Well, yes it does work. My point is that the level of integration is arguable, since it does not really assume the user's identity in a way that would allow that user to access network resources, and it still requires the user password or a private/public key pair for pubkey authentication.
When SSH is configured to use GSSAPI (aka Kerberos) for authentication, then your ssh users have an identity that Active Directory will accept for other network based access outside the scope of simple machine access.
Or in other words, with Kerberos authentication, your ssh users will have a network session, not just a machine session, allowing Microsoft programs to know the user without requiring a password to be entered.
Armand
Armand Welsh
--------------------------
Sent from my BlackBerry Wireless Handheld
----- Original Message -----
From: ssh@erdelynet.com <ssh@erdelynet.com>
To: ssh@erdelynet.com <ssh@erdelynet.com>
Sent: Tue Jun 19 18:18:45 2007
Subject: Re: openssh + active directory
Armand,
I’m not sure what you are referring to by “OpenSSH to run completely integrated with Active Directory” and compiling, but the Windows OpenSSH package http://sshwindows.sourceforge.net/ (may no longer be maintained) does permit Active Directory authentication of connecting users if the SSH daemon is configured to permit such access on a Windows host (mkgroup and mkpasswd used with -d option).
We have been using this package at work and it does work quite well for us. I have not looked at copSSH, but it appears to be more up to date, and I may have a look at it in the next week or so as a replacement.
Cheers,
Frank Pikelner
On 6/19/07 2:13 PM, "Welsh, Armand" <Armand.Welsh@sscims.com> wrote:
Please keep in mind that if you want OpenSSH to run completely integrated with Active Directory, then you will want to learn how to compile from source, so that you can compile the OpenSSH source with Kerberos authentication turned on. Once Kerberos is enabled, then you can SSH between Windows and Unix boxes without supplying a username/password and without using public/private key authentication. The authentication will use your Active Directory Kerberos Ticket for Identity Authentication instead.
I have not been able to get this working 100%, mainly due to the fact that MIT Kerberos for Windows doesn't work well with Cygwin packages. And I never had enough free time to figure out exactly what patches needed to be made to the source to get it all to work.
Armand
_____
From: ssh@erdelynet.com [mailto:ssh@erdelynet.com] On Behalf Of Frank Pikelner
Sent: Monday, June 18, 2007 7:18 PM
To: ssh@erdelynet.com
Subject: Re: openssh + active directory
Alan,
Yes, OpenSSH does work with AD. You need to configure OpenSSH config files. Send me an email at frank.pikelner@blue-dot.ca and I can provide instructions.
Frank
On 6/18/07 9:52 AM, "Alan Neville" <alan@barlan.ie> wrote:
Hello,
I have just installed OpenSSH on a Windows 2k3 server and I'm looking for a way to integrate it with Active Directory. Is this possible?
Many Thanks,
--
Alan Neville
Technical Support and Helpdesk,
Barlan Technologies,
Unit a, Broomfield Business Pk,
Malahide, Dublin
[e] alan dot neville at barlan dot ie
[p] +353 1 866 6111
[f] +353 1 633 5612
--
List Info: http://erdelynet.com/ssh-l/
List Archives: http://erdelynet.com/archive/ssh-l/
To Unsubscribe: Mail mailto:ssh+unsubscribe@erdelynet.com
Received on Tue, 19 Jun 2007 20:08:36 -0700
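The distinction drawn in this thread, between an sshd that only accepts a password or key pair and one that accepts GSSAPI (Kerberos), can be checked from the server's configuration. The following is an added example, not code from any poster or from the OpenSSH project: the function names and sample configurations are constructed for illustration, only the global section of the file is read, and it assumes an OpenSSH build with Kerberos/GSSAPI support compiled in.

```python
# Added example: classify an sshd_config by the authentication methods it enables.
# Function names and sample configs are constructed for illustration.

DEFAULTS = {  # OpenSSH defaults when a keyword is absent from sshd_config
    "gssapiauthentication": "no",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_auth(config_text):
    """Return {keyword: bool} for the global section of an sshd_config."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks are conditional; only global settings are read
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()  # sshd uses the first value it obtains
    merged = {**DEFAULTS, **seen}
    return {k: v == "yes" for k, v in merged.items()}

def describe(config_text):
    """Summarise whether Kerberos logon is offered and what else is accepted."""
    auth = effective_auth(config_text)
    if not auth["gssapiauthentication"]:
        return "password/key only"
    fallback = [k for k in ("passwordauthentication", "pubkeyauthentication") if auth[k]]
    return "kerberos+fallback" if fallback else "kerberos"

# Constructed sample: password or key pair required, no Kerberos identity.
PASSWORD_ONLY = "# constructed sample\nPasswordAuthentication yes\n"

# Constructed sample: Kerberos ticket is the only accepted credential.
# The trailing lowercase line is ignored because the first value wins.
KERBEROS = """GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
PubkeyAuthentication no
gssapiauthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("PASSWORD_ONLY", PASSWORD_ONLY), ("KERBEROS", KERBEROS)):
        print(name, "->", describe(cfg))
```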
This archive was generated by hypermail 2.1.8 : Wed Jul 04 2007 - 17:02:27 EDT