in sshd_config(5) this way and it preserves original behavior. Also GSSAPIStrictAcceptorCheck=no interacts poorly with GSSAPIKeyExchange, where it makes the server willing to negotiate GSS-API key exchange, although no keytab was provided. -- You are receiving this mail because: You are watching the assignee of the bug.
2019 Oct 29
2
Samba Replication problem between two DCs
I'm pretty sure this is a resolving problem. Can you verify this: https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record Especially these: for both guids and cross check if from both servers. host -t CNAME 50507d18-c8ee-4ef4-bbda-4d0d9bc31caa._msdcs..... Can you post from both server. /etc/hosts /etc/resolv.conf host servername host fqdn host servername @dns othere
2020 Jul 13
0
Authentication with trusted credentials
...ing : AllowGroups lin-allow-ssh win-allow-ssh Windows users in win-allow-ssh Linux users lin-allow-ssh ( in my case only Linux admins ) The windows group every windows user want to give access to the server. And did you enable kerberos auth in sshd. # GSSAPI options GSSAPIAuthentication yes GSSAPIKeyExchange yes Should be sufficient. Now, if you followed Stephan's guide, and if I would make a guess. Is nsswitch configured? /etc/nsswitch.conf ? I'm also assuming you're using ubuntu or debian, if so, Running this gives us all we need. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-d...
2013 Jan 16
2
HostKey Management
Hi, As far as I can tell, when working in an environment with many servers, there seem to be several ways for your client to authenticate the HostKeys of each: 1) Set StrictHostKeyChecking=no, and hope you don't get MITM'd the first time you connect to a server. 2) Use SSHFP records (which generally requires you to have DNSSEC fully deployed to be meaningful compared to #1, I think?)