How to set Openssh and Mit kerberos (from windows to linux server)?

ssh kerberos mitkerberos

I need to connect through openssh from windows to a linux server using a kerberos ticket. I got the bin file from: https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi

Through my company login UI, I obtain the ticket using MIT Kerberos. If I Run

klist

this is the output

Ticket cache: FILE:C:\Users\Test\....\host.domain.subdomain.local
Default principal: USER@REALM

Valid starting     Expires            Service principal
09/23/19 16:18:53  09/23/19 19:18:53  krbtgt/REALM@REALM
09/23/19 16:18:56  09/23/19 19:18:53  krbtgt/DOMAIN@REALM
09/23/19 16:18:56  09/23/19 19:18:53  host/host.domain.subdomain.local@DOMAIN

With Putty I have no problem to connect. So I tried with openssh binary:

ssh -Kvvv USER@HOST

where the config file is

Host HOST
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes

I reach the server but it asks me the password and doesn't send the kerberos ticket

And this is the log

OpenSSH_for_Windows_7.9p1, LibreSSL 2.6.4
debug1: Reading configuration data C:\\Users\\Test/.ssh/config
debug1: C:\\Users\\Test/.ssh/config line 7: Applying options for HOST
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolving HOST port 22
debug2: ssh_connect_direct
debug1: Connecting to HOST [ip] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to HOST:22 as USER
debug3: hostkeys_foreach: reading file "C:\\Users\\Test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from HOST
debug3: Failed to open file:C:/Users/Test/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: [..]
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [...]
debug2: host key algorithms: [...]
debug2: ciphers ctos: [...]
debug2: ciphers stoc: [...]
debug2: MACs ctos: [...]
debug2: MACs stoc: [...]
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [...]
debug2: host key algorithms: [...]
debug2: ciphers ctos: [...]
debug2: ciphers stoc: [...]
debug2: MACs ctos: [...]
debug2: MACs stoc: [...]
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: [...]
debug3: hostkeys_foreach: reading file "C:\\Users\\Test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from HOST
debug3: Failed to open file:C:/Users/Test/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: hostkeys_foreach: reading file "C:\\Users\\Test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from IP
debug3: Failed to open file:C:/Users/Test/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host HOST is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\Test/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
+-----------------------------------------------------------------+
+-----------------------------------------------------------------+
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: GSS_S_FAILURE
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\Test/.ssh/id_rsa
debug3: no such identity: C:\\Users\\Test/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_dsa
debug3: no such identity: C:\\Users\\Test/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\Test/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\Test/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_xmss
debug3: no such identity: C:\\Users\\Test/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
USER@HOST's password:

EDIT: If I connect with plink everything works

plink -v hostPuttyAlias
Looking up host HOST for SSH connection
Connecting to ip port 22
We claim version: SSH-2.0-PuTTY_Release_0.72
Remote version: SSH-2.0-OpenSSH_7.4
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Server also has ecdsa-sha2-nistp256 host key, but we don't know it
Host key fingerprint is:
ssh-ed25519 255 [...]
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
Using username user.
-- Pre-authentication banner message from server: ----------------------------
Using GSSAPI from GSSAPI64.DLL
Trying gssapi-with-mic...
Attempting GSSAPI authentication
-- End of banner message from server -----------------------------------------
GSSAPI authentication initialised
GSSAPI authentication initialised
GSSAPI authentication loop finished OK
Access granted
Access granted. Press Return to begin session.

I'm adding a late answer since this is question is still one of the top google results for connecting to an OpenSSH SSH / SFTP / SCP server via kerberos.

The short answer is try ssh -K MyServer, and be done! The current way to do this in Windows 10/Windows Server only requires:

  • Enabling the openssh client tools, or downloading them (if needed).
  • A recent version of openssh_for_windows. I'm using 8.1p1 here.
  • Running whatever terminal you want to use as the remote user if it's different from your current credentials.
# Check if the openssh tools are present:
Get-WindowsCapability -online -name OpenSSH.Client* | Select State

State : NotPresent
 
# You may or may not need to restart after enabling the client
Add-WindowsCapability -Online -Name OpenSSH.Client

Online        : True
RestartNeeded : False

# Make sure you're running as the correct user:
PS C:\> whoami
domain\MyUser

Then you can connect via kerberos directly. Here's the trimmed-down debug of my connection:

PS C:\> ssh -Kv my-server.domain.tld
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to my-server.domain.tld [10.0.0.1] port 22.
debug1: Connection established.
debug1: Authenticating to my-server.domain.tld:22 as 'MyDomain\\MyUser'
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
[MyUser@MyServer ~]$

Voilà!

More Details:

A successful connection should create a new kerberos ticket for you to that host if you don't have one. Note that these get flagged as

  • pre_authent, meaning you and the SSH server need to be able to connect to an AD domain controller while establishing the connection.
  • forwardable, which allows for authentication forwarding to the Server: ID without requiring a password to be typed in again.
# trimmed klist output on windows after connecting successfully:
PS C:\> klist

#0>     Client: MyUser @ DOMAIN.TLD
        Server: krbtgt/DOMAIN.TLD @ DOMAIN.TLD
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: MyUser @ DOMAIN.TLD
        Server: host/myserver @ DOMAIN.TLD
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize

Be aware that these tickets won't allow you to jump again without manually creating a new ticket, e.g.:

# MyLaptop -> MyServer -> MySecureServer

# double-hop prompts for password, fails
PS C:\MyLaptop\> ssh -K MyServer
[myuser@myserver ~]$ ssh -k MySecureServer
myuser@mysecureserver's password:

# Generate a new ticket manually, and success:
PS C:\MyLaptop\> ssh -K MyServer
[myuser@myserver ~]$ kinit
Password for [email protected]:
[myuser@myserver ~]$ ssh -k MySecureServer
[myuser@mysecureserver ~]$

The same rule applies to PS-Sessions.

Related

Broadcom NIC stays down in iPXE
Javamail using Exchange as relay
How can I add a trailing slash to a virtual host?
command line utility for linux to decode SCSI CDB
Is it possible to host one TXT record for a domain on a different server, and leave all of the other DNS information intact on the first server?
How to understand the "A subnet Example"?
How to upgrade an Android project to Java 11
Get higher granularity for a list while setting 0 to the corresponding element in the other list for each new point
Same material different opacity
How can I disable content elements in typo3 9.5?
Bootstrap Navbar Dropdown Menu Items Right
How can I reset my terminal in a GNU screen session after accidentally printing binary garbage?