README: OpenSSH with GSSAPI and Kerberos v3.9p1

Table of Contents

Description
System Requirements
Installing the Files
Configuration
Known Issues
Links
Licensing Terms and Copyrights

=====================================================================
OpenSSH with GSSAPI and Kerberos
November 2004
=====================================================================

Copyright (c) 2004 Certified Security Solutions, Inc.

This document contains:

   1. Information describing this package.
   2. System requirements for operating the package.
   3. Installation information.
   4. Instructions for configuring interoperability with an existing
         Microsoft Windows 2000 domain.
   5. Known issues and links to the component source distributions.
   6. Copyright information.

This package is intended for operation on Solaris 5.5.1 (SunOS release
numbering, i.e. Solaris 2.5.1) and above, HP-UX 10.20 and above, and
Red Hat Linux 7.3 and above.

======================================================================
Description
======================================================================

This package contains binaries for Solaris, HP-UX and Linux for
OpenSSH version 3.9p1, with GSSAPI functionality enabled. They were
linked with the MIT krb5-1.3.5 Kerberos 5/GSSAPI distribution and
OpenSSL 0.9.7e. The source code for all of these packages is
available from each project's web page; see the Links section below.

The SSH server (sshd) in this package interoperates with the Certified
Security Solutions GSSAPI and Kerberos 5 enhanced version of PuTTY
(see Links section, below), an SSH client for Windows, as well as
other SSH clients. Using the enhanced PuTTY client and this OpenSSH
server, a user logged in to a Windows 2000 domain can transparently
authenticate to a UNIX or Linux SSH server with the Kerberos
credentials obtained at Windows logon, without entering a password
again.

OpenSSH for Solaris and HP-UX has been built with Pseudo Random
Number Generator Daemon (prngd) support. Prngd compensates for the
lack of a /dev/random device on Solaris 5.5.1 - Solaris 5.8 and
HP-UX 10.20. The OpenSSH binaries for Solaris and HP-UX in this
distribution will not function without prngd running: OpenSSL refuses
to operate with an unseeded random number generator, and ssh and sshd
abort with a "PRNG is not seeded" error. The
/opt/openssh-gssapi/etc/rc.sshd init script present in this
distribution starts both prngd and sshd by default, and its use is
recommended for starting sshd.

======================================================================
System Requirements
======================================================================

In order to utilize this package, you need the following:

   - An existing Windows 2000 Active Directory server, and at least
      one Windows 2000 client that is a member of that domain.

   - The GSSAPI-enhanced PuTTY package installed on the Windows 2000
      client system.

   - A Solaris, HP-UX or Linux server system to install and run this
      SSH package. The installer requires that Perl is installed on the
      system in order to function.

   - The adkadmin utility (invoked as css_adkadmin) installed on the
      Solaris, HP-UX or Linux server running the SSH package. (Or
      another method for creating a service principal in the Windows
      2000 Active Directory, extracting its key and installing it in a
      key table on the Solaris, HP-UX or Linux server.)

Note: OpenSSH is supported against both Windows 2000 Active Directory
and Windows 2003 Active Directory. In this readme, "Windows 2000" is
used generically to refer to either version. Similarly, PuTTY is
supported on several Windows versions, including Windows 2000 and XP.
In this readme, "Windows 2000" is used generically to refer to any
version.

======================================================================
Installing the Files
======================================================================

Download:
   Download the openssh binary distribution for your operating system.

   Solaris:
      openssh-3.9p1-gssapi-binary-solaris.tar.Z

   HP-UX:
      openssh-3.9p1-gssapi-binary-hpux.tar.Z

   Linux:
      openssh-3.9p1-gssapi-binary-linux.tar.Z

Unpack:
   Copy the binary package to a temporary work area, and unpack:
      cp openssh-3.9p1-gssapi-binary-solaris.tar.Z /tmp
      cd /tmp
      zcat openssh-3.9p1-gssapi-binary-solaris.tar.Z | tar xf -

Install:
   su to root, and execute the installation script
      su -
      cd /tmp/openssh-3.9p1-gssapi-binary-solaris
      ./install

   The installation destination directory is "/opt/openssh-gssapi".
   During this installation, an empty directory named "/var/empty" is
   created; this is the chroot jail used by sshd's privilege
   separation and must stay owned by root and writable by nobody
   else, or sshd will refuse to start. The user named "sshd" and the
   group named "sshd", the unprivileged identity of the
   pre-authentication child process, are also created.

Run:
   After the installation has completed, the rc.sshd init script,
   located in the /opt/openssh-gssapi/etc directory, is executed to
   start sshd, which can now accept login requests. However,
   additional configuration is required before GSSAPI authentication
   will function. Refer to the "Configuration" section below for
   additional instructions.

   Note: to debug configuration problems, stop the installed sshd and
         run it by hand in debug mode. With -ddd it stays in the
         foreground, serves a single connection and writes verbose
         debug output to stderr:

      /opt/openssh-gssapi/etc/rc.sshd stop sshd
      /opt/openssh-gssapi/sbin/sshd -ddd


   Note: afterwards, to resume normal sshd operation, execute
         this command:

      /opt/openssh-gssapi/etc/rc.sshd start sshd


   Note: A configuration entry must be added to /etc/inittab
         or an init file added to /etc/rc.d in order to start sshd
         at boot time. Below is an example /etc/inittab entry
         for a system with an initdefault level of 3:

   hd:3:wait:/opt/openssh-gssapi/etc/rc.sshd start > /dev/console 2>&1
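The installer creates /var/empty and the sshd account and turns on
GSSAPIAuthentication, and sshd will refuse to start, or quietly stop
offering GSSAPI, if any of those are disturbed later. The following
POSIX sh script is an added example for this README, not part of the
CSS package: it checks the privilege separation directory the way sshd
does (root-owned, not group- or world-writable) and reads the effective
GSSAPIAuthentication value the way sshd does (first uncommented
occurrence of the keyword wins). The paths are the package defaults
named above; the function names and the --check flag are this
example's own.

```shell
#!/bin/sh
# Post-install sanity checks for the OpenSSH GSSAPI package.
# Added example for this README; not part of the CSS distribution.
# Paths in run_checks are the package defaults from the text above.

# privsep_dir_ok DIR [OWNER]
# sshd's privilege separation chroots the pre-auth child into DIR and
# refuses to start unless DIR exists, is owned by OWNER (root) and is
# neither group- nor world-writable. Parses ls(1) output so the same
# check works on Solaris, HP-UX and Linux.
privsep_dir_ok() {
    dir=$1
    want_owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi
    line=$(ls -ld "$dir")
    mode=${line%% *}                       # e.g. drwxr-xr-x
    owner=$(echo "$line" | awk '{ print $3 }')
    case $mode in
        ?????w*|????????w*)                # group (col 6) or other (col 9) write bit
            echo "$dir: group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    return 0
}

# sshd_config_value FILE OPTION
# Prints the value sshd will actually use for OPTION: the first
# uncommented occurrence of the keyword (case-insensitive). Later
# duplicates are ignored by sshd, so they are ignored here too.
sshd_config_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# run_checks: apply both checks to the package defaults.
run_checks() {
    rc=0
    privsep_dir_ok /var/empty root || rc=1
    cfg=/opt/openssh-gssapi/etc/sshd_config
    if [ "$(sshd_config_value "$cfg" GSSAPIAuthentication)" != yes ]; then
        echo "$cfg: GSSAPIAuthentication is not 'yes'" >&2
        rc=1
    fi
    return $rc
}

case ${1:-} in
    --check) run_checks ;;
esac
```

Run it as root with --check after installation and again after any
edit to sshd_config; a non-zero exit names the offending item on
stderr.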

======================================================================
Configuration
======================================================================
After installation, ssh and sshd will function. However, to use GSSAPI
authentication, further configuration is required.

Configuration file additions:
   During the OpenSSH package installation, the sshd_config and
   ssh_config files, located in the /opt/openssh-gssapi/etc
   directory, were modified with the following addition:

      GSSAPIAuthentication yes

   This option must be enabled on both sides for GSSAPI authentication
   to function. Note that sshd uses the first occurrence of a keyword
   in sshd_config, so a "GSSAPIAuthentication no" line placed earlier
   in the file would silently override this one. If the OpenSSH ssh
   client (rather than PuTTY) is to forward Kerberos credentials to
   the server, it additionally needs "GSSAPIDelegateCredentials yes"
   in ssh_config; that option is off by default.

Create a Kerberos configuration file:
   Save the sample configuration file, below, as /etc/krb5.conf.
   Modify /etc/krb5.conf to reflect your default_realm, kdc,
   admin_server, and kpasswd_server values.

   Note: The "YOURDOMAIN" value must be changed to the Kerberos realm
         of your Windows 2000 domain, which is the domain's DNS name
         in upper case (e.g. EXAMPLE.COM). Realm names are
         case-sensitive.

Create a Kerberos service principal in Active Directory and extract
its key to a key table on your Linux, HP-UX or Solaris server. The
host part of the principal must be the fully qualified name that
clients resolve for the server, since that is the name they will
request a service ticket for:

   css_adkadmin -p Administrator \
      -q "ank -k host/unixserver.example.com"

To enable the ability to forward Kerberos credentials to a Linux,
HP-UX or Solaris server, mark the host's account as trusted for
delegation; Windows clients will not forward a user's ticket-granting
ticket to a service whose account lacks this flag:

   css_adkadmin -p Administrator \
      -q "modprinc -force +trusted_for_deleg host/unixserver.example.com"

   Caution: this is unconstrained delegation. Every user who logs in
         with forwarding enabled leaves a copy of his/her
         ticket-granting ticket on the server, so a compromise of
         that host lets the attacker act as any of those users
         anywhere in the domain. Enable it only for servers whose
         users genuinely need Kerberos credentials after login, and
         keep the key table readable by root only.

Note: You must download, install and configure the adkadmin
      utility prior to performing these steps.


Sample Kerberos Configuration File
==================================
[libdefaults]
   default_realm = YOURDOMAIN

[realms]
   YOURDOMAIN = {
      kdc = domain-controller.example.com
      admin_server = domain-controller.example.com
      kpasswd_server = domain-controller.example.com
   }

[domain_realm]
   .example.com = YOURDOMAIN

Note: Replace ".example.com" with your DNS domain name and "YOURDOMAIN"
      with your realm (the same domain name in upper case). The
      [domain_realm] entry is what maps the server's host name to the
      realm of its host/ principal.
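The following POSIX sh script is an added example, not part of the CSS
package or of adkadmin. It renders the sample configuration above for
a given DNS domain and domain controller (upper-casing the realm as
Active Directory requires), checks an existing krb5.conf for the
mistakes that most often break the GSSAPI exchange (lower-case or
undefined realm, no kdc), builds the host/ principal name sshd will
look for, and checks a "klist -k" listing for it. example.com,
dc1.example.com and unixserver.example.com are the placeholders used
above; on Solaris use nawk or /usr/xpg4/bin/awk for the awk calls.

```shell
#!/bin/sh
# Generate and sanity-check /etc/krb5.conf for an Active Directory
# realm, and check the keytab for the host principal sshd needs.
# Added example for this README; not part of the CSS package.

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# gen_krb5_conf DNS_DOMAIN DC_FQDN
# An AD realm is the domain's DNS name in upper case and realm names
# are case-sensitive, so "example.com" as default_realm will not match
# tickets issued for EXAMPLE.COM. Both the leading-dot form (hosts in
# the domain) and the bare form (the domain itself) are mapped.
gen_krb5_conf() {
    domain=$(lower "$1")
    realm=$(upper "$domain")
    dc=$(lower "$2")
    cat <<EOF
[libdefaults]
   default_realm = $realm

[realms]
   $realm = {
      kdc = $dc
      admin_server = $dc
      kpasswd_server = $dc
   }

[domain_realm]
   .$domain = $realm
   $domain = $realm
EOF
}

# krb5_conf_realm_ok FILE
# Fails unless default_realm is set, spelled in upper case, and has a
# matching [realms] stanza containing at least one kdc line.
krb5_conf_realm_ok() {
    awk '
        /^[[:space:]]*\[/ { sect = $1; next }
        sect == "[libdefaults]" && $1 == "default_realm" { def = $3 }
        sect == "[realms]" && $2 == "=" && $3 == "{" { cur = $1; stanza[cur] = 1 }
        sect == "[realms]" && $1 == "kdc" && cur != "" { kdc[cur] = 1 }
        END {
            if (def == "")           { print "no default_realm" > "/dev/stderr"; exit 1 }
            if (def != toupper(def)) { print "realm " def " is not upper case" > "/dev/stderr"; exit 1 }
            if (!(def in stanza))    { print "no [realms] stanza for " def > "/dev/stderr"; exit 1 }
            if (!(def in kdc))       { print "no kdc for " def > "/dev/stderr"; exit 1 }
            exit 0
        }
    ' "$1"
}

# host_principal FQDN REALM
# The service principal sshd looks up in the keytab: host/<fqdn>@REALM,
# host part in lower case exactly as clients resolve it.
host_principal() { printf 'host/%s@%s\n' "$(lower "$1")" "$(upper "$2")"; }

# keytab_has_principal PRINC
# Reads "klist -k" output on stdin and succeeds if PRINC is listed, e.g.
#   klist -k /etc/krb5.keytab | keytab_has_principal "$(host_principal unixserver.example.com EXAMPLE.COM)"
keytab_has_principal() {
    grep -q "[[:space:]]$1\$"
}
```

Generate with "gen_krb5_conf example.com dc1.example.com >
/etc/krb5.conf", then run krb5_conf_realm_ok against the file you
actually installed. The keytab check deliberately reads klist output
rather than the keytab itself, so it can be run against a listing
pasted from the server; the keytab file should be owned by root with
mode 0600, since its key is what lets the host decrypt every service
ticket presented to it.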


PuTTY Configuration
===================
Using an installed PuTTY client containing the GSSAPI extensions,
perform the following configuration steps to utilize GSSAPI
authentication with OpenSSH.

+-Session
|   Host name: Specify name of UNIX server configured above
|   Protocol: Click SSH
+-Terminal
+-Window
--Connection
   |   Auto-login username: Specify UNIX username used during login
   |-Telnet
   |-Rlogin
   --SSH
      |   Preferred SSH protocol version: Click version 2
      |-Auth
      |   Authentication methods
      |      Attempt GSSAPI/Kerberos 5 Authentication: Check on
      |   Authentication parameters
      |      Allow Kerberos 5 ticket forwarding: Check on


After configuring the above PuTTY parameters, click on Session again,
specify a "Saved Sessions" name, and click the Save button.

Warning: You must specify a saved session name, and save the
         configuration settings in order to load the settings for a
         subsequent session.

You are now ready to establish an SSH connection to the UNIX server.
Click the session name used to save the configuration above, click
Load, then click Open.


Kerberos 5 Authentication with the SSH 1 Protocol
=================================================
Note: Kerberos 5 authentication with the SSH 1 protocol is no longer
      supported in OpenSSH as of release 3.7p1. This functionality
      was removed from OpenSSH when GSSAPI authentication was added,
      since Kerberos 5 is a supported mechanism of GSSAPI. GSSAPI
      user authentication exists only in SSH protocol version 2,
      which is why the PuTTY configuration above selects version 2.


======================================================================
Known Issues
======================================================================

Failed initializing GSSAPI context
   When the clocks of the target UNIX host and the Windows server
   differ by more than the allowed clock skew (typically 5 minutes),
   the standard Kerberos clock skew error may not appear during SSH
   GSSAPI authentication; this message may be reported instead,
   especially when the UNIX host's clock is behind the Windows
   server's. Synchronize the UNIX host with the domain controller's
   time before looking for other causes.

Error: "protocol error: rcvd type 61"
   The standard clock skew error may also fail to appear when the time
   on the target UNIX host is out of sync with the time on the Windows
   server. The error may instead be:
      Server sent disconnect message type 2
      (SSH_DISCONNECT_PROTOCOL_ERROR): "protocol error: rcvd type 61"
   Message type 61 is SSH_MSG_USERAUTH_GSSAPI_TOKEN: the server
   disconnected because the client sent a GSSAPI token after the
   server had already given up on the GSSAPI exchange. This error is
   known to occur on Windows 2000 clients with SP4 installed.

OpenSSH session disconnect from HP-UX host with large number of PTYs
   When a connection to an HP-UX host is attempted, the target openssh
   server may terminate the connection during authentication (with or
   without GSSAPI) when the HP-UX host has a large (non-default)
   number of PTYs configured.


======================================================================
Links
======================================================================

OpenSSH:
   http://www.openssh.com/portable.html
   ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.9p1.tar.gz

OpenSSL:
   openssl-0.9.7e.tar.gz:
      http://www.openssl.org/source/openssl-0.9.7e.tar.gz

zlib:
   zlib-1.1.4.tar.gz (Solaris only)
      http://www.gzip.org/zlib/

MIT Kerberos:
   http://web.mit.edu/kerberos/dist/index.html
   http://web.mit.edu/kerberos/www/krb5-1.3/index.html#fetching

PuTTY:
   http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
   http://www.chiark.greenend.org.uk/~sgtatham/putty/

Certified Security Solutions GSSAPI patch for PuTTY:
   http://www.css-security.com/cgi-bin/dnld_list.pl

======================================================================
Licensing terms and copyrights
======================================================================

Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
*    notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
*    notice, this list of conditions and the following disclaimer in the
*    documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---

This file is part of the OpenSSH software.

The licences which components of this software fall under are as
follows. First, we will summarize and say that all components
are under a BSD licence, or a licence more free than that.

OpenSSH contains no GPL code.

1)
      * Copyright (c) 1995 Tatu Ylonen (ylo@cs.hut.fi), Espoo, Finland
      * All rights reserved
      *
      * As far as I am concerned, the code I have written for this software
      * can be used freely for any purpose. Any derived versions of this
      * software must be clearly marked as such, and if the derived work is
      * incompatible with the protocol description in the RFC file, it must be
      * called by a name other than "ssh" or "Secure Shell".

      [Tatu continues]
      * copyrights held by third parties, and the software includes parts that
      * are not under my direct control. As far as I know, all included
      * source code is used in accordance with the relevant license agreements
      * and can be used freely for any purpose (the GNU license being the most
      * restrictive); see below for details.

      [However, none of that term is relevant at this point in time. All of
      these restrictively licenced software components which he talks about
      have been removed from OpenSSH, i.e.,

      - RSA is no longer included, found in the OpenSSL library
      - IDEA is no longer included, its use is deprecated
      - DES is now external, in the OpenSSL library
      - GMP is no longer used, and instead we call BN code from OpenSSL
      - Zlib is now external, in a library
      - The make-ssh-known-hosts script is no longer included
      - TSS has been removed
      - MD5 is now external, in the OpenSSL library
      - RC4 support has been replaced with ARC4 support from OpenSSL
      - Blowfish is now external, in the OpenSSL library

      [The licence continues]

      Note that any information and cryptographic algorithms used in this
      software are publicly available on the Internet and at any major
      bookstore, scientific library, and patent office worldwide. More
      information can be found e.g. at "http://www.cs.hut.fi/crypto".

      The legal status of this program is some combination of all these
      permissions and restrictions. Use only at your own responsibility.
      You will be responsible for any legal consequences yourself; I am not
      making any claims whether possessing or using this is legal or not in
      your country, and I am not taking any responsibility on your behalf.


        NO WARRANTY

      BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
      FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
      OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
      PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
      OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
      MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
      TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
      PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
      REPAIR OR CORRECTION.

      IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
      WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
      REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
      INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
      OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
      TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
      YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
      PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
      POSSIBILITY OF SUCH DAMAGES.

2)
      The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
      Comments in the file indicate it may be used for any purpose without
      restrictions:

      * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or
      * code or tables extracted from it, as desired without restriction.

3)
      The 32-bit CRC compensation attack detector in deattack.c was
      contributed by CORE SDI S.A. under a BSD-style license.

      * Cryptographic attack detector for ssh - source code
      *
      * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
      *
      * All rights reserved. Redistribution and use in source and binary
      * forms, with or without modification, are permitted provided that
      * this copyright notice is retained.
      *
      * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
      * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
      * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
      * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
      * SOFTWARE.
      *
      * Ariel Futoransky (futo@core-sdi.com)
      * (http://www.core-sdi.com)

4)
      ssh-keygen was contributed by David Mazieres under a BSD-style
      license.

      * Copyright 1995, 1996 by David Mazieres (dm@lcs.mit.edu).
      *
      * Modification and redistribution in source and binary forms is
      * permitted provided that due credit is given to the author and the
      * OpenBSD project by leaving this copyright notice intact.

5)
      The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
      and Paulo Barreto is in the public domain and distributed
      with the following license:

      * @version 3.0 (December 2000)
      *
      * Optimised ANSI C code for the Rijndael cipher (now AES)
      *
      * @author Vincent Rijmen (vincent.rijmen@esat.kuleuven.ac.be)
      * @author Antoon Bosselaers (antoon.bosselaers@esat.kuleuven.ac.be)
      * @author Paulo Barreto (paulo.barreto@terra.com.br)
      *
      * This code is hereby placed in the public domain.
      *
      * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
      * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
      * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
      * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
      * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
      * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
      * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
      * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
      * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
      * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

6)
      One component of the ssh source code is under a 4-clause BSD license,
      held by the University of California, since we pulled these parts from
      original Berkeley code. The Regents of the University of California
      have declared that term 3 is no longer enforceable on their source code,
      but we retain that license as is.

      * Copyright (c) 1983, 1990, 1992, 1993, 1995
      * The Regents of the University of California. All rights reserved.
      *
      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions
      * are met:
      * 1. Redistributions of source code must retain the above copyright
      * notice, this list of conditions and the following disclaimer.
      * 2. Redistributions in binary form must reproduce the above copyright
      * notice, this list of conditions and the following disclaimer in the
      * documentation and/or other materials provided with the distribution.
      * 3. All advertising materials mentioning features or use of this software
      * must display the following acknowledgement:
      * This product includes software developed by the University of
      * California, Berkeley and its contributors.
      * 4. Neither the name of the University nor the names of its contributors
      * may be used to endorse or promote products derived from this software
      * without specific prior written permission.
      *
      * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
      * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
      * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      * SUCH DAMAGE.

7)
      Remaining components of the software are provided under a standard
      2-term BSD licence with the following names as copyright holders:

   Markus Friedl
   Theo de Raadt
   Niels Provos
   Dug Song
   Aaron Campbell
   Damien Miller
   Kevin Steves
   Daniel Kouril
   Per Allansson

      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions
      * are met:
      * 1. Redistributions of source code must retain the above copyright
      * notice, this list of conditions and the following disclaimer.
      * 2. Redistributions in binary form must reproduce the above copyright
      * notice, this list of conditions and the following disclaimer in the
      * documentation and/or other materials provided with the distribution.
      *
      * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
      * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
      * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
      * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
      * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
      * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
      * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
      * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
      * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
      * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.