EldoS | Feel safer!

Software components for data protection, secure storage and transfer

GSSAPI authentication for SSH remote command execution

#28393
Posted: 02/13/2014 05:55:50
by Venkat k (Basic support level)
Joined: 02/13/2014
Posts: 15

Hi,
Does this tool support GSSAPI authentication for SSH remote command execution? I am looking for a tool that helps me execute commands (having an interactive session) on a linux host from my windows .Net application. Currently I am using plink by launching it as a command process, but I want to avoid the indirect route and want to have a native .Net library.

My requirement is that it should not ask for any password, should support kerberos authentication and should support an interactive session.

From the download, I could not find any GSSAPI-supported samples.
Can someone provide me a code snippet to use GSSAPI?

Regards,
Venkat
#28394
Posted: 02/13/2014 06:02:40
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Our TElSimpleSSHClient supports GSSAPI. Please refer to the following topic for sample code: https://www.eldos.com/forum/read.php?FID=7&TID=2322
#28408
Posted: 02/14/2014 00:24:43
by Venkat k (Basic support level)
Joined: 02/13/2014
Posts: 15

Hi,
Thanks for the pointer.
I am still not able to connect using GSSAPI. Here is my code snippet:
-----------------
SBGSSWinAuth.TElGSSWinAuthMechanism Mech =
    new SBGSSWinAuth.TElGSSWinAuthMechanism();
Mech.AuthProtocols = SBSSHConstants.Unit.SSH1_AUTH_KERBEROS;
client.GSSMechanism = Mech;
client.AuthenticationTypes =
    client.AuthenticationTypes | SBSSHConstants.Unit.SSH_AUTH_TYPE_GSSAPI_KEYEX;
client.AuthenticationTypes = SBSSHConstants.Unit.SSH_AUTH_TYPE_GSSAPI_KEYEX;
client.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_GSS_GROUP_EXCHANGE, true);
client.set_KexAlgorithmPriorities(SBSSHConstants.Unit.SSH_KEX_GSS_GROUP_EXCHANGE, 1);
client.GSSDelegateCredentials = true;
client.Open();
-------------------

Here is the error I am getting:
-------------------------------
Server key received, fingerprint fdbbde76e9265ff2862bc82606c42f5c
SSH error 114
Connection failed due to exception: Connection lost (error code is 10058)
If you have ensured that all connection parameters are correct and you still can't connect,please contact EldoS support as described on http://www.eldos.com/sbb/support-tech.php
Remember to provide details about the error that happened.
Server software identified itself as : OpenSSH_5.3-84.1.el6-company.0
SSH connection closed
----------------------------
Please note that the GSSAPI authentication type SSH_AUTH_TYPE_GSSAPI_WITH_MIC is working though.

Am I missing something here?

Regards,
Venkat
#28410
Posted: 02/14/2014 03:27:30
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
Mech.AuthProtocols = SBSSHConstants.Unit.SSH1_AUTH_KERBEROS;

It is an incorrect constant.
You should set apKerberos and/or apNTLM values, for example:
Code
Mech.AuthProtocols = SBGSSWinAuth.Unit.apKerberos;

Also, you may need to handle the TElGSSWinAuthMechanism.OnError event to get the GSS-API major and minor status codes.
And, you may need to set Client.GSSHostName to the fully qualified domain name (FQDN).
#28411
Posted: 02/14/2014 06:02:30
by Venkat k (Basic support level)
Joined: 02/13/2014
Posts: 15

Hi,
Mech.AuthProtocols = SBGSSWinAuth.Unit.apKerberos;

Error I got is Authentication type(4) failed. SSH error 114

The above didn't work. However, removing the line completely worked.
Not sure what default protocol is used.

What is GSSHostName? Is it the linux host which I am trying to connect to through SSH?

Regards,
Venkat
#28412
Posted: 02/14/2014 06:43:34
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote
The above didn't work. However, removing the line completely worked.
Not sure what default protocol is used.

By default, both NTLM and Kerberos authentication protocols are switched on.
Quote
What is GSSHostName? Is it the linux host which I am trying to connect to through SSH?

The GSSHostName value for TElGSSWinAuthMechanism is transformed into a GSS service principal name (SPN) using a simple rule: if it is in the form "hostname.com" then the service name will be "host/hostname.com"; if it is in the form "service/host@REALM" then it is used as is.
#28413
Posted: 02/14/2014 07:10:32
by Venkat k (Basic support level)
Joined: 02/13/2014
Posts: 15

>>By default, both NTLM and Kerberos authentication protocols are switched on.

Interestingly neither setting apKerberos nor apNTLM worked, but removing the line worked. Not sure how safe it is.

Sorry, I am new to kerberos stuff. Still not clear what value to input for the GSSHostName.

Is it my windows machine name / linux host that I am connecting / kdc / realm?

Regards,
Venkat
#28416
Posted: 02/14/2014 09:48:03
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Interestingly neither setting apKerberos nor apNTLM worked, but removing the line worked. Not sure how safe it is.

That's quite strange. The client chooses the supported key exchange algorithms and then reports them back to the server. Possibly the server mistakenly requires that all algorithms are supported.
Could you please try this (so we can be sure that the problem is not in the property setter):
Code
Mech.AuthProtocols = SBGSSWinAuth.Unit.apKerberos | SBGSSWinAuth.Unit.apNTLM;

Quote
Sorry, I am new to kerberos stuff. Still not clear what value to input for the GSSHostName.
Is it my windows machine name / linux host that I am connecting / kdc / realm?

It is the target hostname. For example, you can connect to a server using its IP address, but for GSS authentication you may need to enter its hostname/service principal name.
#28423
Posted: 02/17/2014 00:29:53
by Venkat k (Basic support level)
Joined: 02/13/2014
Posts: 15

Hi,
apKerberos is working. The issue is that I had set the KexAlgorithms property wrongly to SSH_KEX_DH_GROUP_EXCHANGE (testing different values) and hence it threw an error.
After setting KexAlgorithms to SSH_KEX_GSS_GROUP_EXCHANGE, it is working fine now.
Sorry for the confusion.

As I am connecting to the host by its host name instead of its IP address, it is working even if I leave the GSSHostName property blank.

Here is the working code snippet.
************************************
client.ForceCompression = dlg.cbCompress.Checked;
SBGSSWinAuth.TElGSSWinAuthMechanism Mech = new SBGSSWinAuth.TElGSSWinAuthMechanism();

Mech.AuthProtocols = SBGSSWinAuth.Unit.apKerberos;
client.GSSMechanism = Mech;

try
{
    //client.AuthenticationTypes = SBSSHConstants.Unit.SSH_AUTH_TYPE_GSSAPI_WITH_MIC;

    client.AuthenticationTypes = SBSSHConstants.Unit.SSH_AUTH_TYPE_GSSAPI_KEYEX;
    client.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_GSS_GROUP_EXCHANGE, true);
    client.set_KexAlgorithmPriorities(SBSSHConstants.Unit.SSH_KEX_GSS_GROUP_EXCHANGE, 1);

    client.GSSDelegateCredentials = true;
    client.Open();
}
catch (Exception ex)
{
    // The posted snippet ended without a catch block; this one only reports the failure.
    Console.WriteLine("Connection failed: " + ex.Message);
}
************************************

Regards,
Venkat
#28427
Posted: 02/17/2014 04:07:05
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
apKerberos is working.

Great.
Quote
As I am trying to connect the host with the host name instead of IP address, it is working even if I leave the GSSHostName property blank.

In this case GSSHostName is taken from the Address property.

I suggest you add an OnError handler for the GSS-API mechanism, for example:
Code
client.GSSMechanism.OnError += new TSBGSSErrorEvent(GSSMechanism_OnError);

void GSSMechanism_OnError(object Sender, string Operation, uint MajorStatus, uint MinorStatus, string MajorErrorMsg, string MinorErrorMsg)
{
    Log("Operation " + Operation + " failed", true);
    Log("GSS-API MajorStatus=" + SBUtils.Unit.IntToHex((int)MajorStatus, 8) + ", " + MajorErrorMsg, true);
    Log("GSS-API MinorStatus=" + SBUtils.Unit.IntToHex((int)MinorStatus, 8) + ", " + MinorErrorMsg, true);
}
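The thread settles three configuration details that are easy to get wrong: the SPN rule for GSSHostName (post #28412), the fallback to the Address property when GSSHostName is blank (post #28427), and the need for a GSS key exchange algorithm when SSH_AUTH_TYPE_GSSAPI_KEYEX is selected (post #28423). The following preflight check is an added example written for this page; it is not EldoS or SecureBlackbox code and does not reference the library. It models those settings as plain values, with the constant names kept as strings, so the effective SPN and the kex/auth combination can be checked before calling client.Open(). The IP-literal check and the FQDN check are assumptions drawn from the advice in posts #28410 and #28416, not library behaviour, and the hostnames are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example, not SecureBlackbox code: a preflight check for the GSS-API
// SSH settings discussed in this thread.
public static class GssSshPreflight
{
    // Plain model of the client properties that matter here (names are ours).
    public sealed class Settings
    {
        public string Address = "";       // client.Address
        public string GssHostName = "";   // client.GSSHostName (blank = use Address)
        public bool UseGssapiKeyex;       // SSH_AUTH_TYPE_GSSAPI_KEYEX selected
        public bool UseGssapiWithMic;     // SSH_AUTH_TYPE_GSSAPI_WITH_MIC selected
        public HashSet<string> EnabledKex =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase); // enabled SSH_KEX_* names
    }

    // SPN rule from post #28412, plus the Address fallback from post #28427:
    //   "hostname.com"        -> "host/hostname.com"
    //   "service/host@REALM"  -> used as is
    public static string EffectiveSpn(string address, string gssHostName)
    {
        string name = string.IsNullOrWhiteSpace(gssHostName) ? address : gssHostName;
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("neither GSSHostName nor Address is set");
        name = name.Trim();
        return name.Contains("/") ? name : "host/" + name;
    }

    // Returns a list of problems; empty means the combination looks consistent.
    public static List<string> Check(Settings s)
    {
        var problems = new List<string>();
        string spn = EffectiveSpn(s.Address, s.GssHostName);

        // Extract the host part of "service/host@REALM" to inspect it.
        string hostPart = spn.Substring(spn.IndexOf('/') + 1);
        int at = hostPart.IndexOf('@');
        if (at >= 0) hostPart = hostPart.Substring(0, at);

        // Assumption (post #28416): connecting by IP yields an SPN like
        // "host/10.0.0.5", for which no Kerberos service ticket exists.
        if (IPAddress.TryParse(hostPart, out _))
            problems.Add("SPN '" + spn + "' names an IP literal; set GSSHostName to the server's FQDN");
        // Assumption (post #28410): the SPN host should be fully qualified.
        else if (hostPart.IndexOf('.') < 0)
            problems.Add("SPN '" + spn + "' is not fully qualified; use the FQDN");

        // Post #28423: gssapi-keyex needs the GSS group-exchange kex enabled;
        // SSH_KEX_DH_GROUP_EXCHANGE alone made the connection fail.
        if (s.UseGssapiKeyex && !s.EnabledKex.Contains("SSH_KEX_GSS_GROUP_EXCHANGE"))
            problems.Add("SSH_AUTH_TYPE_GSSAPI_KEYEX is selected but SSH_KEX_GSS_GROUP_EXCHANGE is not enabled");
        if (!s.UseGssapiKeyex && !s.UseGssapiWithMic)
            problems.Add("no GSSAPI authentication type is selected");
        return problems;
    }

    public static void Main()
    {
        // Constructed sample: IP-address connection with the wrong kex algorithm.
        var bad = new Settings { Address = "10.0.0.5", UseGssapiKeyex = true };
        bad.EnabledKex.Add("SSH_KEX_DH_GROUP_EXCHANGE");
        foreach (string p in Check(bad))
            Console.WriteLine("BAD:  " + p);

        // Constructed sample: FQDN connection with the working kex algorithm.
        var good = new Settings { Address = "linuxhost.example.com", UseGssapiKeyex = true };
        good.EnabledKex.Add("SSH_KEX_GSS_GROUP_EXCHANGE");
        Console.WriteLine("GOOD: SPN = " + EffectiveSpn(good.Address, good.GssHostName)
                          + ", problems = " + Check(good).Count);
    }
}
```

Running Check on the first sample reports two problems (an IP-literal SPN and the missing GSS kex algorithm); the second sample yields "host/linuxhost.example.com" with none. Because the real client reads the SPN from Address when GSSHostName is blank, the same function also answers the question of which principal name the KDC will be asked for when no GSSHostName is configured.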