Xshell Forum

support gssapi?

Last post: Friday, May 20, 2016 7:09 AM by Sebastian Schenzel, 17 reply

 
Friday, March 13, 2015 2:31 AM - Michelle

support gssapi?

 
Hello,
Does XShell support Kerberos/GSSAPI authentication now? I used Xshell4 or Xshell 5.

Sincerely,
Michelle

Program Ver. : Xshell 4
Sunday, March 15, 2015 6:32 PM - Support

Re: support gssapi?

 
Currently Xshell supports MIT Kerberos. Right now, we are working on Microsoft Kerberos. GSSAPI support has been requested and we will review it once we finish working on MS Kerberos.

Case # for this is 3041.

---
Technical Support
Wednesday, March 18, 2015 1:17 AM - Michelle

Re: support gssapi?

 
Recently I have downloaded XShell 5.before using it, I have got ticket using kerberos and can login Server with SecureCRT. my steps are:
1、Kerberos authorization。
2、Using Xshell5, it prompt Kerberos authorization dialog.
I followed the notice and input my username & password again.
3、It prompt a dialog to input public key and password(attachment: problem.png ).
I don't know to to deal.Can you help me?

The following attachments are configurations and the problem in Xshell.
====Version Info======
MIT Kerberos Version: 4.0.1
(ReleasePage:http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html)
Xshell Version:5.0 Build0537
Wednesday, March 18, 2015 2:57 AM - Support

Re: support gssapi?

 
Please try following the steps in the attached pdf file.

---
Technical support
Thursday, March 19, 2015 10:28 PM - Michelle

Re: support gssapi?

 
ok, thanks . i will try it.
Thursday, March 19, 2015 10:46 PM - Michelle

Re: support gssapi?

 
it can not work successfully when i follow your pdf file. Nothing changed .
Friday, March 20, 2015 12:07 AM - Support

Re: support gssapi?

 
Please attach the Xshell trace log and also SSH server log from the remote server.

Which Kerberos server are you using?


---
Technical Support
Thursday, January 7, 2016 8:58 AM - Sebastian Schenzel

Re: support gssapi?

 
Hello,

I have also a problem with the gssapi. I just installed the evaluation copy of the XManager Enterprise suite and tried to connect to a Debian 8 server. When I use Putty the gssapi authentication works like charm, no password is needed. So the configuration of the Linux box should be correct. But XShell tells me:

[09:22:06] Hostkey fingerprint:
[09:22:06] ssh-rsa 2048 d9:0f:1e:74:20:f7:43:9e:c8:67:a1:ca:e6:a6:f9:18
[09:22:06] Accepted. Verifying host key...
[09:22:06] Verified.
[09:22:06] User authentication initiated...
[09:22:06] Sent user name 'username'.
[09:22:06] trying GSSAPI authentication
[09:22:06] GSSAPI authentication request refused

I tried several formats for the username: username, domain\username, username@domain. The result is the same everytime. I appended a file containing the regarding log entries of the sshd and the part of the sshd_config with the Kerberos and GSSAPI parameters.
Wednesday, January 13, 2016 1:23 AM - Support

Re: support gssapi?

 
Are there any differences between the ticket names, setting, etc. that you are using for Putty and Xshell?

Currently Xshell supports MIT and MS kerberos. Which ticket management program are you using?

Technical Support

Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Tuesday, January 19, 2016 8:59 AM - Sebastian Schenzel

Re: support gssapi?

 
Sorry for the deIayed answert, I was on a training last week.

I tried to use the same settings in XShell as in Putty. I'll attach screenshots of my XShell and Putty session settings.

Regarding the XShell session authentication settings, I tried every combination of settings, with credential delegation and without and MIT Kerberos, MS Kerbos and auto select.

I didn't use any ticket management tool. As I understood it, my Windows Laptop recieves a Kerberos ticket from the Active Directory Server and this is used for authentication by Putty. Am I wrong? I'm pretty new to this.
Thursday, January 21, 2016 8:30 PM - Support

Re: support gssapi?

 
Thanks for the response.

We're further looking into the issue and once we find the root of the problem, we'll get back to you asap.

Technical Support

Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Thursday, February 4, 2016 10:10 AM - Sebastian Schenzel

Re: support gssapi?

 
Are there any news on this topic?
Wednesday, February 17, 2016 3:15 AM - Support

Re: support gssapi?

 
We've tested using PBIS(PowerBroker Identity Services) and successfully logged into a Linux box using Windows 2012 credentials.

http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

However, login with putty failed. We believe success or failure depends on the Kerberos identity service of Linux. Do you know which Kerberos identity service your Linux is utilizing so we can investigate further?

Technical Support

Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Attachment image.png (150.5 KB)  
Tuesday, February 23, 2016 9:30 AM - Sebastian Schenzel

Re: support gssapi?

 
I'm using a Debian 8 box with Kerberos 5 and Winbind from the official distribution repos.

I've attached a file with the installed packages, including their version and my configuration files. Hope it helps!
Thursday, February 25, 2016 8:37 PM - Support

Re: support gssapi?

 
Thanks for the information. We'll further investigate the issue and get back to you as soon as we have something.

Technical Support

Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Monday, April 11, 2016 7:12 AM - Sebastian Schenzel

Re: support gssapi?

 
Hey,

are there any news on this topic?

Regards,

Sebastian
Thursday, April 14, 2016 6:40 AM - Support]

Re: support gssapi?

 
I apologize for the delay.

We have extensively tested this according to your configuration of Debian and Winbind, but were unsuccessful in our attempts in setting up a Kerberos environment.

We, however, did had success when using something similar to your configurations. We appreciate your patience while we further test and attempt to set up a Kerberos environment with your exact specifications. Some more time is required for us to identify the issue.

Technical Support

Like us on Facebook
Follow us on Twitter
Visit our blog Blog
Friday, May 20, 2016 7:09 AM - Sebastian Schenzel

Re: support gssapi?

 
Thank you for your afford!

If you give me your configuration, which worked, I can try to use it in my testing environment and see if it works. If yes, I can maybe find the parameters making the differents.