5 votes

dax90 avatar

Comment configurer Openssh et Mit kerberos (de Windows à un serveur linux) ?

Demandé el 23 de Septembre, 2019
Quand la question a-t-elle été
2502 affichage
Nombre de visites la question a
1 Réponses
Nombre de réponses aux questions
Résolu
Situation réelle de la question

J'ai besoin de me connecter via openssh depuis Windows à un serveur linux en utilisant un ticket kerberos. J'ai obtenu le fichier bin à partir de : https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi

Par l'intermédiaire de l'interface utilisateur de mon entreprise, j'obtiens le ticket en utilisant MIT Kerberos. Si j'exécute

klist

voici le résultat

Ticket cache: FILE:C:\Users\Test\....\host.domain.subdomain.local
Default principal: USER@REALM

Valid starting     Expires            Service principal
09/23/19 16:18:53  09/23/19 19:18:53  krbtgt/REALM@REALM
09/23/19 16:18:56  09/23/19 19:18:53  krbtgt/DOMAIN@REALM
09/23/19 16:18:56  09/23/19 19:18:53  host/host.domain.subdomain.local@DOMAIN

Avec Putty, je n'ai aucun problème pour me connecter. J'ai donc essayé avec openssh binary :

ssh -Kvvv USER@HOST

où se trouve le fichier de configuration

Host HOST
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes

J'accède au serveur mais il me demande le mot de passe et n'envoie pas le ticket kerberos.

Et voici le journal

OpenSSH_for_Windows_7.9p1, LibreSSL 2.6.4
debug1: Reading configuration data C:\\Users\\Test/.ssh/config
debug1: C:\\Users\\Test/.ssh/config line 7: Applying options for HOST
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolving HOST port 22
debug2: ssh_connect_direct
debug1: Connecting to HOST [ip] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_rsa-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_dsa-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ecdsa-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_ed25519-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/Test/.ssh/id_xmss-cert.pub error:2
debug1: identity file C:\\Users\\Test/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to HOST:22 as USER
debug3: hostkeys_foreach: reading file "C:\\Users\\Test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from HOST
debug3: Failed to open file:C:/Users/Test/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: [..]
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [...]
debug2: host key algorithms: [...]
debug2: ciphers ctos: [...]
debug2: ciphers stoc: [...]
debug2: MACs ctos: [...]
debug2: MACs stoc: [...]
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [...]
debug2: host key algorithms: [...]
debug2: ciphers ctos: [...]
debug2: ciphers stoc: [...]
debug2: MACs ctos: [...]
debug2: MACs stoc: [...]
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: [...]
debug3: hostkeys_foreach: reading file "C:\\Users\\Test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from HOST
debug3: Failed to open file:C:/Users/Test/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: hostkeys_foreach: reading file "C:\\Users\\Test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from IP
debug3: Failed to open file:C:/Users/Test/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host HOST is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\Test/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\Test/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
+-----------------------------------------------------------------+
+-----------------------------------------------------------------+
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: GSS_S_FAILURE
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\Test/.ssh/id_rsa
debug3: no such identity: C:\\Users\\Test/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_dsa
debug3: no such identity: C:\\Users\\Test/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\Test/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\Test/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\Test/.ssh/id_xmss
debug3: no such identity: C:\\Users\\Test/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
USER@HOST's password:

EDIT : Si je me connecte avec plink, tout fonctionne

plink -v hostPuttyAlias
Looking up host HOST for SSH connection
Connecting to ip port 22
We claim version: SSH-2.0-PuTTY_Release_0.72
Remote version: SSH-2.0-OpenSSH_7.4
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Server also has ecdsa-sha2-nistp256 host key, but we don't know it
Host key fingerprint is:
ssh-ed25519 255 [...]
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
Using username user.
-- Pre-authentication banner message from server: ----------------------------
Using GSSAPI from GSSAPI64.DLL
Trying gssapi-with-mic...
Attempting GSSAPI authentication
-- End of banner message from server -----------------------------------------
GSSAPI authentication initialised
GSSAPI authentication initialised
GSSAPI authentication loop finished OK
Access granted
Access granted. Press Return to begin session.
Demandé el 23 de Septembre, 2019 par dax90

Réponse

Trop de publicités?

3voto

Cpt.Whale avatar
Cpt.Whale Points 287

J'ajoute une réponse tardive car cette question est toujours l'un des premiers résultats de Google pour la connexion à un serveur OpenSSH SSH / SFTP / SCP via kerberos.

La réponse courte est : essayez ssh -K MyServer et le tour est joué ! La façon actuelle de procéder dans Windows 10/Windows Server nécessite seulement :

  • Activer les outils du client openssh, ou les télécharger (si nécessaire).
  • Une version récente de openssh_for_windows. J'utilise ici la version 8.1p1.

  • Lancez le terminal que vous souhaitez utiliser comme l'utilisateur distant s'il est différent de vos informations d'identification actuelles.

    Check if the openssh tools are present:

    Get-WindowsCapability -online -name OpenSSH.Client* | Select State

    State : NotPresent

    You may or may not need to restart after enabling the client

    Add-WindowsCapability -Online -Name OpenSSH.Client

    Online : True RestartNeeded : False

    Make sure you're running as the correct user:

    PS C:> whoami domain\MyUser

Vous pouvez alors vous connecter directement via kerberos. Voici le débogage réduit de ma connexion :

PS C:\> ssh -Kv my-server.domain.tld
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to my-server.domain.tld [10.0.0.1] port 22.
debug1: Connection established.
debug1: Authenticating to my-server.domain.tld:22 as 'MyDomain\\MyUser'
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
[MyUser@MyServer ~]$

Voilà !

Plus de détails :

Une connexion réussie devrait créer un nouveau ticket kerberos pour vous sur cet hôte si vous n'en avez pas. Notez que ces tickets sont marqués comme

  • pre_authent Cela signifie que vous et le serveur SSH devez être en mesure de vous connecter à un contrôleur de domaine AD lors de l'établissement de la connexion.

  • forwardable qui permet la transmission de l'authentification à l'adresse Server: sans qu'il soit nécessaire de retaper le mot de passe.

    trimmed klist output on windows after connecting successfully:

    PS C:> klist

    0> Client: MyUser @ DOMAIN.TLD

        Server: krbtgt/DOMAIN.TLD @ DOMAIN.TLD
    Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

    1> Client: MyUser @ DOMAIN.TLD

        Server: host/myserver @ DOMAIN.TLD
    Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize

Sachez que ces tickets ne vous permettront pas de sauter à nouveau sans créer manuellement un nouveau ticket, par exemple :

# MyLaptop -> MyServer -> MySecureServer

# double-hop prompts for password, fails
PS C:\MyLaptop\> ssh -K MyServer
[myuser@myserver ~]$ ssh -k MySecureServer
myuser@mysecureserver's password:

# Generate a new ticket manually, and success:
PS C:\MyLaptop\> ssh -K MyServer
[myuser@myserver ~]$ kinit
Password for myuser@DOMAIN.TLD:
[myuser@myserver ~]$ ssh -k MySecureServer
[myuser@mysecureserver ~]$

La même règle s'applique aux PS-Sessions.

Répondu el 19 de Mai, 2021 par Cpt.Whale (287 Points )

Questions en vedette

Top Tags

Dans notre réseau

SistemesEz.com

SystemesEZ est une communauté de sysadmins où vous pouvez résoudre vos problèmes et vos doutes. Vous pouvez consulter les questions des autres sysadmins, poser vos propres questions ou résoudre celles des autres.

Powered by:

Yandex
X