On 6/19/07 11:08 PM, "Welsh, Armand" <Armand.Welsh@sscims.com> wrote:
> Well, yes it does work. My point is that the level of integration is
> arguable, since it does not really assume the user's identity in a way that
> would allow that user to access network resources, and it still requires the
> user password or a private/public key pair for pubkey authentication.
>
> When SSH is configured to use GSSAPI (aka kerberos) for authentication, then
> your ssh users have an identity that active directory will accept for other
> network based access outside the scope of simple machine access.
>
> Or in other words with kerberos authentication, your ssh users will have a
> network session, not just a machine session allowing Microsoft programs to know
> the user without requiring a password to be entered.
>
> Armand
>
> Armand Welsh
> --------------------------
> Sent from my BlackBerry Wireless Handheld

Thanks for the explanation, I see what you're saying. For our needs of
remote system access, file copying, the AD authentication is sufficient as
implemented. It may be true that others require additional AD functionality.

Best regards,
Frank

>
>
> ----- Original Message -----
> From: ssh@erdelynet.com <ssh@erdelynet.com>
> To: ssh@erdelynet.com <ssh@erdelynet.com>
> Sent: Tue Jun 19 18:18:45 2007
> Subject: Re: openssh + active directory
>
> Armand,
>
> I'm not sure what you are referring to by "OpenSSH to run completely
> integrated with Active Directory" and compiling, but the Windows OpenSSH
> package http://sshwindows.sourceforge.net/ (may no longer be maintained) does
> permit Active Directory authentication of connecting users if the SSH daemon
> is configured to permit such access on a Windows host (mkgroup and mkpasswd
> used with -d option).
>
> We have been using this package at work and it does work quite well for us. I
> have not looked at copSSH, but it appears to be more up to date, and I may
> have a look at it in the next week or so as a replacement.
>
> Cheers,
>
> Frank Pikelner
>
>
>
> On 6/19/07 2:13 PM, "Welsh, Armand" <Armand.Welsh@sscims.com> wrote:
>
>
>
> Please keep in mind, that if you want OpenSSH to run completely integrated
> with Active Directory, then you will want to learn how to compile from source,
> so that you can compile the openSSH source with Kerberos authentication turned
> on. Once Kerberos is enabled, then you can SSH between windows and unix boxes
> without supplying a username/password and without using public/private key
> authentication. The authentication will use your Active Directory Kerberos
> Ticket for Identity Authentication instead.
>
> I have not been able to get this working 100%, mainly due to the fact that MIT
> Kerberos for windows doesn't work well with Cygwin packages. And I never had
> enough free time to figure out exactly what patches needed to be made to the
> source to get it all to work.
>
> Armand
>
>
> _____
>
> From: ssh@erdelynet.com [mailto:ssh@erdelynet.com] On Behalf Of Frank Pikelner
> Sent: Monday, June 18, 2007 7:18 PM
> To: ssh@erdelynet.com
> Subject: Re: openssh + active directory
>
> Alan,
>
> Yes, OpenSSH does work with AD. You need to configure OpenSSH config files.
> Send me an email at frank.pikelner@blue-dot.ca and I can provide instructions.
>
> Frank
>
>
> On 6/18/07 9:52 AM, "Alan Neville" <alan@barlan.ie> wrote:
>
>
>
> Hello,
>
> I have just installed OpenSSH on a windows 2k3 server and I'm looking for a
> way to integrate it with Active Directory. Is this possible?
>
> Many Thanks,
>
> --
> Alan Neville
>
> Technical Support and Helpdesk,
> Barlan Technologies,
> Unit a, Broomfield Business Pk, Malahide, Dublin
>
> [e] alan dot neville at barlan dot ie
> [p] +353 1 866 6111
> [f] +353 1 633 5612
>
> --
> List Info: http://erdelynet.com/ssh-l/
> List Archives: http://erdelynet.com/archive/ssh-l/
> To Unsubscribe: Mail mailto:ssh+unsubscribe@erdelynet.com
>
>
Received on Wed, 20 Jun 2007 08:13:16 -0400
This archive was generated by hypermail 2.1.8 : Wed Jul 04 2007 - 17:02:30 EDT
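
The distinction drawn in the thread between password/public-key logins and GSSAPI (Kerberos) logins maps onto three `sshd_config` keywords. The following is an added example, not part of the original thread or of any package it mentions: it reads the global section of an `sshd_config` and reports which of those methods the daemon would accept. The function names and both sample configurations are constructed for illustration, and the defaults are those of stock OpenSSH; as the thread notes, `GSSAPIAuthentication` only has an effect when sshd was built with Kerberos support.

```python
# Added example: which authentication methods does an sshd_config enable?
# Stock OpenSSH defaults for the three keywords of interest.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "gssapiauthentication": "no",
}

def enabled_auth_methods(config_text):
    """Return {keyword: bool} for the global section of an sshd_config.

    sshd keeps the first value it reads for a keyword, keywords are
    case-insensitive, and anything after a Match line is conditional,
    so parsing stops at the first Match block.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in DEFAULTS and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].lower()
    return {k: seen.get(k, DEFAULTS[k]) == "yes" for k in DEFAULTS}

def describe(methods):
    """Map the result onto the distinction made in the thread."""
    if methods["gssapiauthentication"]:
        return "Kerberos ticket accepted: login can carry an AD network identity"
    return "password/key only: machine access without a Kerberos identity"

# Constructed sample inputs (not taken from any real host).
SAMPLE_PASSWORD_ONLY = "# constructed sample\nPort 22\nPasswordAuthentication yes\n"
SAMPLE_KERBEROS = (
    "# constructed sample\n"
    "GSSAPIAuthentication yes\n"
    "gssapiauthentication no\n"      # ignored: first value wins
    "PasswordAuthentication no\n"
    "Match User backup\n"
    "    PasswordAuthentication yes\n"  # conditional, not global
)

if __name__ == "__main__":
    for name, text in (("password-only", SAMPLE_PASSWORD_ONLY), ("kerberos", SAMPLE_KERBEROS)):
        print(name, "->", describe(enabled_auth_methods(text)))
```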