#1  12-15-2015, 02:23 PM
Gael
Registered User
Join Date: Nov 2006
Posts: 4
GSSAPI - Credentials delegation not happening even in Full mode.

Hello

I have been trying to get GSSAPI credentials delegation via SecureCRT without success. The server is running OpenSSH 6.0; I'm using 7.3.5.

When trying to connect to the same server using OpenSSH on the command line from a UNIX server, the delegation occurs just fine.

Where should I investigate? The Kerberos/Active Directory server is running Windows 2013R2. The connection via GSSAPI works just fine, I can get in, but not the ticket.
The trace shows the following message:

[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [1696 bytes]
[LOCAL] : GSS : The delegation request failed, credentials will not be forwardable.
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : AUTH_SUCCESS

The full trace below:

[LOCAL] : SSH2Core version 7.3.0.903
[LOCAL] : Connecting to apspxd0098.adminmfapoc.local:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_6.0'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@apspxd0098.adminmfapoc.local
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@apspxd0098.adminmfapoc.local
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = ecdh-sha2-nistp521
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha2-512
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : SSH_MSG_KEX_ECDH_INIT
[LOCAL] : RECV : SSH_MSG_KEX_ECDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey (SHA-1 hash): 86:38:35:85:ef:e1:74:f2:e5:5a:3b:01:62:24:74:2b:cd:e4:a3:39
[LOCAL] : RECV: Remote Hostkey (MD5 hash): 37:ec:84:f4:5b:ae:65:73:ed:0a:90:e7:b4:55:20:b9
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : GSS SPN : host@apspxd0098.adminmfapoc.local
[LOCAL] : [SSPI/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
SecureCRT - Version 7.3.5 (x64 build 903)
*******************************************************************************

*******************************************************************************

[LOCAL] : [SSPI/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [1696 bytes]
[LOCAL] : GSS : The delegation request failed, credentials will not be forwardable.
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : AUTH_SUCCESS
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[LOCAL] : SEND[0]: Pty Request (rows: 45, cols: 104)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded
Last unsuccessful login: Tue Dec 15 14:40:40 CST 2015 on ssh from apspx0140.adminmfapoc.local
Last login: Tue Dec 15 14:43:46 CST 2015 on /dev/pts/1 from labe198190.adminmfapoc.local
#2  12-15-2015, 03:04 PM
rtb
VanDyke Technical Support
Join Date: Aug 2008
Posts: 4,306
Hi Gael,

You will need to investigate the Kerberos Realm. SecureCRT can only request delegation, it can't force it to happen.

In this case, the Kerberos Realm is rejecting the request.
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
#3  12-15-2015, 05:14 PM
Gael
Registered User
Join Date: Nov 2006
Posts: 4
Todd,

As I have no issue using multiple UNIX-based clients connecting to the same SSH server, I assumed it was client-side, on the Windows machine running SecureCRT, and that AD was behaving correctly in general. Is that a well-known parameter in Active Directory or some policy? This is the first time trying that, so I'm in unfamiliar waters here.
#4  12-16-2015, 08:46 AM
Gael
Registered User
Join Date: Nov 2006
Posts: 4
Issue solved: you need to go into Active Directory, select the target computer object, go to the Delegation tab and select the Trust function, which is disabled by default. Lesson learned.

Happy holidays to you all!
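The setting Gael flipped on the Delegation tab is stored on the SSH host's computer object in AD; when it is off, the KDC does not mark the service ticket ok-as-delegate and Windows SSPI silently drops the delegation request SecureCRT logs as "credentials will not be forwardable". The script below is an added example (not from the thread or from VanDyke) that reads those attributes and then requests the host ticket to confirm its flags; it assumes the RSAT ActiveDirectory module and uses a placeholder for the computer account name.

```powershell
# Added example: inspect the AD attributes behind the "Delegation" tab of a computer
# object and confirm the client can obtain a forwardable ticket for the SSH host's SPN.
# Requires the ActiveDirectory module (RSAT) and read access to the computer object.
Import-Module ActiveDirectory

function Get-SshHostDelegationState {
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalNames

    [pscustomobject]@{
        Name               = $c.Name
        # "Trust this computer for delegation to any service (Kerberos only)" = unconstrained delegation
        Unconstrained      = [bool]$c.TrustedForDelegation
        # "Trust this computer for delegation to specified services only" = constrained delegation targets
        ConstrainedTargets = @($c.'msDS-AllowedToDelegateTo')
        # "Use any authentication protocol" (protocol transition) on the constrained option
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        # A host/<fqdn> SPN must be registered, otherwise GSSAPI authentication itself fails
        HasHostSpn         = [bool]($c.ServicePrincipalNames | Where-Object { $_ -like 'host/*' })
    }
}

# Placeholder computer account name: the AD object of the SSH host from the trace
$state = Get-SshHostDelegationState -ComputerName 'APSPXD0098'
$state | Format-List

if (-not ($state.Unconstrained -or $state.ConstrainedTargets.Count -gt 0)) {
    Write-Warning "No delegation configured on $($state.Name); SSH GSSAPI delegation requests will be refused."
}

# Request the service ticket the SSH client will use; "Ticket Flags" should list "forwardable"
# once delegation is permitted (placeholder SPN from the trace).
klist get host/apspxd0098.adminmfapoc.local
```

Of the two options on the tab, unconstrained delegation hands the SSH host a reusable copy of the user's TGT, so a defender auditing this should prefer constrained delegation to the specific services the host legitimately needs.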
#5  12-16-2015, 11:00 AM
rtb
VanDyke Technical Support
Join Date: Aug 2008
Posts: 4,306
Hi Gael,

I didn't have any suggestions for you since I am not a Domain/AD administrator. I am glad to hear that you found the solution.

Thanks for posting this information for others to use in the future.
__________________
--Todd