[Freeipa-users] authentication with latest putty fails

Han Boetes hboetes at gmail.com
Fri Jan 4 15:56:18 UTC 2013


Your information about the Quest PuTTY version seems to be outdated. ;-)

Quest Software no longer maintains recent releases of PuTTY. To obtain the
latest stable release of PuTTY please go to the PuTTY Download Page.
* The functionality that was provided by Quest Software's PuTTY packages
has now been included in the latest releases of PuTTY, making Quest PuTTY
obsolete.


I'm test-driving the Centrify version at the moment and...

~/debug% cat ~/out
Using Kerberos authentication
Using principal fh at REALM
Got host ticket host/test-server-ipa.domain at REALM
login as fh at REALM

Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD

fh at REALM@test-server-ipa's password:
Last login: Fri Jan  4 14:51:25 2013 from ipa-w7.domain
[fh at test-server-ipa ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1554800011_JDgpIu5465
Default principal: fh at REALM

Valid starting     Expires            Service principal
01/04/13 14:52:49  01/05/13 14:52:49  krbtgt/REALM at REALM
[fh at test-server-ipa ~]$

That does provide a valid ticket but not a passwordless login. Actually I
have to enter a pass twice here!

On Fri, Jan 4, 2013 at 4:25 PM, Sumit Bose <sbose at redhat.com> wrote:

> On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
> > You are absolutely right; the credentials aren't forwarded.
> >
> > I have enabled the option "allow gssapi credential delegation". So one
> > would expect that it should work.
> >
> > I just installed the mit kerberos tools and I can see all the options and
> > forwarding tickets is allowed according to the interface. Also putty is now
> > using the mit kerberos dll; gssapi32.dll and still I get the same results.
> >
> > So the proper question is: how do I get putty to really forward the
> > credentials?
>
> This might be an issue with your putty version. Can you try Quest's
> version of putty http://rc.quest.com/topics/putty/ , if you are not
> already using it?
>
> HTH
>
> bye,
> Sumit
>
> >
> >
> > On Fri, Jan 4, 2013 at 3:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > > Han Boetes wrote:
> > >
> > >> I've set up windows with the instructions given over here:
> > >>
> > >> http://freeipa.com/page/Windows_authentication_against_FreeIPA
> > >>
> > >> And all seems to be working fine. After I run klist I see valid tickets:
> > >>
> > >> Microsoft Windows [Version 6.1.7601]
> > >> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
> > >>
> > >> C:\Users\fh>klist
> > >>
> > >> Aktuelle Anmelde-ID ist 0:0x153b25
> > >>
> > >> Zwischengespeicherte Tickets: (1)
> > >>
> > >> #0>     Client: fh @ REALM
> > >>          Server: krbtgt/REALM @ REALM
> > >>          KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
> > >>          Ticketkennzeichen 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
> > >>          Startzeit: 1/4/2013 14:03:11 (lokal)
> > >>          Endzeit:   1/5/2013 14:03:11 (lokal)
> > >>          Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
> > >>          Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
> > >>
> > >>
> > >> I can do a passwordless login with the latest putty with kerberos
> > >> authentication,  I disabled password and key logins. And then on the
> > >> host I checked klist and got this:
> > >>
> > >> [fh at test-server-ipa ~]$ klist
> > >> klist: No credentials cache found (ticket cache
> > >> FILE:/tmp/krb5cc_1554800011)
> > >>
> > >> sudo also doesn't work. To test the setup I did the same from a linux host
> > >> and login in, sudo, klist etc etc all work fine. So I checked the sshd
> > >> -d output difference and the only difference I see is:
> > >>
> > >> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
> > >> -debug1: Received some client credentials
> > >> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
> > >> +debug1: Got no client credentials
> > >>
> > >> Where .73 is the linux host and .56 is the windows host.
> > >>
> > >> What am I missing here?
> > >>
> > >
> > > The problem isn't that authentication fails, it is that the credentials
> > > aren't forwarded, right?
> > >
> > > Does putty support this?
> > >
> > > rob
> > >
> > >
> >
> >
> > --
> >
> >
> >
> > # Han
>
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users



-- 
# Han
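An added example, not from this thread or from any of the projects mentioned in it: a small Python helper that reads `sshd -d` output like the two lines diffed above and reports, per GSSAPI login, whether the client actually delegated its Kerberos credentials. The sample lines are constructed from the quoted ones, and the surrounding `Postponed ... / Accepted ...` lines are assumed OpenSSH debug formats; feed it real `sshd -d` output to find which clients will land with an empty credential cache.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `sshd -d` output (an assumption for this example),
# modelled on the two lines quoted in the thread: one client that delegated
# its Kerberos credentials and one that did not.
SAMPLE_SSHD_DEBUG = """\
debug1: userauth-request for user fh service ssh-connection method gssapi-with-mic
Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
debug1: Received some client credentials
Accepted gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
debug1: Got no client credentials
Accepted gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
"""

# "Postponed gssapi-with-mic for <user> from <addr> port <port> ssh2" opens a
# GSSAPI exchange; the credentials line that follows it says whether the
# client delegated a ticket or not.
_POSTPONED = re.compile(
    r"^Postponed gssapi-with-mic for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)
_DELEGATED = "Received some client credentials"
_NOT_DELEGATED = "Got no client credentials"


def delegation_report(debug_output: str) -> List[Dict[str, object]]:
    """One record per GSSAPI authentication attempt found in sshd -d output.

    `delegated` is True when sshd received forwarded credentials, False when
    it explicitly got none, and None when no credentials line followed.
    """
    sessions: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in debug_output.splitlines():
        m = _POSTPONED.match(line)
        if m:
            current = {"user": m["user"], "addr": m["addr"],
                       "port": int(m["port"]), "delegated": None}
            sessions.append(current)
            continue
        if current is None:
            continue
        if _DELEGATED in line:
            current["delegated"] = True
        elif _NOT_DELEGATED in line:
            current["delegated"] = False
    return sessions


def clients_without_delegation(debug_output: str) -> List[str]:
    """Addresses of clients that authenticated via GSSAPI but forwarded no
    ticket: those users will log in without a credential cache (empty klist,
    Kerberos-backed sudo failing), which is the symptom described above."""
    return [str(s["addr"]) for s in delegation_report(debug_output)
            if s["delegated"] is False]


if __name__ == "__main__":
    for s in delegation_report(SAMPLE_SSHD_DEBUG):
        state = {True: "delegated", False: "NOT delegated", None: "unknown"}[s["delegated"]]
        print(f"{s['user']}@{s['addr']}:{s['port']} -> credentials {state}")
```

The report only confirms what reached the server; when a client shows up as "NOT delegated" even though its TGT is `forwardable`, the delegation setting on the client (PuTTY's "Allow GSSAPI credential delegation" in this thread) is the next thing to check.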