similar to: OpenSSH+GSSAPI & HP/UX 11i...

I have a freshly installed FreeBSD 6.0-BETA1 system, which comes with Heimdal & OpenSSH w/GSSAPI enabled (version 4.1p1 FreeBSD-20050605) Most of the servers I connect to have OpenSSH w/GSSAPI enabled but they use MIT Kerberos (1,3.x and 1.4.x) Now, I can use ticket authentication between all systems where the libraries are all the same (Heimdal or MIT), but trying to use, for example,

I took Markus Friedl's advice and set up a KbdintDevice for Kerberos password authentication/expiry. It took me a bit to wrap my head around privsep, but I think it's working properly (code stolen shamelessly from FBSD's PAM implementation :->). The hardest part was working out how to get the interaction between krb5_get_init_creds_password() (along with the prompter) to work

I'm trying to compile Samba 3.0.4 with Active Directory support on OpenBSD 3.5, using the native Kerberos libraries (which happens to be Heimdal 0.6). Unfortunately, ./configure isn't working right. If anyone can help me figure out what the problem is, i would appreciate it. First a bit of info on OpenBSD's Kerberos path layout, in case it matters: /usr/libexec - daemons

With openssh-snap-20040212 the configure.ac when it finds a krb5-config file, does not call the AC_DEFINE(GSSAPI) or AC_CHECK_HEADER(gssapi.h...) This means that GSSAPI and HAVE_GSSAPI_H are not defined, and thus GSSAPI is not built. If I rename the kerberos provided krb5-config file and run configure, the old method of finding the Kerberos lib and include directories is used and OpenSSH

I'm trying to get gssapi-with-mic to work but the enabled field in the method struct is disabled I.e. The gssapi-with-mic enable field s not enabled in in the *method struct; it fails at: if (authmethod_is_enabled(method)) in the authmethod_is_enabled(method) function call using ddd , OpenSSH 5.2.p1, Linux 2.6.22.5-31 (SuSE 10.2) Questiion - what enables gssapi-with-mic? Thanks tedc

21 jun 2014 the version numbers changed (samba-4.1.8), but the problem remains exactly the same: waf configure continues to break at krb5. frank smith 31 may 2014 greetings, in the (relatively distant) past, i several times downloaded, built, and ran the then-current version of samba with little to no problem. i recently experienced similar successful results with samba-3.6.23. i

Darren, We have systems which are multihomed for virtualisation, but run only one sshd. You can connect to any IP-address and should be authenticated with gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the server has to have an entry for this in the keytab and has to select the right key by determining the hostname from the connection IP-address. There is no other way

Trying to compile OpenSSH with Kerberos5 fails. checking whether we are using Heimdal... no checking gssapi.h usability... no checking gssapi.h presence... no checking for gssapi.h... no checking gssapi/gssapi.h usability... yes checking gssapi/gssapi.h presence... yes checking for gssapi/gssapi.h... yes checking gssapi_krb5.h usability... no checking gssapi_krb5.h presence... no

Hi, I am trying to impliment OpenSSH v2.9p1 with the Krb5/GSSAPI patches at: http://www.sxw.org.uk/computing/patches/openssh-2.9p1-gssapi.patch On a FreeBSD 4.3-STABLE system (with both the integrated Heimdal libs and the MIT Krb5 package from ports intstalled). I patched the src tree, reconfigured, recompiled, installed, and it works - except for Krb5 passwords or Krb5 tickets. And I really

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two

Is there a way to run sshd on a windows 2000 server and have ssh clients authenticate to it using domain level authentication? Mike

Hi, Would it be possible to make a change in the configure file to search for gssapi.h in <kerberosV/gssapi.h> if it fails to find it in <gssapi/gssapi.h>? That would allow to compile dovecot with gssapi easily on OpenBSD without patching it. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 186

In an environment where users use smart cards to authenticate on Windows and then use ssh to login to UNIX systems via GSSAPI, it is nigh impossible to renew/refresh the Kerberos credentials in the UNIX session. If the user fails to renew their credentials before they expire, the user is stuck and must log out and log back in to get valid tickets. Meanwhile it is entirely likely that on the

Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash shows that my tickets ARE forwardable. Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and OpenSSH 4.0p1. I've created two AD accounts, and extracted keys mapped to "host/hostname.domainname.com at REALM.COM" and

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm pleased to (finally) announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate the user to the server, and continues to use SSH host keys to authenticate the server to the

this is the proposed gssapi diff against OpenSSH-current (non-portable). note: if this goes in, the old krb5 auth (ssh.com compatible) will be removed. please comment. jakob Index: auth.h =================================================================== RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v retrieving revision 1.1.1.2 retrieving revision 1.3 diff -u -r1.1.1.2 -r1.3 --- auth.h

I'm trying to compile Samba 3.0.4 with Active Directory support on OpenBSD 3.5, using the native Kerberos libraries (which happens to be Heimdal 0.6). Unfortunately, ./configure isn't working right. I think i'm missing a switch or something. If anyone can help me figure out what the problem is, i would really appreciate it. First a bit of info on OpenBSD's Kerberos path

On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote: > On 1/16/2017 2:09 PM, Ron Frederick wrote: >> I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462.

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

Upgrading to the 3.8.x versions of OpenSSH appears to have broken support for Win2K KDC's. Win2K supports gssapi just fine, but the new gssapi-with-mic does not appear to work. I was able to use the old 3.6.x versions with Kerberos authentication, and the newer 3.7.x versions with gssapi authentication, but 3.8.x does not seem to work at all. The mitm patch provided for 3.8p1 does work, but