Displaying 20 results from an estimated 41 matches for "gssapistrictacceptorcheck".
2016 Nov 09
6
[Bug 2637] New: GSSAPIStrictAcceptorCheck should default to 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2637
Bug ID: 2637
Summary: GSSAPIStrictAcceptorCheck should default to 'yes'
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: minor
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at m...
2008 Oct 14
1
GSSAPI Key Exchange on multi-homed host
From a security standpoint, if the default keytab (/etc/krb5.keytab)
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
is set to "yes" or "no"?
My company uses an internally built OpenSSH package that includes the
GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
a "standard" sshd_config file that works for the majority of hosts.
Unfortunately, the current...
2023 Dec 12
0
[Bug 3642] New: GSS treats hostnames case sensitive -> suggestion for docs of GSSAPIStrictAcceptorCheck setting
https://bugzilla.mindrot.org/show_bug.cgi?id=3642
Bug ID: 3642
Summary: GSS treats hostnames case sensitive -> suggestion for
docs of GSSAPIStrictAcceptorCheck setting
Product: Portable OpenSSH
Version: 9.5p1
Hardware: amd64
OS: FreeBSD
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs at mindrot.org...
2009 Apr 21
0
GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck
Hi folks
Is there any particular reason why these two great features (thanks Simon!) are not part of the OpenSSH mainstream?
Met vriendelijke groet
Best regards
Bien à vous
Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
2012 Jul 10
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
...he
fqdn's/principals in the kerberos server's keytab file but I found out that
my problem was that the samba4/kerberos server was running on a multi-homed
machine and that the ssh server kerberos authentication needed the
following parameter in order for it to work on multi-homed machines:
GSSAPIStrictAcceptorCheck no
The default is yes, using "no" will, according to the manpage "clients may
authenticate against any service key stored in the machine's default store."
I hope this helps others that have similar setups as I do.
Thank you all for your input.
br,
Quinn
2007 Nov 13
2
Enhanced Kerberos support
The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed
for multi-homed (or multi-domained) sites.
SSH recently added this enhancement to address this common need:
GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
against. If "yes" then the client must authenticate against the host service on the current hostname.
If "no" then the client may authenticate against any servi...
2014 May 25
2
Samba 4 / Kerberos / ssh
...ller. I know for that I need a working /etc/krb5.keytab
e.g. I have two s4 DCs
bob
alice
I have done the following. I want to connect from bob to alice with the service accounts.
I added the following to both of the DCs:
sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
ssh_config
GSSAPIAuthentication yes
GSSAPIDelegationCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
After that I created the keytab; I know I need a working ticket
Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$
I get the ticket with on bob f...
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
...NNAME$
[nss]
[pam]
[domain/$DOMAINNAME$]
id_provider = ad
access_provider = ad
ldap_id_mapping=false
krb5_keytab=/etc/krb5.keytab
And sshd with the following sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC...
2020 Oct 02
5
Kerberos ticket lifetime
On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working. I can SSH to the system, and I get
> a proper ticket. My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system.? I think I can script around
> that and just not rely on winbind to do it.
2020 Jul 13
2
Authentication with trusted credentials
...services: db files
ethers: db files
rpc: db files
netgroup: nis
*passwd: compat winbind*
*group: compat winbind*
*#passwd: files winbind*
*#group: files winbind*
If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
APEX\...
2020 Jul 13
0
Authentication with trusted credentials
...>
> netgroup: nis
>
>
> *passwd: compat winbind*
> *group: compat winbind*
>
>
>
> *#passwd: files winbind*
> *#group: files winbind*
>
>
> If I use default sshd_config
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> I have:
>
> d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
>
> SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
>
> Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
>
> d at uc-smlbox20:~$...
2020 Jul 13
3
Authentication with trusted credentials
Hi friends,
I have a one way outgoing trust between SAMBA trusting domain and AD
trusted domain.
SSH Authentication of a user belonging to the SAMBA domain works properly
on a Linux computer which is a member of SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same
Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts
2020 Oct 02
0
Kerberos ticket lifetime
Ah, and is that server allowed to "forward/exchange" that ticket?
Try this on both servers and test again.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes
Which you need exactly, I don't know, but I think you need to look in this area.
Think of this:
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Which are allowed for the server(s)?
Greetz,
Louis
> -----Original message-----...
2006 Aug 18
1
[Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=928
simon at sxw.org.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at sxw.org.uk
------- Comment #2 from simon at sxw.org.uk 2006-08-19 08:31 -------
I'd rather see us move towards just using
2006 Oct 02
0
GSSAPI Key Exchange for 4.4p1
...(bugzilla.mindrot.org #1220)
*) Support for GSSAPI connections to hosts using a round-robin load
balancer, through the GSSAPITrustDNS client option
(bugzilla.mindrot.org #1008)
*) Support for GSSAPI connections to multi-homed hosts with multiple
acceptor names, through the GSSAPIStrictAcceptorCheck server option
(bugzilla.mindrot.org #928)
*) Tidy GSSAPI code separation between client and server
(bugzilla.mindrot.org #1225)
As usual the code is available from
http://www.sxw.org.uk/computing/patches/openssh.html
Thanks again to everyone who has sent patches and suggestions ove...
2008 Apr 04
0
GSSAPI Key Exchange Patch for OpenSSH 5.0p1 (plus an added extra)
...n (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin
load balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each
interface has a unique name (#928)
(bugzilla.mindrot.org bug numbers are in brackets)
This release fixes a problem where the GSSAPIStrictAcceptorCheck
option was always enabled.
As usual, the code is available from http://www.sxw.org.uk/computing/
patches/openssh.html
In addition, with this release I'm pleased to be able to announce an
additional patch which implements cascading credential support. This
allows credentials provided vi...
2024 Jun 06
2
kerberos default_ccache_name with sssd
...ate = FILE:%d/.krb5cc_%U
I configured krb5.conf with:
[libdefaults]
default_ccache_name = FILE:/home/%{username}/.krb5cc_%{uid}
My sshd_config has the following:
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
UseDNS yes
*What I noticed:*
When I ssh to the host I can see that klist shows my cache file under /tmp:
Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK
Default principal: jdoe at DOMAIN.NET
Valid starting Expires Service principal
06/06/2024 09:06:40 06/07/2024 09:06:40 k...
2020 Jul 14
3
Authentication with trusted credentials
...ices:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
passwd: compat winbind
group:  compat winbind
#passwd: files winbind
#group:  files winbind
If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
A...
2019 Aug 05
0
problems with authentication
...it.
Use this; I find this is the easiest way to set up squid + kerberos SSO auth and winbind
Minimal to install: winbind squid krb5-user
You need SSO logins (ssh)
Enable in /etc/ssh/sshd_config (minimal):
# GSSAPI options
GSSAPIAuthentication yes
#(optional)
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
( kerberos auth in squid )
kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab
And use this for the squid authenticatio...
2009 Oct 07
3
Samba AD and Dovecot
Hello All,
I haven't seen the answer to this, maybe I am just using the wrong
searches. I have two queries related to this:
1) I have seen how to configure for LDAP and Kerberos. AD uses both
together. All user information is in AD/LDAP and authentication is
AD/Kerberos. How can I configure Dovecot to use both appropriately?
2) I can cause Samba to create certain directories on login, etc.