4
votes

Why can't I ssh to a host with Kerberos ticket, using Cygwin? Here is my config:

    $ cat .ssh/config
    Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

Here is what I get on ssh attempt:

$ ssh -v [email protected]
OpenSSH_3.5p1f3, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
2420: debug1: Reading configuration data /home/user/.ssh/config
2420: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2420: debug1: ssh_connect: needpriv 0
2420: debug1: Connecting to host.net [xx.xx.xx.xx] port 22.
2420: debug1: Connection established.
2420: debug1: identity file /home/atanasdichev/.ssh/identity type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_rsa type -1
2420: debug1: identity file /home/atanasdichev/.ssh/id_dsa type -1
2420: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
2420: debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
2420: debug1: Enabling compatibility mode for protocol 2.0
2420: debug1: Local version string SSH-2.0-OpenSSH_3.5p1f3
2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type
2420: debug1: SSH2_MSG_KEXINIT sent
2420: debug1: SSH2_MSG_KEXINIT received
2420: debug1: kex: server->client aes128-cbc hmac-md5 none
2420: debug1: kex: client->server aes128-cbc hmac-md5 none
2420: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
2420: debug1: dh_gen_key: priv key bits set: 119/256
2420: debug1: bits set: 1028/2048
2420: debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
2420: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
2420: debug1: Host 'host.net' is known and matches the RSA host key.
2420: debug1: Found key in /home/user/.ssh/known_hosts:1
2420: debug1: bits set: 1000/2048
2420: debug1: ssh_rsa_verify: signature correct
2420: debug1: kex_derive_keys
2420: debug1: newkeys: mode 1
2420: debug1: SSH2_MSG_NEWKEYS sent
2420: debug1: waiting for SSH2_MSG_NEWKEYS
2420: debug1: newkeys: mode 0
2420: debug1: SSH2_MSG_NEWKEYS received
2420: debug1: done: ssh_kex2.
2420: debug1: send SSH2_MSG_SERVICE_REQUEST
2420: debug1: service_accept: ssh-userauth
2420: debug1: got SSH2_MSG_SERVICE_ACCEPT


                ------------- WARNING -------------
                THIS IS A PRIVATE COMPUTER SYSTEM.
                -----------------------------------

        This computer system including all related equipment,
        network devices (specifically including Internet access),
        are provided only for authorized use. All computer systems
        may be monitored for all lawful purposes, including to
        ensure that their use is authorized, for management of the
        system, to facilitate protection against unauthorized
        access, and to verify security procedures, survivability and
        operational security. Monitoring includes active attacks by
        authorized personnel and their entities to test or verify
        the security of the system. During monitoring, information
        may be examined, recorded, copied and used for authorized
        purposes. All information including personal information,
        placed on or sent over this system may be monitored. Uses of
        this system, authorized or unauthorized, constitutes consent
        to monitoring of this system. Unauthorized use may subject
        you to criminal prosecution. Evidence of any such
        unauthorized use collected during monitoring may be used for
        administrative, criminal or other adverse action. Use of
        this system constitutes consent to monitoring for these
        purposes.



2420: debug1: authentications that can continue: publickey,gssapi-with-mic
2420: debug1: next auth method to try is publickey
2420: debug1: try privkey: /home/user/.ssh/identity
2420: debug1: try privkey: /home/user/.ssh/id_rsa
2420: debug1: try privkey: /home/user/.ssh/id_dsa
2420: debug1: no more auth methods to try
2420: Permission denied (publickey,gssapi-with-mic).
2420: debug1: Calling cleanup 0x41c5a0(0x0)

It seems like I never get to try the gssapi-with-mic auth method. Why is this? What do I need to specify in the krb5.conf file? Thanks


2 Answers

2
votes

OpenSSH needs GSSAPI and libkrb5 libraries for Kerberos support. Windows doesn't provide either, so in order for this to work at all, you will need a Cygwin version of either MIT Kerberos or Heimdal installed, and they will not automatically use credentials acquired by the Windows native Kerberos system; you will need to explicitly use "kinit" to get a Kerberos credential (TGT).

There's no single recipe for what to put in krb5.conf; Kerberos is complex and there are many possibilities -- it depends on your surrounding infrastructure. One very simple starting point might be:

[libdefaults]
    default_realm = FOO.COM

[realms]
    FOO.COM = {
        kdc = kdc.foo.com
    }

Here your single Kerberos realm is FOO.COM, and a KDC (Kerberos authentication server) for the realm is kdc.foo.com. It's better to let the client locate the KDC via DNS SRV records, if they're present.

Use kinit to authenticate, then klist to see your credentials.

These messages:

2420: debug1: Miscellaneous failure
2420: debug1: Program lacks support for encryption type

... suggest to me that you may already have some or all of this in place. My initial guess is that you have a TGT, but it uses a session key encryption type which is not supported by the version of Kerberos you have installed (or against which ssh.exe is linked, which might be different). I note that the OpenSSH client version (3.5) is quite old. Windows these days prefers AES-256; perhaps your Kerberos version doesn't support this newer cipher. That's just a guess though; we need more information. Post the output of klist -ef, as well as more verbosity from ssh (-vvv).
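The diagnosis above (a TGT whose session key uses an enctype the local Kerberos library or the linked ssh.exe cannot handle) can be checked mechanically from the two artifacts the answer asks for: the output of klist -ef and the [libdefaults] section of krb5.conf. The script below is an added example, not code from the question or either answer. It parses a constructed klist -ef sample in MIT Kerberos format and two constructed krb5.conf fragments (one with a legacy permitted_enctypes line, one unrestricted like the answer's own minimal config); the sample principal, realm and ticket times are made up. On a real Cygwin host you would feed it `klist -ef` and `cat /etc/krb5.conf` instead of the samples.

```shell
#!/bin/sh
# Added example: compare the TGT session-key enctype reported by `klist -ef`
# against the enctypes that krb5.conf [libdefaults] permits. A mismatch is one
# cause of "Program lacks support for encryption type" in ssh -v output.

# Constructed sample of `klist -ef` output (not captured from a real host).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@FOO.COM

Valid starting     Expires            Service principal
06/01/20 09:00:00  06/01/20 19:00:00  krbtgt/FOO.COM@FOO.COM
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Constructed krb5.conf that only permits legacy enctypes; an AES session key
# from a modern KDC is unusable with such a configuration (or such a library).
SAMPLE_KRB5CONF_LEGACY='[libdefaults]
    default_realm = FOO.COM
    permitted_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
[realms]
    FOO.COM = {
        kdc = kdc.foo.com
    }'

# Constructed krb5.conf with no enctype restriction (the answer's minimal config).
SAMPLE_KRB5CONF_OPEN='[libdefaults]
    default_realm = FOO.COM
[realms]
    FOO.COM = {
        kdc = kdc.foo.com
    }'

# Print the session-key ("skey") enctype of the krbtgt ticket, or nothing if
# no TGT line is present. Arg 1: full klist -ef text.
tgt_session_enctype() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")   # drop everything before the skey type
            sub(/,.*/, "")                         # drop the ticket enctype after the comma
            print; exit
        }'
}

# Print the enctypes listed by permitted_enctypes in [libdefaults], one per line.
# Prints nothing when the option is absent (library default: everything it supports).
# Arg 1: full krb5.conf text.
permitted_enctypes() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_libdefaults = ($0 ~ /^\[libdefaults\]/); next }
        in_libdefaults && /^[ \t]*permitted_enctypes[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, e, /[ \t]+/)
            for (i = 1; i <= n; i++) if (e[i] != "") print e[i]
        }'
}

# Return 0 if the TGT session key enctype is usable under the given krb5.conf,
# 1 if the config rules it out, 2 if no TGT was found (run kinit first).
# Arg 1: klist -ef text. Arg 2: krb5.conf text.
check_tgt_enctype() {
    etype=$(tgt_session_enctype "$1")
    if [ -z "$etype" ]; then
        echo "no krbtgt ticket found; run kinit first"
        return 2
    fi
    allowed=$(permitted_enctypes "$2")
    if [ -z "$allowed" ]; then
        echo "TGT session key $etype; krb5.conf sets no permitted_enctypes restriction"
        return 0
    fi
    if printf '%s\n' "$allowed" | grep -qx "$etype"; then
        echo "TGT session key $etype is permitted"
        return 0
    fi
    echo "TGT session key $etype is NOT in permitted_enctypes: $(printf '%s' "$allowed" | tr '\n' ' ')"
    return 1
}

# Demonstration on the constructed samples; on a real host use:
#   check_tgt_enctype "$(klist -ef)" "$(cat /etc/krb5.conf)"
check_tgt_enctype "$SAMPLE_KLIST" "$SAMPLE_KRB5CONF_LEGACY" || true
check_tgt_enctype "$SAMPLE_KLIST" "$SAMPLE_KRB5CONF_OPEN"
```

A result of 1 here tells you the client-side library (or its configuration) rejects the session key; the fix is on the client side (a newer Cygwin Kerberos build, or removing the legacy enctype restriction), not in the ssh_config. A result of 0 with the symptom still present points instead at ssh.exe being linked against a different, older Kerberos library than the one kinit uses, which is the other case the answer raises.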

0
votes

An old question, but I recently had a similar problem, using Cygwin on Windows 10. I finally got it to work after installing both openssh and krb5-workstation in Cygwin, and having this in my .ssh/config:

Host "HostID"
  HostName "HostName"
  User "UserName"
  PreferredAuthentications gssapi-with-mic
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  # GSSAPIKeyExchange yes

The final line is an option that was not needed for me, but might be needed in some instances.

Note that Cygwin sometimes defaults to the Windows installation of openssh (when present), and sometimes it might be needed to explicitly run /usr/bin/ssh or /usr/bin/kinit so that the proper versions are used. For instance, running /usr/bin/kinit -f "UserName"@xxx.com (matching the user name in the config file above), and then /usr/bin/ssh "HostID" (matching the host ID in the config).