See bug #4440 for the pre-study results. Time estimate includes:

1) Patching OpenSSH to dynamically load GSSAPI libraries on supported platforms. This probably involves writing a communication layer to load the appropriate libraries if available, and shuffle requests back and forth. This layer could also be used to handle/translate SSPI requests on Windows.
2) Implementing the SSPI layer for Windows
3) Implementing the new functionality in the GUI
4) Documenting the new feature
5) Testing etc.
Some helpful links:

SSPI/Kerberos Interoperability with GSSAPI: http://msdn.microsoft.com/en-us/library/ms995352.aspx
Kerberos/GSSAPI Support in OpenSSH: http://www.sxw.org.uk/computing/patches/openssh.html
Differences between Heimdal and MIT Kerberos API: http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/h5l_mit_apidiff.html
Developing with GSSAPI: http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/gssapi.html
Build and installation instructions for the NoMachine OpenSSH Win32 Port: http://www.nomachine.com/ar/view.php?ar_id=AR01J00621
Step one: get the SSH client building with Kerberos support on all platforms. Initial Kerberos commit to build system done in r26286.
Updated Solaris' sysroot on the build system with kerberos packages in r26287.
r26288: Make sure the OS X sysroot provides krb5 (it already does)
r26289: Make sure that cendio-build-krb5 is now a dependency of the client
r26432: Build OpenSSH with kerberos support, and provide a wrapper for loading the GSSAPI libraries dynamically at runtime.
r26442: Give correct paths for header files on Solaris, make sure that SSH builds with kerberos support on Solaris in the absence of expected (Linux only) libraries
r26443: In the absence of gssapi_generic on Solaris, make sure the correct functions are defined.
r26445: Use the correct extension when loading Apple's GSSAPI lib (.dylib not .so)
r26446: Use the correct type when declaring GSS_C_NT_HOSTBASED_SERVICE on OS X
r26452/26453: Initial commit for kerberos support in client GUI. Still need to handle error conditions and logging etc.
We now need to implement some form of error handling. The error handling with regard to kerberos authentication should have 2 main goals:

1) Log with sufficient detail to enable advanced troubleshooting for administrators/support
2) Present simple error messages to the user for common errors/misconfigurations

There are two levels of error message in our implementation; GSSAPI/SSPI errors, and authentication mechanism errors (in our case, this means kerberos). The problem is that we are dealing with potentially 4 different kerberos implementations:

1) MIT Kerberos v5 (Linux, OS X < 10.7)
2) Heimdal Kerberos (OS X 10.7+)
3) Solaris' implementation (Solaris)
4) SSPI (Windows)

For any given error, some platforms provide an error code at GSSAPI level, some at kerberos level. Moreover, the error code returned may differ across platforms and kerberos implementations.

To satisfy goal 1), we should try to log specific error codes whenever possible. GSSAPI error codes are defined in the GSSAPI header files, so we can make use of those. For platform/implementation-specific authentication mechanism error codes, we will need to define the most common ones ourselves.

To satisfy goal 2), we should see if it is possible to associate a cross-platform set of error codes with a particular common scenario. For example, a missing credentials cache gives the following error codes on the following platforms:

Solaris: GSS_S_NO_CRED
Linux/OS X: KRB5_FCC_NOFILE

The next step is therefore to define a set of common error scenarios, and determine the error codes which might indicate these across all platforms.
Missing credentials cache
-------------------------
Linux: KRB5_FCC_NOFILE
OS X 10.4: KRB5_FCC_NOFILE
OS X 10.8: KRB5_FCC_NOFILE
Solaris: GSS_S_NO_CRED

Expired ticket
--------------
Linux: KRB5KRB_AP_ERR_TKT_EXPIRED
OS X 10.4: KRB5KRB_AP_ERR_TKT_EXPIRED
OS X 10.8: GSS_S_CONTEXT_EXPIRED
Solaris: KRB5_NO_TKT_IN_RLM

KDC Unresolvable
----------------
Linux: KRB5_KDC_UNREACH
OS X 10.4: KRB5_TKT_NOT_FORWARDABLE
OS X 10.8: KRB5_KDC_UNREACH
Solaris: KRB5_TKT_NOT_FORWARDABLE
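The two-goal error handling described in the previous comment, worked through with the table above as an added example (not code from the ThinLinc or OpenSSH tree): the classifier is keyed by platform because the same minor code means different things on different implementations, and the Kerberos minor-code values are stand-ins since the real ones come from each platform's krb5.h.

```c
/* Added example, not ThinLinc/OpenSSH code: map the platform-specific GSSAPI and
 * Kerberos codes from the table above to common scenarios (goal 2), while the
 * caller still logs the raw major/minor status verbatim for admins (goal 1). */
#include <stddef.h>
#include <stdint.h>
typedef uint32_t OM_uint32;                   /* as in gssapi.h */
#define GSS_C_ROUTINE_ERROR_OFFSET 16         /* routine error sits in bits 16-23 */
#define GSS_S_NO_CRED         (7u  << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CONTEXT_EXPIRED (12u << GSS_C_ROUTINE_ERROR_OFFSET)
/* Kerberos minor codes: real values come from the platform's krb5.h; these are
 * stand-in values so the example builds without a Kerberos library installed. */
#define KRB5_FCC_NOFILE            1001
#define KRB5KRB_AP_ERR_TKT_EXPIRED 1002
#define KRB5_NO_TKT_IN_RLM         1003
#define KRB5_KDC_UNREACH           1004
#define KRB5_TKT_NOT_FORWARDABLE   1005
enum platform { PLAT_LINUX, PLAT_OSX_MIT, PLAT_OSX_HEIMDAL, PLAT_SOLARIS };
enum scenario { SC_UNKNOWN, SC_NO_CCACHE, SC_TICKET_EXPIRED, SC_KDC_UNRESOLVABLE };
struct rule { enum platform plat; OM_uint32 major, minor; enum scenario sc; };

/* Keyed by platform, since KRB5_TKT_NOT_FORWARDABLE means "KDC unresolvable" only
 * on OS X 10.4 and Solaris, and Heimdal reports expiry at GSSAPI level. 0 = any. */
static const struct rule rules[] = {
    { PLAT_LINUX,       0,                     KRB5_FCC_NOFILE,            SC_NO_CCACHE },
    { PLAT_OSX_MIT,     0,                     KRB5_FCC_NOFILE,            SC_NO_CCACHE },
    { PLAT_OSX_HEIMDAL, 0,                     KRB5_FCC_NOFILE,            SC_NO_CCACHE },
    { PLAT_SOLARIS,     GSS_S_NO_CRED,         0,                          SC_NO_CCACHE },
    { PLAT_LINUX,       0,                     KRB5KRB_AP_ERR_TKT_EXPIRED, SC_TICKET_EXPIRED },
    { PLAT_OSX_MIT,     0,                     KRB5KRB_AP_ERR_TKT_EXPIRED, SC_TICKET_EXPIRED },
    { PLAT_OSX_HEIMDAL, GSS_S_CONTEXT_EXPIRED, 0,                          SC_TICKET_EXPIRED },
    { PLAT_SOLARIS,     0,                     KRB5_NO_TKT_IN_RLM,         SC_TICKET_EXPIRED },
    { PLAT_LINUX,       0,                     KRB5_KDC_UNREACH,           SC_KDC_UNRESOLVABLE },
    { PLAT_OSX_MIT,     0,                     KRB5_TKT_NOT_FORWARDABLE,   SC_KDC_UNRESOLVABLE },
    { PLAT_OSX_HEIMDAL, 0,                     KRB5_KDC_UNREACH,           SC_KDC_UNRESOLVABLE },
    { PLAT_SOLARIS,     0,                     KRB5_TKT_NOT_FORWARDABLE,   SC_KDC_UNRESOLVABLE },
};

enum scenario classify(enum platform p, OM_uint32 major, OM_uint32 minor)
{
    /* Mask off calling-error and supplementary-info bits before comparing. */
    OM_uint32 routine = major & (0xffu << GSS_C_ROUTINE_ERROR_OFFSET);
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].plat != p) continue;
        if (rules[i].major && rules[i].major != routine) continue;
        if (rules[i].minor && rules[i].minor != minor) continue;
        return rules[i].sc;
    }
    return SC_UNKNOWN;  /* no simple message; the logged codes still tell admins */
}
```

The GUI would map each scenario to one short message, and fall back to a generic failure plus a pointer to the log when classify() returns SC_UNKNOWN.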
r26462: Create a function pointer map for assigning GSSAPI function pointers more efficiently
r26465: Make sure we pass execution back to OpenSSH on error, to allow clean-up and/or try alternative authentication methods
OpenSSH now compiling for all platforms with kerberos support enabled (although not yet implemented on Windows). TODO:

- Implement SSPI wrapper functions on Windows (win32-sspi)
- For consistency, include win32-sspi.h from openbsd-compat.h instead of ssh-gss.h
- Investigate mktemp symbol conflict warnings on OSX build
- Investigate removing sed strings from ThinLinc client Makefile in favour of a more portable solution during the OpenSSH configure stage
- Possibly check for win32-sspi before defining GSSAPI during configure on the Windows build
- Check that we're not linking against any unnecessary/unsafe libs
- See if there are any fixes or enhancements which might be useful upstream
(In reply to comment #16)
> - For consistency, include win32-sspi.h from openbsd-compat.h instead of
> ssh-gss.h

r26637
Patch to get rid of extra libraries in ssh submitted upstream: https://bugzilla.mindrot.org/show_bug.cgi?id=2072
Patch for Solaris support also submitted upstream: https://bugzilla.mindrot.org/show_bug.cgi?id=2073
Two todos:

a) The KERBEROS AUTH FAILED message should be removed and a failure should be handled inside LAST AUTHMETHOD (the same way it's done for other authentication methods).

b) Also in LAST AUTHMETHOD, we need to detect when the server doesn't support GSSAPI.
gss_import_name implemented in r26791.
Initial commit of gss_init_sec_context done in r26825. TODO:

- Implement expiry timestamp
- Sanity check of tokens returned from InitializeSecurityContext
- Check flags returned from InitializeSecurityContext
- Make sure that OpenSSH is getting everything it needs back from this function call (ret_flags, time_rec etc)
- Check if we can handle other return codes from InitializeSecurityContext
- See if we can set some kind of sensible minor_code for this function
Initial commit of gss_delete_sec_context done in r26826
gss_release_buffer committed in r26836.
gss_get_mic committed in r26838.
(In reply to comment #20)
> Two todos:
>
> a) The KERBEROS AUTH FAILED message should be removed and a failure should be
> handled inside LAST AUTHMETHOD (the same way it's done for other authentication
> methods).
>
> b) Also in LAST AUTHMETHOD, we need to detect when the server doesn't support
> GSSAPI.

Done in r26880, r26881, r26887, r26888.
gss_release_name committed as r26896 + r26897
gss_release_cred committed as r26898
(In reply to comment #16)
> - Check that we're not linking against any unnecessary/unsafe libs

Done.
libnsl in r26908, r26909
libutil in r26910
libcrypt in r26916
Initial commit of gss_display_status in r27025
(In reply to comment #16)
> OpenSSH now compiling for all platforms with kerberos support enabled (although
> not yet implemented on Windows). TODO:
>
> - Implement SSPI wrapper functions on Windows (win32-sspi)

Initial versions of all functions required by the SSH client now implemented.

> - Investigate mktemp symbol conflict warnings on OSX build

These are just warnings, and don't seem to affect things.

> - Investigate removing sed strings from ThinLinc client Makefile in favour of a
> more portable solution during the OpenSSH configure stage

This is part of a larger project, i.e. separating OpenSSH's linking into client/server/tool portions. Not a priority right now.

> - Possibly check for win32-sspi before defining GSSAPI during configure on the
> Windows build

Not necessary if/when we commit upstream.

> - See if there are any fixes or enhancements which might be useful upstream

This should be done last.
GUI fixed in r27319
Documentation added in r27320
Kerberos authentication should now be working across all platforms. There are potentially a few minor improvements which can be made (some extra debugging messages etc), but I think the base functionality is sufficient that this bug can be closed.
The tlclient UI is too small in simple mode. It's going to crop the branding image.
(In reply to comment #34)
> The tlclient UI is too small in simple mode. It's going to crop the branding
> image.

r27343
(In reply to comment #35)
> (In reply to comment #34)
> > The tlclient UI is too small in simple mode. It's going to crop the branding
> > image.
>
> r27343

Improved in r27353.
The gsswrap modification should be submitted upstream as well.
Started with the worst case, a Windows KDC.

1. Set up a Windows 2012 AD DC
2. Joined a Fedora 19 machine (using realmd)
3. Had to set default realm in /etc/krb5.conf for some reason
4. Installed ThinLinc on said Fedora 19
5. Configured sshd to allow kerberos auth
6. Had to fill in .k5login since sssd was using decorated usernames (LKPG\tluser or tluser@lkpg.cendio.se)
7. Configured agent hostname (or ssh would fail to find the proper realm)[1]

Tested with these clients:

- Windows 8, joined to the domain: OK
- Fedora 18, only fetched a ticket: OK
- Fedora 19, fully joined[2][3]: OK
- Solaris, only fetched a ticket: OK
- OS X 10.4, only fetched a ticket: OK
- OS X 10.8, only fetched a ticket: OK

Note 1: you can log in as either LKPG\tluser or tluser@lkpg.cendio.se in these cases
Note 2: SELinux was on at all times during this

[1]: The fact that you have to configure agent_hostname is a bug IMO and we should add a new bugzilla entry for it.
[2]: Had to reboot after join to be able to log in though
[3]: I got this funky principal which I had to add to .k5login: tluser\@LKPG.CENDIO.SE@LKPG.CENDIO.SE
Tested an expired ticket on Fedora 18. You need -d 5 to see what's happening:

2013-06-05T10:55:17: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: Ticket expired
2013-06-05T10:55:17: ssh[E]:
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: Ticket expired
2013-06-05T10:55:17: ssh[E]:
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T10:55:17: ssh[E]:
2013-06-05T10:55:17: Last line was repeated 1 time(s).
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: Matching credential not found
2013-06-05T10:55:17: ssh[E]:
2013-06-05T10:55:17: ssh[E]: debug1: No more authentication methods to try.
2013-06-05T10:55:17: ssh[E]: LAST AUTHMETHOD: publickey,gssapi-keyex,gssapi-with-mic,password

(there was an expired TGT and an expired session key in the cache)

Best we can do for now. OK.
Valid TGT, but unreachable KDC:

2013-06-05T13:23:02: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:02: ssh[E]:
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:02: ssh[E]:
2013-06-05T13:23:05: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-05T13:23:05: ssh[E]:
2013-06-05T13:23:05: Last line was repeated 1 time(s).
2013-06-05T13:23:05: ssh[E]: AUTH FAILURE

Valid TGT and valid session ticket, but unreachable KDC: Works

Non-forwardable TGT: Works.
Get a TGT from KDC #1, then switch to KDC #2:

2013-06-07T11:27:03: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-07T11:27:03: ssh[E]: KDC returned error string: PROCESS_TGS
2013-06-07T11:27:03: ssh[E]:
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-07T11:27:03: ssh[E]: KDC returned error string: PROCESS_TGS
2013-06-07T11:27:03: ssh[E]:
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure. Minor code may provide more information
2013-06-07T11:27:03: ssh[E]:
2013-06-07T11:27:03: Last line was repeated 1 time(s).
2013-06-07T11:27:03: ssh[E]: AUTH FAILURE

Get a TGT from KDC #2, then connect to a server associated with KDC #1:

2013-06-07T11:29:29: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: debug1: No more authentication methods to try.
2013-06-07T11:29:29: ssh[E]: LAST AUTHMETHOD: publickey,gssapi-keyex,gssapi-with-mic,password
Works fine with the principal ☭@LKPG.CENDIO.SE (with a Windows KDC no less). Tested with Fedora 18 and Windows 8.
Fedora 19 server with a RHEL 6 KDC:

- Fedora 18: OK
- Solaris: OK
- OS X 10.4: OK
- OS X 10.8: OK
Fedora 18 client against Fedora 19 server without GSSAPI: Correctly tells the user that the server doesn't support Kerberos.
Fedora 18 client, Solaris 10 server, RHEL 6 KDC: Works
(In reply to comment #37)
> The gsswrap modification should be submitted upstream as well.

https://bugzilla.mindrot.org/show_bug.cgi?id=2121
Everything tested and could not find anything that did not work as expected.
For reference, see also bug #4681.