
Feels like I'm missing something fundamental here...

Have a non-domain machine (personal machine off site) from which I VPN into our work network. Once connected, from 'klist', it appears my VPN client (Juniper) has negotiated a Kerberos ticket (krbtgt/ @ ). Note also that the local login username for this machine is different than my Active Directory username.

I'd then like to use GSSAPI/Kerberos enabled PuTTY to SSH to a Linux host (the Linux host is set up properly w/ SSSD and accepts GSSAPI logins from a similarly configured PuTTY instance on a machine that is a member of the work domain). However, I get prompted for a password on login rather than simply getting passed through.

Is there a way I can point PuTTY explicitly at the ticket I see in klist? Do I need to attempt to obtain a new ticket? If so, how? Do I need a different type of ticket (host vs. krbtgt)? I did experiment with ksetup /MapUser to try and map my local user account to the ticket I see in klist, but I get a failure with my syntax and am not sure if that's the right tree to be barking up, anyway.

Obviously I have other login alternatives here, but would like to understand what's going on.

Thanks in advance!

rayvd

2 Answers


The Kerberos client built into Windows is capable of handling this on its own. You just need to give it a little guidance on how to find the KDCs for the given realm first. It's sort of like the Windows equivalent of a krb5.conf file.

From an elevated cmd prompt, run this for each KDC you want to utilize:

ksetup /addkdc REALM.EXAMPLE.COM mykdc.realm.example.com

Now, even if your VPN client didn't already get a TGT for you, you could do the following to open a cmd prompt in the context of your Kerberos principal.

runas /netonly /user:myuser@REALM.EXAMPLE.COM cmd

Then from that prompt:

putty -ssh myuser@myserver.realm.example.com

Assuming your default PuTTY settings have GSSAPI turned on, this should log you straight into the host and Windows will have pulled your TGT in the process. Technically, you could just substitute the putty command in place of cmd for the runas command. But I prefer to keep a generic cmd prompt open that I can use for other connections or apps as well.

Ryan Bolger
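The three steps in the answer above (map the realm to its KDCs, start a logon session under the domain principal with `runas /netonly`, launch PuTTY from it), put together as one script. This is an added example, not code from the answer's author; the realm `REALM.EXAMPLE.COM`, the KDC `mykdc.realm.example.com`, the user `myuser` and the host `myserver.realm.example.com` are placeholders taken from the answer, and the reachability check on tcp/88 and the "already mapped" check are additions.

```powershell
# Added example (not from the original answer). Placeholder names are assumptions:
#   REALM.EXAMPLE.COM, mykdc.realm.example.com, myuser, myserver.realm.example.com
$Realm  = 'REALM.EXAMPLE.COM'            # Kerberos realm names are case-sensitive; use upper case
$Kdcs   = @('mykdc.realm.example.com')   # list every KDC you want the client to try
$User   = "myuser@$Realm"
$Target = 'myuser@myserver.realm.example.com'

# ksetup writes the realm/KDC mapping to HKLM, so it needs an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt (ksetup /addkdc needs admin rights).'
}

# `ksetup` with no arguments dumps the current realm configuration; only add KDCs that are missing.
$current = (& ksetup) -join "`n"
foreach ($kdc in $Kdcs) {
    if ($current -notmatch [regex]::Escape($kdc)) {
        & ksetup /addkdc $Realm $kdc
    }
}

# Kerberos talks to the KDC on port 88. If that is not reachable over the VPN, the
# client silently falls back to password prompts, which is exactly the symptom in the question.
foreach ($kdc in $Kdcs) {
    if (-not (Test-NetConnection -ComputerName $kdc -Port 88 -InformationLevel Quiet)) {
        Write-Warning "$kdc is not reachable on tcp/88; check VPN routing and DNS before continuing."
    }
}

# runas /netonly starts a *separate* logon session that uses the domain credentials only for
# network authentication. The TGT is obtained on first use and cached in that session, so
# `klist` shows it only when run from inside the new cmd window, not from this prompt.
& runas /netonly /user:$User "cmd /k putty -ssh $Target"
```

After PuTTY has logged you in, run `klist` in the cmd window that `runas` opened: it should list `krbtgt/REALM.EXAMPLE.COM@REALM.EXAMPLE.COM` plus a `host/myserver.realm.example.com` service ticket. The password `runas` asks for is your Active Directory password; the local account name on the non-domain machine is irrelevant to this flow, which is why no `ksetup /MapUser` mapping is needed.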

So, the answer here is to use a package like MIT's Kerberos for Windows (if on a Windows box) to obtain a ticket. PuTTY will then attempt to use this key, and you can explicitly ensure that the MIT stack is confirmed via the GSSAPI auth options in PuTTY's config.

On Unix, you can use the regular kinit tools from the CLI to obtain a ticket.

rayvd