Hi all, Im trying to do kind of SSO, basically, i want to ssh a remote linux machine, using openssh/putty (what version), without password prompt, just with kerberos ticket. I have the following scenario: Windows Server 2003 R2 (with Unix Services installed), its the DC of my domain Linux OpenSUSE 11.2, i configured it to do krb5/ldap autenticantion against my DC, its working fine, i can login remotely and localy with my AD credentials and its working fine, as you can see bellow: login as: mmezzanotti Using keyboard-interactive authentication. Password: Last login: Wed Dec 30 14:00:19 2009 from localhost Have a lot of fun... mmezzanotti@os112:~> ls bin Documents Music Public Templates Desktop Download Pictures public_html Videos mmezzanotti@os112:~> klist Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx Default principal: mmezzanotti@xxxxxxxxxxxxx Valid starting Expires Service principal 01/04/10 13:58:36 01/04/10 23:58:37 krbtgt/VMWARELAB.INT@xxxxxxxxxxxxx renew until 01/05/10 13:58:36 mmezzanotti@os112:~> this linux machine in on my AD domain and i have a valid krb ticket. im trying to use ssh to connect to this server, but i want to use my krb ticket, not type password. i have enabled gss api options in my sshd.config. # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes restarted opensshd but it doesnt work: mmezzanotti@os112:~> ssh -vvv mmezzanotti@xxxxxxxxxxxxxxxxxxx OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to os112.vmwarelab.int [192.168.86.14] port 22. debug1: Connection established. debug1: identity file /home/mmezzanotti/.ssh/id_rsa type -1 debug1: identity file /home/mmezzanotti/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2 debug1: match: OpenSSH_5.2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.2 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 130/256 debug2: bits set: 513/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts debug3: check_host_in_hostfile: match line 3 debug3: check_host_in_hostfile: filename /home/mmezzanotti/.ssh/known_hosts debug3: check_host_in_hostfile: match line 3 debug1: Host 'os112.vmwarelab.int' is known and matches the RSA host key. debug1: Found key in /home/mmezzanotti/.ssh/known_hosts:3 debug2: bits set: 512/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/mmezzanotti/.ssh/id_rsa ((nil)) debug2: key: /home/mmezzanotti/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/mmezzanotti/.ssh/id_rsa debug3: no such identity: /home/mmezzanotti/.ssh/id_rsa debug1: Trying private key: /home/mmezzanotti/.ssh/id_dsa debug3: no such identity: /home/mmezzanotti/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) Received disconnect from 192.168.86.14: 2: Too many authentication failures for mmezzanotti bellow the lines about gssapi auth: debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: we sent a gssapi-with-mic packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive debug2: we did not send a packet, disable method anyone could help me? another question, i downloaded a lot of patched putty clients with gssapi support (to use on windows machines), what is the correct one? thank you, Marcello -- Marcello Mezzanotti <marcello.mezzanotti@xxxxxxxxx> http://blogdomarcello.wordpress.com Information Security UNIX / Linux / *BSD