1) What Rhys said about using gssclient/server test to start :-)
2) If you are not a domain machine, you'll need to use msetupgui to add
a user mapping to a local account; you can specify * for nai to map
everything to the same account.
3) From the logs you posted, I can tell that no call was ever made to
GsspInitSecContext(), so no attempt was made to establish a security
context through the SSP.
Kevin Wasserman
Painless Security
On 7/25/2014 12:00 PM, Rhys Smith wrote:
> Suggest you use gss-client and gas-server to test what’s going on. Run gas-server on the machine running SSH, and gss-client on the windows box, and make sure that it’s able to authenticate and get a message sent from one to the other - and you can see what radius attributes are present.
>
> Which reminds me that I haven’t written the wiki page on how to test using gss-client/server yet.
>
> On server, run /opt/moonshot/sbin/gss-server -verbose gss@SERVER-FQDN (or wherever the binary lives)
>
> On client, run .\gssclient.exe -user user@realm -pass XXX SERVER-FQDN gss/SERVER-FQDN “hello?"
>
> That should throw up the prompt for creds, and get the ball rolling...
>
> Rhys.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: [log in to unmask] / [log in to unmask]
> GPG: 0x4638C985
>
> On 25 Jul 2014, at 11:56, Rhys Smith <[log in to unmask]> wrote:
>
>> Bugger, sorry, I was thinking about things on the server end not the client end sorry. Ignore what I said.
>>
>> So remember that on the client end the SSP is not configured to talk to a RADIUS server, that’s only on the server end.
>>
>> On the client end, there should be no configuration necessary and you should not expect to see any RADIUS traffic. The connection to RadSec is at the SSH server end of things. All the SSP client does is get credentials from its credential store (i.e. windows credman).
>>
>> Rhys.
>> --
>> Dr Rhys Smith
>> Identity, Access, and Middleware Specialist
>> Cardiff University & Janet, the UK's research and education network
>>
>> email: [log in to unmask] / [log in to unmask]
>> GPG: 0x4638C985
>>
>> On 25 Jul 2014, at 11:41, Stefan Paetow <[log in to unmask]> wrote:
>>
>>> I'm working on putty. I've tried an authentication (AcquireCredentialsHandle is being called and I get a prompt from the credential manager to enter a password for my principal), but the SSH server says
>>>
>>> debug1: No credentials were supplied, or the credentials were unavailable or inaccessible.
>>> Unknown error
>>> debug1: Got no client credentials
>>>
>>> The files capture that specific run (after a reboot). I am pointing at the correct RADIUS server (and I know I am because when I telnet to port 2083 on the machine in question, I get a connection ok). I don't however see any connections to the RADIUS server at all, so I'd like to know how I can know whether AcquireCredentialsHandle has in fact received credentials on the client end at all?
>>>
>>> It'll help me narrow down whether it is the putty part *after* the credential acquisition that is borked or whether it how the credential's been put into the credentials manager.
>>>
>>> The Windows machine is a *workgroup* machine (i.e. *not* with a domain).
>>>
>>> Stefan
>>>
>>> -----Original Message-----
>>> From: Kevin Wasserman [mailto:[log in to unmask]]
>>> Sent: 25 July 2014 16:30
>>> To: Stefan Paetow; [log in to unmask]
>>> Subject: Re: Problems with the Windows SSP, or not?
>>>
>>> I'm sorry; I don't understand the question. Can you tell me what you were doing (precisely what apps you were running on what machines), what results you got, and what you expected?
>>>
>>> Kevin Wasserman
>>> Painless Security, LLC
>>>
>>> On 7/25/2014 11:21 AM, Stefan Paetow wrote:
>>>> Hi,
>>>> From the attached logs I'm not sure whether the SSPI actually
>>>> releases an identity or not... Can someone who knows the SSP tell me if
>>>> it actually does? From what I see in the logs it doesn't seem to release a principal?
>>>> Stefan Paetow
>>>> Moonshot Industry & Research Liaison Coordinator
>>>> t: +44 (0)1235 822 125
>>>> Janet, the UK's research and education network.
>>>>
>>>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>>>> not-for-profit company which is registered in England under No.
>>>> 2881024 and whose Registered Office is at Lumen House, Library Avenue,
>>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>>>>
>>>
>>> ---
>>> This email is free from viruses and malware because avast! Antivirus protection is active.
>>> http://www.avast.com
>>>
>>>
>>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>>> not-for-profit company which is registered in England under No. 2881024
>>> and whose Registered Office is at Lumen House, Library Avenue,
>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
|