
I have a Windows client machine connected to Active Directory and a Linux server also connected to Active Directory (through PAM w/ LDAP), and I want to be able to do password-less SSH from Windows to Linux. SSH works fine as long as I provide the password for the AD account.

I found the following article which sort of gave me an idea of how it can be done, but I can't get it to work: http://www.moelinux.net/wordpress/?p=95

What I've tried is the following (based on the above article):

  1. (on the client) Export my AD certificate into a .PFX file
  2. Convert the .PFX to an id_rsa file using the following command: `openssl pkcs12 -in somefile.pfx -out id_rsa`
  3. Strip id_rsa of the password using the following command: `openssl rsa -in id_rsa -out id_rsa`
  4. Generate the public key using the following command: `ssh-keygen -y -f id_rsa > id_rsa.pub`
  5. (on the server) The same routine as above, so I have identical `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub` on client and server.

As you might guess, this doesn't work. I still have to input my password. Where might I have gone wrong?

(What I am really trying to accomplish is setting up a way of connecting from Windows to Linux with an AD account, as seamlessly as possible. This seems like the best way to do it, but if there are other ways, I'm open to ideas :-))

1 Answer


You are confusing X.509 certificates with RSA keys. They are totally different implementations of PKI. Since both your client and SSH server are domain members, though, I'd say forget the keys and use Kerberos/GSSAPI. In /etc/ssh/sshd_config on the server, you should find a directive, GSSAPIAuthentication, uncomment it and change the value to yes. Restart the SSH daemon after saving the change.

For the client, you need the latest PuTTY (0.61) or OpenSSH. PuTTY has GSSAPI enabled by default, so just enter the hostname of the SSH server (IP address will not work) and hit connect.

AdmiralNemo
  • Ah, I see. So there's no "conversion" between X.509 and RSA keys. – Christian Palmstierna Dec 06 '11 at 08:42
  • Well, now when I SSH using an AD account, it tries to authenticate using GSSAPI and it seems to hit the Domain Controller, but gets rejected. SSHD outputs "Postponed gssapi-with-mic", and the client is asked for a password. Any ideas on how to debug this? :( – Christian Palmstierna Dec 06 '11 at 14:31
  • Check the PuTTY event log (click the window icon and click Event Log). You could also increase the `LogLevel` directive in `sshd_config` – AdmiralNemo Dec 06 '11 at 14:47
  • Finally got it working. It was PuTTY that just didn't use the certificate. Installed Quest PuTTY instead and it worked like a charm :) – Christian Palmstierna Dec 06 '11 at 16:17
  • Have you used PuTTY 0.61? As far as I know this version fully implements GSSAPI. Maybe you have to reorder the libraries in the GSSAPI configuration in PuTTY. – Manuel Faux Jan 08 '12 at 10:58
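The server-side step in the answer (find `GSSAPIAuthentication` in `sshd_config`, uncomment it, set it to `yes`) is easy to get subtly wrong because sshd honours the first uncommented occurrence of a keyword, so a stray `GSSAPIAuthentication no` earlier in the file silently wins. The script below is an added example, not code from the original post or from OpenSSH: it reports the effective value of a directive with the same first-match rule, and rewrites the first line that sets `GSSAPIAuthentication` (commented out or not) to `yes`, appending the directive if the file never mentions it. It takes a file path so it can be run on a copy first; the demo at the bottom uses a constructed config fragment in a temp file.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): check and enable
# the GSSAPIAuthentication directive in an sshd_config file, the server-side
# step the answer describes. Takes a file path so it can be run on a copy
# first; the demo at the bottom works on a constructed sample in a temp file.

# Print the effective value of a global directive. sshd uses the FIRST
# uncommented occurrence of a keyword, so stop at the first hit; fall back to
# the supplied default when the keyword is absent or only appears commented out.
effective_setting() {
    file="$1"; directive="$2"; default="$3"
    value=$(awk -v d="$directive" 'tolower($1) == tolower(d) { print $2; exit }' "$file")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$default"
    fi
}

# Turn GSSAPIAuthentication on: rewrite the first line that sets it (commented
# out or not), or append the directive if the file never mentions it.
# Because sshd honours the first match, this also overrides a later
# "GSSAPIAuthentication no". Rewrites via a temp file (no GNU "sed -i" needed).
enable_gssapi() {
    file="$1"
    tmp="${file}.tmp.$$"
    awk '
        BEGIN { done = 0 }
        !done && tolower($0) ~ /^[ \t]*#?[ \t]*gssapiauthentication[ \t]/ {
            print "GSSAPIAuthentication yes"; done = 1; next
        }
        { print }
        END { if (!done) print "GSSAPIAuthentication yes" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed sshd_config fragment (sample content, not a real server).
demo_cfg=$(mktemp)
printf '#GSSAPIAuthentication no\nPasswordAuthentication yes\n' > "$demo_cfg"
echo "before: $(effective_setting "$demo_cfg" GSSAPIAuthentication no)"
enable_gssapi "$demo_cfg"
echo "after:  $(effective_setting "$demo_cfg" GSSAPIAuthentication no)"
rm -f "$demo_cfg"
```

The script only handles the global section: a `GSSAPIAuthentication` line inside a `Match` block applies to that block alone and is left untouched. After editing, `sshd -T | grep -i gssapi` prints the configuration sshd will actually use, which is the quickest way to confirm the change before restarting the daemon. Two things the answer's "IP address will not work" hint depends on: sshd must hold a key for its `host/<fqdn>` principal in its keytab, and the client must connect by that same hostname so the ticket it requests matches that principal. When the client still falls back to a password, the `Postponed gssapi-with-mic` line mentioned in the comments is the point to start from, with `LogLevel` raised on the server and the PuTTY event log open on the client.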