Kerberos authentication not working with 4.1.0


alfp
Location: The University of Melbourne


I have one server that I have been connecting to successfully with Kerberos 5 authentication using WinSCP 4.0.7.

After installing 4.1.0 (build 375) I am now being asked for a password every time I connect, despite having a valid ticket in the Network Identity Manager. I have checked that the "Attempt GSSAPI/SSPI" option has been checked for this stored session and that the correct "Service principal name" has been entered. Is there any other setting that needs to be altered in order to use Kerberos 5 authentication in 4.1.0?

OS: WinXP SP2
Interface: Explorer

Alf.


martin
Site Admin
Location: Prague, Czechia


What if you enter nothing into the password prompt?
Can you also post a log file?


alfp


Entering an empty password fails. The connection is only completed after entering the password. The log file follows below. Note that current credentials for alfp@unimelb.edu.au and alfp@athena.unimelb.edu.au were available in my Network Identity Manager, but it is the latter one that is required for the connection being attempted. Log output:
. 2008-04-23 16:30:43.093 --------------------------------------------------------------------------
. 2008-04-23 16:30:43.093 WinSCP Version 4.1.0 (Build 375) (OS 5.1.2600 Service Pack 2)
. 2008-04-23 16:30:43.093 Login time: Wednesday, 23 April 2008 4:30:43 PM
. 2008-04-23 16:30:43.093 --------------------------------------------------------------------------
. 2008-04-23 16:30:43.093 Session name: avon1
. 2008-04-23 16:30:43.093 Host name: avon1.its.unimelb.edu.au (Port: 22)
. 2008-04-23 16:30:43.093 User name: alfp (Password: No, Key file: No)
. 2008-04-23 16:30:43.093 Tunnel: No
. 2008-04-23 16:30:43.093 Transfer Protocol: SFTP
. 2008-04-23 16:30:43.093 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2008-04-23 16:30:43.093 Proxy: none
. 2008-04-23 16:30:43.093 SSH protocol version: 2; Compression: No
. 2008-04-23 16:30:43.093 Bypass authentication: No
. 2008-04-23 16:30:43.093 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2008-04-23 16:30:43.093 GSSAPI: Forwarding: Yes; Server realm: athena.unimelb.edu.au
. 2008-04-23 16:30:43.093 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2008-04-23 16:30:43.093 SSH Bugs: -,-,-,-,-,-,-,-
. 2008-04-23 16:30:43.093 SFTP Bugs: -,-
. 2008-04-23 16:30:43.093 Return code variable: Autodetect; Lookup user groups: Yes
. 2008-04-23 16:30:43.093 Shell: default, EOL: 0
. 2008-04-23 16:30:43.093 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2008-04-23 16:30:43.093 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2008-04-23 16:30:43.093 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2008-04-23 16:30:43.093 Cache directory changes: Yes, Permanent: Yes
. 2008-04-23 16:30:43.093 DST mode: 1
. 2008-04-23 16:30:43.093 --------------------------------------------------------------------------
. 2008-04-23 16:30:43.171 Looking up host "avon1.its.unimelb.edu.au"
. 2008-04-23 16:30:43.171 Connecting to 172.22.27.82 port 22
. 2008-04-23 16:30:43.187 Server version: SSH-1.99-OpenSSH_3.9p1
. 2008-04-23 16:30:43.187 We claim version: SSH-2.0-WinSCP_release_4.1
. 2008-04-23 16:30:43.203 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 16:30:43.203 Warning: no '/' found in SPN athena.unimelb.edu.au
. 2008-04-23 16:30:43.203 Constructed service principal name 'athena.unimelb.edu.au'
. 2008-04-23 16:30:43.203 GSSKEX disabled: The specified target is unknown or unreachable
 
. 2008-04-23 16:30:43.203 Using SSH protocol version 2
. 2008-04-23 16:30:43.203 Doing Diffie-Hellman group exchange
. 2008-04-23 16:30:43.250 Doing Diffie-Hellman key exchange with hash SHA-1
. 2008-04-23 16:30:43.437 Host key fingerprint is:
. 2008-04-23 16:30:43.437 ssh-rsa 1024 52:85:41:3c:eb:3f:13:58:d3:71:dc:e7:57:c0:3e:01
. 2008-04-23 16:30:43.437 Initialised AES-256 SDCTR client->server encryption
. 2008-04-23 16:30:43.437 Initialised HMAC-SHA1 client->server MAC algorithm
. 2008-04-23 16:30:43.437 Initialised AES-256 SDCTR server->client encryption
. 2008-04-23 16:30:43.437 Initialised HMAC-SHA1 server->client MAC algorithm
! 2008-04-23 16:30:43.484 Using username "alfp".
. 2008-04-23 16:30:43.546 SSPI: trying user_name='alfp' service=''
. 2008-04-23 16:30:43.546 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 16:30:43.546 Warning: no '/' found in SPN athena.unimelb.edu.au
. 2008-04-23 16:30:43.546 Constructed service principal name 'athena.unimelb.edu.au'
! 2008-04-23 16:30:43.546 Using GSSAPI service principal name "athena.unimelb.edu.au".
. 2008-04-23 16:30:43.593 InitializeSecurityContext: The specified target is unknown or unreachable
 
. 2008-04-23 16:30:43.593 GSSAPI authentication aborted
. 2008-04-23 16:30:43.593 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:30:47.484 Sent password
! 2008-04-23 16:30:47.484 Access denied
. 2008-04-23 16:30:47.484 Access denied
. 2008-04-23 16:30:47.484 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:15.218 Sent password
! 2008-04-23 16:31:15.218 Access denied
. 2008-04-23 16:31:15.218 Access denied
. 2008-04-23 16:31:15.218 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:25.437 Sent password
! 2008-04-23 16:31:27.984 Access denied
. 2008-04-23 16:31:27.984 Access denied
. 2008-04-23 16:31:27.984 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:45.843 Sent password
. 2008-04-23 16:31:46.078 Access granted
. 2008-04-23 16:31:47.015 Opened channel for session
. 2008-04-23 16:31:47.015 Started a shell/command
. 2008-04-23 16:31:47.015 --------------------------------------------------------------------------
. 2008-04-23 16:31:47.015 Using SFTP protocol.
. 2008-04-23 16:31:47.015 Doing startup conversation with host.
> 2008-04-23 16:31:47.015 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2008-04-23 16:31:47.765 Type: SSH_FXP_VERSION, Size: 5, Number: -1
. 2008-04-23 16:31:47.765 SFTP version 3 negotiated.
. 2008-04-23 16:31:47.765 We believe the server has signed timestamps bug
. 2008-04-23 16:31:47.765 We will use UTF-8 strings for status messages only
. 2008-04-23 16:31:47.765 Limiting packet size to OpenSSH sftp-server limit of 262148 bytes
. 2008-04-23 16:31:47.765 Getting current directory name.
. 2008-04-23 16:31:47.765 Getting real path for '.'
> 2008-04-23 16:31:47.765 Type: SSH_FXP_REALPATH, Size: 10, Number: 16
< 2008-04-23 16:31:47.765 Type: SSH_FXP_NAME, Size: 97, Number: 16
. 2008-04-23 16:31:47.765 Real path is '/afs/athena.unimelb.edu.au/user/a/alfp'
. 2008-04-23 16:31:47.765 Listing directory "/afs/athena.unimelb.edu.au/user/a/alfp".
> 2008-04-23 16:31:47.765 Type: SSH_FXP_OPENDIR, Size: 47, Number: 267
< 2008-04-23 16:31:47.765 Type: SSH_FXP_HANDLE, Size: 13, Number: 267
> 2008-04-23 16:31:47.765 Type: SSH_FXP_READDIR, Size: 13, Number: 524
< 2008-04-23 16:31:49.703 Type: SSH_FXP_NAME, Size: 6797, Number: 524
> 2008-04-23 16:31:49.703 Type: SSH_FXP_READDIR, Size: 13, Number: 780
. 2008-04-23 16:31:49.703 Reading symlink ".profile".
> 2008-04-23 16:31:49.703 Type: SSH_FXP_READLINK, Size: 56, Number: 1043
> 2008-04-23 16:31:49.703 Type: SSH_FXP_STAT, Size: 56, Number: 1297
< 2008-04-23 16:31:49.703 Type: SSH_FXP_STATUS, Size: 28, Number: 780
. 2008-04-23 16:31:49.703 Storing reserved response
< 2008-04-23 16:31:49.703 Type: SSH_FXP_NAME, Size: 57, Number: 1043
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 1297
. 2008-04-23 16:31:49.890 Reading symlink ".cvs_editor".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 59, Number: 1555
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 59, Number: 1809
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 63, Number: 1555
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 1809
. 2008-04-23 16:31:49.890 Reading symlink ".oracle_editor".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 62, Number: 2067
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 62, Number: 2321
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 69, Number: 2067
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 2321
. 2008-04-23 16:31:49.890 Reading symlink ".Xdefaults".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 58, Number: 2579
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 58, Number: 2833
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 61, Number: 2579
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 2833
. 2008-04-23 16:31:49.890 Reading symlink ".setup".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 54, Number: 3091
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 54, Number: 3345
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 53, Number: 3091
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 3345
. 2008-04-23 16:31:49.890 Reading symlink ".tcsh-bindings".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 62, Number: 3603
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 62, Number: 3857
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 69, Number: 3603
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 3857
. 2008-04-23 16:31:49.890 Reading symlink ".vilemenu".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 57, Number: 4115
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 57, Number: 4369
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 59, Number: 4115
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 4369
. 2008-04-23 16:31:49.906 Reading symlink ".vilerc".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 55, Number: 4627
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 55, Number: 4881
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 55, Number: 4627
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 4881
. 2008-04-23 16:31:49.906 Reading symlink ".xmenu.dat".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 58, Number: 5139
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 58, Number: 5393
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 61, Number: 5139
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 5393
. 2008-04-23 16:31:49.906 Reading symlink "manlist.sh".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 58, Number: 5651
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 58, Number: 5905
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 61, Number: 5651
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 5905
. 2008-04-23 16:31:49.906 Reading symlink "oracle".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 54, Number: 6163
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 54, Number: 6417
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 53, Number: 6163
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 6417
. 2008-04-23 16:31:49.906 Reading symlink "perl_scripts".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 60, Number: 6675
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 60, Number: 6929
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 65, Number: 6675
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 6929
. 2008-04-23 16:31:49.921 Reading symlink "sqlplus_setup_X".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 63, Number: 7187
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 63, Number: 7441
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 71, Number: 7187
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 7441
. 2008-04-23 16:31:49.921 Reading symlink "sqlplus_setup_non_X".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 67, Number: 7699
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 67, Number: 7953
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 79, Number: 7699
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 7953
. 2008-04-23 16:31:49.921 Reading symlink ".tcshrc".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 55, Number: 8211
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 55, Number: 8465
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 55, Number: 8211
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 8465
. 2008-04-23 16:31:49.921 Reading symlink ".login".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 54, Number: 8723
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 54, Number: 8977
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 53, Number: 8723
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 8977
. 2008-04-23 16:31:49.921 Reading symlink ".a2ps".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 53, Number: 9235
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 53, Number: 9489
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 51, Number: 9235
< 2008-04-23 16:31:49.937 Type: SSH_FXP_ATTRS, Size: 37, Number: 9489
< 2008-04-23 16:31:49.937 Status/error code: 1
> 2008-04-23 16:31:49.937 Type: SSH_FXP_CLOSE, Size: 13, Number: 9732
. 2008-04-23 16:31:49.937 Startup conversation with host finished.
. 2008-04-23 16:32:13.468 Closing connection.
Alf.


martin


First, I know very little about Kerberos :-)
In 4.1 the implementation of Kerberos has changed, because the existing implementation does not exist for PuTTY 0.60.
Now WinSCP uses Kerberos implementation from Quest PuTTY. According to their documentation the Service Principal Name should be in format: ftp/server.example.com@EXAMPLE.COM
Also see related entry in log file:
Warning: no '/' found in SPN athena.unimelb.edu.au
Maybe this gives you some hint?


alfp


Yes, I also noticed that in the log that I posted. After talking to one of our systems programmers, I have also tried setting the service principal name to host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU with essentially the same result. Leading part of log from this attempt is:
. 2008-04-23 17:11:18.546 --------------------------------------------------------------------------
. 2008-04-23 17:11:18.546 WinSCP Version 4.1.0 (Build 375) (OS 5.1.2600 Service Pack 2)
. 2008-04-23 17:11:18.546 Login time: Wednesday, 23 April 2008 5:11:18 PM
. 2008-04-23 17:11:18.546 --------------------------------------------------------------------------
. 2008-04-23 17:11:18.546 Session name: avon1
. 2008-04-23 17:11:18.546 Host name: avon1.its.unimelb.edu.au (Port: 22)
. 2008-04-23 17:11:18.546 User name: alfp (Password: No, Key file: No)
. 2008-04-23 17:11:18.546 Tunnel: No
. 2008-04-23 17:11:18.546 Transfer Protocol: SFTP
. 2008-04-23 17:11:18.546 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2008-04-23 17:11:18.546 Proxy: none
. 2008-04-23 17:11:18.546 SSH protocol version: 2; Compression: No
. 2008-04-23 17:11:18.546 Bypass authentication: No
. 2008-04-23 17:11:18.546 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2008-04-23 17:11:18.546 GSSAPI: Forwarding: Yes; Server realm: host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU
. 2008-04-23 17:11:18.546 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2008-04-23 17:11:18.546 SSH Bugs: -,-,-,-,-,-,-,-
. 2008-04-23 17:11:18.546 SFTP Bugs: -,-
. 2008-04-23 17:11:18.546 Return code variable: Autodetect; Lookup user groups: Yes
. 2008-04-23 17:11:18.546 Shell: default, EOL: 0
. 2008-04-23 17:11:18.546 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2008-04-23 17:11:18.546 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2008-04-23 17:11:18.546 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2008-04-23 17:11:18.546 Cache directory changes: Yes, Permanent: Yes
. 2008-04-23 17:11:18.546 DST mode: 1
. 2008-04-23 17:11:18.546 --------------------------------------------------------------------------
. 2008-04-23 17:11:18.625 Looking up host "avon1.its.unimelb.edu.au"
. 2008-04-23 17:11:18.640 Connecting to 172.22.27.82 port 22
. 2008-04-23 17:11:18.640 Server version: SSH-1.99-OpenSSH_3.9p1
. 2008-04-23 17:11:18.640 We claim version: SSH-2.0-WinSCP_release_4.1
. 2008-04-23 17:11:18.656 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:11:18.656 Constructed service principal name 'host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU'
. 2008-04-23 17:11:18.656 GSSKEX disabled: The specified target is unknown or unreachable
 
. 2008-04-23 17:11:18.656 Using SSH protocol version 2
. 2008-04-23 17:11:18.656 Doing Diffie-Hellman group exchange
. 2008-04-23 17:11:18.703 Doing Diffie-Hellman key exchange with hash SHA-1
. 2008-04-23 17:11:18.890 Host key fingerprint is:
. 2008-04-23 17:11:18.890 ssh-rsa 1024 52:85:41:3c:eb:3f:13:58:d3:71:dc:e7:57:c0:3e:01
. 2008-04-23 17:11:18.890 Initialised AES-256 SDCTR client->server encryption
. 2008-04-23 17:11:18.890 Initialised HMAC-SHA1 client->server MAC algorithm
. 2008-04-23 17:11:18.890 Initialised AES-256 SDCTR server->client encryption
. 2008-04-23 17:11:18.890 Initialised HMAC-SHA1 server->client MAC algorithm
! 2008-04-23 17:11:18.921 Using username "alfp".
. 2008-04-23 17:11:19.000 SSPI: trying user_name='alfp' service=''
. 2008-04-23 17:11:19.000 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:11:19.000 Constructed service principal name 'host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU'
! 2008-04-23 17:11:19.000 Using GSSAPI service principal name "host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU".
. 2008-04-23 17:11:19.031 InitializeSecurityContext: The specified target is unknown or unreachable
 
. 2008-04-23 17:11:19.031 GSSAPI authentication aborted
. 2008-04-23 17:11:19.031 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:11:27.906 Sent password
! 2008-04-23 17:11:27.906 Access denied
. 2008-04-23 17:11:27.906 Access denied
. 2008-04-23 17:11:27.906 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:11:46.140 Sent password
. 2008-04-23 17:11:46.484 Access granted
. 2008-04-23 17:11:47.093 Opened channel for session
. 2008-04-23 17:11:47.093 Started a shell/command
. 2008-04-23 17:11:47.093 --------------------------------------------------------------------------
. 2008-04-23 17:11:47.093 Using SFTP protocol.
I also tried with the service principal name left blank. The leading part of the log from this attempt is:
. 2008-04-23 17:24:01.515 --------------------------------------------------------------------------
. 2008-04-23 17:24:01.515 WinSCP Version 4.1.0 (Build 375) (OS 5.1.2600 Service Pack 2)
. 2008-04-23 17:24:01.515 Login time: Wednesday, 23 April 2008 5:24:01 PM
. 2008-04-23 17:24:01.515 --------------------------------------------------------------------------
. 2008-04-23 17:24:01.515 Session name: avon1
. 2008-04-23 17:24:01.515 Host name: avon1.its.unimelb.edu.au (Port: 22)
. 2008-04-23 17:24:01.515 User name: alfp (Password: No, Key file: No)
. 2008-04-23 17:24:01.515 Tunnel: No
. 2008-04-23 17:24:01.515 Transfer Protocol: SFTP
. 2008-04-23 17:24:01.515 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2008-04-23 17:24:01.515 Proxy: none
. 2008-04-23 17:24:01.515 SSH protocol version: 2; Compression: No
. 2008-04-23 17:24:01.515 Bypass authentication: No
. 2008-04-23 17:24:01.515 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2008-04-23 17:24:01.515 GSSAPI: Forwarding: Yes; Server realm: 
. 2008-04-23 17:24:01.515 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2008-04-23 17:24:01.515 SSH Bugs: -,-,-,-,-,-,-,-
. 2008-04-23 17:24:01.515 SFTP Bugs: -,-
. 2008-04-23 17:24:01.515 Return code variable: Autodetect; Lookup user groups: Yes
. 2008-04-23 17:24:01.515 Shell: default, EOL: 0
. 2008-04-23 17:24:01.515 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2008-04-23 17:24:01.515 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2008-04-23 17:24:01.515 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2008-04-23 17:24:01.515 Cache directory changes: Yes, Permanent: Yes
. 2008-04-23 17:24:01.515 DST mode: 1
. 2008-04-23 17:24:01.515 --------------------------------------------------------------------------
. 2008-04-23 17:24:01.609 Looking up host "avon1.its.unimelb.edu.au"
. 2008-04-23 17:24:01.609 Connecting to 172.22.27.82 port 22
. 2008-04-23 17:24:01.671 Server version: SSH-1.99-OpenSSH_3.9p1
. 2008-04-23 17:24:01.671 We claim version: SSH-2.0-WinSCP_release_4.1
. 2008-04-23 17:24:01.687 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:24:01.687 Constructed service principal name 'host/avon1.its.unimelb.edu.au'
. 2008-04-23 17:24:01.687 GSSKEX disabled: The specified target is unknown or unreachable
 
. 2008-04-23 17:24:01.687 Using SSH protocol version 2
. 2008-04-23 17:24:01.687 Doing Diffie-Hellman group exchange
. 2008-04-23 17:24:01.734 Doing Diffie-Hellman key exchange with hash SHA-1
. 2008-04-23 17:24:01.921 Host key fingerprint is:
. 2008-04-23 17:24:01.921 ssh-rsa 1024 52:85:41:3c:eb:3f:13:58:d3:71:dc:e7:57:c0:3e:01
. 2008-04-23 17:24:01.921 Initialised AES-256 SDCTR client->server encryption
. 2008-04-23 17:24:01.921 Initialised HMAC-SHA1 client->server MAC algorithm
. 2008-04-23 17:24:01.921 Initialised AES-256 SDCTR server->client encryption
. 2008-04-23 17:24:01.921 Initialised HMAC-SHA1 server->client MAC algorithm
! 2008-04-23 17:24:01.968 Using username "alfp".
. 2008-04-23 17:24:02.046 SSPI: trying user_name='alfp' service=''
. 2008-04-23 17:24:02.046 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:24:02.046 Constructed service principal name 'host/avon1.its.unimelb.edu.au'
! 2008-04-23 17:24:02.046 Using GSSAPI service principal name "host/avon1.its.unimelb.edu.au".
. 2008-04-23 17:24:02.093 InitializeSecurityContext: The specified target is unknown or unreachable
 
. 2008-04-23 17:24:02.093 GSSAPI authentication aborted
. 2008-04-23 17:24:02.093 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:24:04.203 Sent password
! 2008-04-23 17:24:04.203 Access denied
. 2008-04-23 17:24:04.203 Access denied
. 2008-04-23 17:24:04.203 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:24:11.109 Sent password
. 2008-04-23 17:24:11.406 Access granted
. 2008-04-23 17:24:12.187 Opened channel for session
. 2008-04-23 17:24:12.187 Started a shell/command
. 2008-04-23 17:24:12.203 --------------------------------------------------------------------------
. 2008-04-23 17:24:12.203 Using SFTP protocol.
Let me know if there is anything else you would like me to try.

Alf.


alfp


The advice I had been given about the format of the Service Principal Name suggested that I use something of the form host/server.example.com@EXAMPLE.COM which you will see from my last reply did not work. I have now tried using values for the SPN prefixed with both ftp and sftp instead of host, but both of these get the same GSSAPI authentication error as the previous attempts.

I don't know if this will shed any further light on this problem, but thought I should pass on this additional information.

Please let me know if there is anything else that I could try.

Alf.


alfp


Quest PuTTY also fails to use the Kerberos credentials stored in the Network Identity Manager. However, PuTTY-0.58-GSSAPI uses the stored credentials and connects quite happily without prompting for a password. The leading portion of the log file for Quest PuTTY has this information:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.05.06 14:07:21 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH raw data mode) to file: C:\Documents and Settings\alfp\Desktop\PuTTy_logs\putty_06_140721_avon1.its.unimelb.edu.au.log
Event Log: Looking up host "avon1.its.unimelb.edu.au"
Event Log: Connecting to 172.22.27.82 port 22
Incoming raw data
  00000000  53 53 48 2d 31 2e 39 39 2d 4f 70 65 6e 53 53 48  SSH-1.99-OpenSSH
  00000010  5f 33 2e 39 70 31 0a                             _3.9p1.
Event Log: Server version: SSH-1.99-OpenSSH_3.9p1
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.60_q1.129
Outgoing raw data
  00000000  53 53 48 2d 32 2e 30 2d 50 75 54 54 59 5f 52 65  SSH-2.0-PuTTY_Re
  00000010  6c 65 61 73 65 5f 30 2e 36 30 5f 71 31 2e 31 32  lease_0.60_q1.12
  00000020  39 0d 0a                                         9..
Event Log: SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
Event Log: Constructed service principal name 'host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU'
Event Log: GSSKEX disabled: The specified target is unknown or unreachable

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
while the PuTTY-0.58-GSSAPI log has:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.05.06 10:10:16 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH packets mode) to file: C:\Documents and Settings\alfp\Desktop\PuTTy_logs\putty_06_101016_avon1.its.unimelb.edu.au.log
Event Log: Looking up host "avon1.its.unimelb.edu.au"
Event Log: Connecting to 172.22.27.82 port 22
Event Log: Server version: SSH-1.99-OpenSSH_3.9p1
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.58_GSSAPI
Event Log: Using SSH protocol version 2
Incoming packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
Does this provide any further clues to the problem?

Alf.


martin


Sorry, I really do not know how to help you :-( Maybe you can ask at Quest PuTTY forum. If you receive any help there, please let us know.


alfp


I have now had a response on the Quest PuTTY forum that answers this problem. Quest PuTTY does not use the MIT Kerberos for Windows credentials. Instead, it uses credentials held in a Microsoft Credentials Cache. To get Kerberos authentication working in our environment I had to do the following:

1. Run the Windows Support Tools program ksetup multiple times:
ksetup /AddKdc <Realm Name> <Primary KDC name>
ksetup /AddKdc <Realm Name> <Secondary KDC name>
ksetup /AddKdc <Realm Name> <Tertiary KDC name>
ksetup /SetRealmFlags <Realm Name> Delegate
This identified our Kerberos realm and its Key Distribution Centres, and ensured that credentials could be forwarded.

2. The program (either Quest PuTTY or WinSCP 4.1.x) can then be run using runas:
runas /netonly /user:<username>@<Realm Name> <program>
which prompts for the Kerberos password in a Command window to establish credentials, then starts the program. Additional sessions can be established against these credentials using the "Sessions -> New Session" or "Sessions -> Stored Sessions" navigation. However, a completely new instance of the program will not re-use these credentials; each runas command will prompt for the Kerberos password again.

Alternatively, the Kerberos username and password can be saved through the User Accounts control panel. If this is done, the program can be called directly rather than through runas. This option is obviously more convenient, but might be considered to be a security risk.

Irrespective of which of these ways WinSCP 4.1.x is connected to a Kerberos enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials – the Kerberos password will have to be entered again. Is this expected behaviour?

Alf.

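The two steps in the post above, registering a non-AD realm with ksetup and then starting the client under runas /netonly, as an added PowerShell example; this is not code from the thread, from WinSCP or from Quest PuTTY. It assumes placeholder values for the realm, KDC names, user name and WinSCP path, and reads ksetup's result back from the registry key under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains, where ksetup stores the KDC list (KdcNames) and the realm flags (RealmFlags, with 0x4 being Delegate). The registering step needs an elevated shell; the runas step does not.

```powershell
#Requires -Version 3.0
# Added example (not code from the thread, WinSCP or Quest PuTTY): the two steps
# alfp describes, registering a non-AD Kerberos realm with ksetup and starting
# the client under runas /netonly, with a check of the result in between.
# Realm, KDC names, user name and program path are placeholders.

$Realm   = 'KRB.EXAMPLE.ORG'                          # placeholder realm, upper case
$Kdcs    = @('kdc1.example.org', 'kdc2.example.org')  # placeholder KDC host names
$User    = 'someuser'                                 # placeholder principal, without realm
$Program = 'C:\Program Files\WinSCP\WinSCP.exe'       # placeholder path of the client to start

# ksetup writes realm settings here: KdcNames (REG_MULTI_SZ) and RealmFlags (REG_DWORD);
# bit 0x4 of RealmFlags is the Delegate flag set by "ksetup /SetRealmFlags <realm> Delegate"
$RealmKey     = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
$DelegateFlag = 0x4

function Test-IsElevated {
    # ksetup modifies HKLM, so Register-Realm needs an elevated PowerShell
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RealmConfig {
    # What Windows currently knows about the realm; $null if it is not registered at all
    if (-not (Test-Path $RealmKey)) { return $null }
    $p = Get-ItemProperty -Path $RealmKey
    [pscustomobject]@{
        Kdcs     = @($p.KdcNames | Where-Object { $_ })
        Delegate = (([int]$p.RealmFlags -band $DelegateFlag) -ne 0)
    }
}

function Register-Realm {
    # Step 1 of the thread: one ksetup /AddKdc per KDC, then the Delegate realm flag,
    # which is what lets forwarded credentials work (WinSCP logs "GSSAPI: Forwarding: Yes")
    if (-not (Test-IsElevated)) { throw 'Run Register-Realm from an elevated (Administrator) PowerShell.' }
    $current = Get-RealmConfig
    foreach ($kdc in $Kdcs) {
        if ($current -and ($current.Kdcs -contains $kdc)) { continue }   # already registered
        & ksetup.exe /AddKdc $Realm $kdc
        if ($LASTEXITCODE -ne 0) { throw "ksetup /AddKdc $Realm $kdc failed with exit code $LASTEXITCODE" }
    }
    if (-not ($current -and $current.Delegate)) {
        & ksetup.exe /SetRealmFlags $Realm Delegate
        if ($LASTEXITCODE -ne 0) { throw "ksetup /SetRealmFlags $Realm Delegate failed with exit code $LASTEXITCODE" }
    }
    Get-RealmConfig   # show the registered KDCs and Delegate flag as a final check
}

function Start-WithRealmCredentials {
    # Step 2 of the thread: runas /netonly prompts for the Kerberos password once and
    # starts the program with those credentials for network use only. Nothing is saved,
    # so every new runas prompts again; that is the trade-off against storing the
    # password in the User Accounts control panel, which the post flags as a risk.
    $cfg = Get-RealmConfig
    if (-not $cfg -or $cfg.Kdcs.Count -eq 0) {
        throw "Realm $Realm has no KDC registered; run Register-Realm first."
    }
    & runas.exe /netonly "/user:${User}@${Realm}" $Program
}

# Usage:
#   Register-Realm                # once, from an elevated PowerShell
#   Start-WithRealmCredentials    # each time the client is started
```

The check before runas catches the situation the thread started from: a client that silently falls back to a password prompt because Windows has no KDC registered for the realm, which is what the "The specified target is unknown or unreachable" lines in the logs above reflect. Keeping the password out of the User Accounts store, as the runas route does, avoids the stored-credential risk the post mentions.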

martin


Thanks for sharing the above information!

alfp wrote:

Irrespective of which of these ways WinSCP 4.1.x is connected to a kerberos enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials – the kerberos password will have to be entered again. Is this expected behaviour?
Do you have Quest PuTTY configured in WinSCP?


alfp


martin wrote:

Do you have Quest PuTTY configured in WinSCP?
This was the problem. Quest PuTTY installs into C:\Program Files\Quest PuTTy\PuTTy\PuTTy.exe by default. Changing the preference setting (the existence of which I was unaware) to point to the Quest PuTTY fixes this.

Alf.


alfp


martin wrote:

BTW, supposing you understand the topic more than I do, would you update Kerberos-related documentation a bit?
I have added to the notes for the Kerberos authentication check box and the Service Principal Name field that describe our situation where the Kerberos realm is not in the AD. I don't know if this is also true for cases where the Kerberos realm is in the AD. Anyway, hopefully my additions are helpful.

Alf.


martin


alfp wrote:

I have added to the notes for the Kerberos authentication check box and the Service Principal Name field that describe our situation where the Kerberos realm is not in the AD. I don't know if this is also true for cases where the Kerberos realm is in the AD. Anyway, hopefully my additions are helpful.
Thanks, I appreciate it. I have just reformatted your text to follow the other doc style. BTW, AD stands for "Active Directory", I suppose?


jp10558
Guest

So I'm really confused. I'm on Windows in an NT4 domain. With WinSCP 3.x, it basically just worked with MIT Kerberos for Windows 3.2.2. Now with the latest 4.1.7 version, it doesn't seem to work at all. No matter what instructions I try and follow, it doesn't ever pop up or use the Network Identity Manager tickets, and instead asks me for a password again...

Do I have to downgrade WinSCP to have it function?


alfp

@jp10558: The problem is with the underlying PuTTY that is used. WinSCP 4.0.x and earlier uses PuTTY-0.58-GSSAPI, which, as you have seen, interfaces with MIT Kerberos for Windows. From version 4.1 of WinSCP, the PuTTY that is used is Quest-PuTTY-0.60-q1-129, which does not interface with MIT Kerberos for Windows. Instead, this version of PuTTY uses Windows' own internal Kerberos authentication. Even if you have MIT Kerberos for Windows running with a valid ticket cached, this newer PuTTY will not use it. If your Kerberos realm is not in the Active Directory, you will have to configure WinSCP 4.1.x as described in Documentation -> Contents -> Configuration -> Login Dialog -> Attempt Kerberos 5 GSSAPI/SSPI Authentication. I am successfully using WinSCP 4.1.7 with Kerberos authentication in a non-AD Kerberos realm in the way described in the documentation.

Alf.
