SSH from Windows to Linux with AD certificates
I have a Windows client machine connected to Active Directory and a Linux server also connected to Active Directory (through PAM w/ LDAP), and I want to be able to do password-less SSH from Windows to Linux. SSH works fine as long as I provide the password for the AD account.
I found the following article which sort of gave me an idea of how it can be done, but I can't get it to work: http://www.moelinux.net/wordpress/?p=95
What I've tried is the following (based on the above article):
- (on the client) Export my AD certificate into a .PFX file
- Convert the .PFX to an id_rsa file using the following command: openssl pkcs12 -in somefile.pfx -out id_rsa
- Strip id_rsa of the password using the following command: openssl rsa -in id_rsa -out id_rsa
- Generate public key using the following command: ssh-keygen -y -f id_rsa > id_rsa.pub
- (on the server) The same routine as above, so I have identical ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub on client and server.
As you might guess, this doesn't work. I still have to input my password. Where might I have gone wrong?
(What I am really trying to accomplish is setting up a way of connecting from Windows to Linux with an AD account, as seamlessly as possible. This seems like the best way to do it, but if there are other ways, I'm open to ideas :-))
Solution 1:
You are confusing X.509 certificates with RSA keys. They are totally different implementations of PKI. Since both your client and SSH server are domain members, though, I'd say forget the keys and use Kerberos/GSSAPI. In /etc/ssh/sshd_config
on the server, you should find a directive, GSSAPIAuthentication
, uncomment it and change the value to yes
. Restart the SSH daemon after saving the change.
For the client, you need the latest PuTTY (0.61) or OpenSSH. PuTTY has GSSAPI enabled by default, so just enter the hostname of the SSH server (IP address will not work) and hit connect.