Topic "Kerberos authentication not working with 4.1.0"

alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
I have one server that I have been connecting to successfully with Kerberos 5 authentication using WinSCP 4.0.7.

After installing 4.1.0(build 375) I am now being asked for a password every time I connect, despite having a valid ticket in the Network Identity Manager. I have checked that the "Attempt GSSAPI/SSPI" option has been checked for this stored session and that the correct "Service principal name" has been entered. Is there any other setting that needs to be altered in order to use Kerberos 5 authentication in 4.1.0?

OS: WinXP SP2
Interface: Explorer

Alf.
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
What if you enter nothing into the password prompt?
Can you also post a log file?
_________________
Martin Prikryl
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
What if you enter nothing into the password prompt?
Can you also post a log file?


Entering an empty password fails. Connection is only completed after entering the password. The log file follows below. Note that current credentials for alfp@unimelb.edu.au and alfp@athena.unimelb.edu.au were available in my Network Identity Manager, but it is the latter one that is required for the connection being attempted. Log output:

. 2008-04-23 16:30:43.093 --------------------------------------------------------------------------
. 2008-04-23 16:30:43.093 WinSCP Version 4.1.0 (Build 375) (OS 5.1.2600 Service Pack 2)
. 2008-04-23 16:30:43.093 Login time: Wednesday, 23 April 2008 4:30:43 PM
. 2008-04-23 16:30:43.093 --------------------------------------------------------------------------
. 2008-04-23 16:30:43.093 Session name: avon1
. 2008-04-23 16:30:43.093 Host name: avon1.its.unimelb.edu.au (Port: 22)
. 2008-04-23 16:30:43.093 User name: alfp (Password: No, Key file: No)
. 2008-04-23 16:30:43.093 Tunnel: No
. 2008-04-23 16:30:43.093 Transfer Protocol: SFTP
. 2008-04-23 16:30:43.093 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2008-04-23 16:30:43.093 Proxy: none
. 2008-04-23 16:30:43.093 SSH protocol version: 2; Compression: No
. 2008-04-23 16:30:43.093 Bypass authentication: No
. 2008-04-23 16:30:43.093 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2008-04-23 16:30:43.093 GSSAPI: Forwarding: Yes; Server realm: athena.unimelb.edu.au
. 2008-04-23 16:30:43.093 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2008-04-23 16:30:43.093 SSH Bugs: -,-,-,-,-,-,-,-
. 2008-04-23 16:30:43.093 SFTP Bugs: -,-
. 2008-04-23 16:30:43.093 Return code variable: Autodetect; Lookup user groups: Yes
. 2008-04-23 16:30:43.093 Shell: default, EOL: 0
. 2008-04-23 16:30:43.093 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2008-04-23 16:30:43.093 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2008-04-23 16:30:43.093 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2008-04-23 16:30:43.093 Cache directory changes: Yes, Permanent: Yes
. 2008-04-23 16:30:43.093 DST mode: 1
. 2008-04-23 16:30:43.093 --------------------------------------------------------------------------
. 2008-04-23 16:30:43.171 Looking up host "avon1.its.unimelb.edu.au"
. 2008-04-23 16:30:43.171 Connecting to 172.22.27.82 port 22
. 2008-04-23 16:30:43.187 Server version: SSH-1.99-OpenSSH_3.9p1
. 2008-04-23 16:30:43.187 We claim version: SSH-2.0-WinSCP_release_4.1
. 2008-04-23 16:30:43.203 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 16:30:43.203 Warning: no '/' found in SPN athena.unimelb.edu.au
. 2008-04-23 16:30:43.203 Constructed service principal name 'athena.unimelb.edu.au'
. 2008-04-23 16:30:43.203 GSSKEX disabled: The specified target is unknown or unreachable

. 2008-04-23 16:30:43.203 Using SSH protocol version 2
. 2008-04-23 16:30:43.203 Doing Diffie-Hellman group exchange
. 2008-04-23 16:30:43.250 Doing Diffie-Hellman key exchange with hash SHA-1
. 2008-04-23 16:30:43.437 Host key fingerprint is:
. 2008-04-23 16:30:43.437 ssh-rsa 1024 52:85:41:3c:eb:3f:13:58:d3:71:dc:e7:57:c0:3e:01
. 2008-04-23 16:30:43.437 Initialised AES-256 SDCTR client->server encryption
. 2008-04-23 16:30:43.437 Initialised HMAC-SHA1 client->server MAC algorithm
. 2008-04-23 16:30:43.437 Initialised AES-256 SDCTR server->client encryption
. 2008-04-23 16:30:43.437 Initialised HMAC-SHA1 server->client MAC algorithm
! 2008-04-23 16:30:43.484 Using username "alfp".
. 2008-04-23 16:30:43.546 SSPI: trying user_name='alfp' service=''
. 2008-04-23 16:30:43.546 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 16:30:43.546 Warning: no '/' found in SPN athena.unimelb.edu.au
. 2008-04-23 16:30:43.546 Constructed service principal name 'athena.unimelb.edu.au'
! 2008-04-23 16:30:43.546 Using GSSAPI service principal name "athena.unimelb.edu.au".
. 2008-04-23 16:30:43.593 InitializeSecurityContext: The specified target is unknown or unreachable

. 2008-04-23 16:30:43.593 GSSAPI authentication aborted
. 2008-04-23 16:30:43.593 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:30:47.484 Sent password
! 2008-04-23 16:30:47.484 Access denied
. 2008-04-23 16:30:47.484 Access denied
. 2008-04-23 16:30:47.484 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:15.218 Sent password
! 2008-04-23 16:31:15.218 Access denied
. 2008-04-23 16:31:15.218 Access denied
. 2008-04-23 16:31:15.218 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:25.437 Sent password
! 2008-04-23 16:31:27.984 Access denied
. 2008-04-23 16:31:27.984 Access denied
. 2008-04-23 16:31:27.984 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:45.843 Sent password
. 2008-04-23 16:31:46.078 Access granted
. 2008-04-23 16:31:47.015 Opened channel for session
. 2008-04-23 16:31:47.015 Started a shell/command
. 2008-04-23 16:31:47.015 --------------------------------------------------------------------------
. 2008-04-23 16:31:47.015 Using SFTP protocol.
. 2008-04-23 16:31:47.015 Doing startup conversation with host.
> 2008-04-23 16:31:47.015 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2008-04-23 16:31:47.765 Type: SSH_FXP_VERSION, Size: 5, Number: -1
. 2008-04-23 16:31:47.765 SFTP version 3 negotiated.
. 2008-04-23 16:31:47.765 We believe the server has signed timestamps bug
. 2008-04-23 16:31:47.765 We will use UTF-8 strings for status messages only
. 2008-04-23 16:31:47.765 Limiting packet size to OpenSSH sftp-server limit of 262148 bytes
. 2008-04-23 16:31:47.765 Getting current directory name.
. 2008-04-23 16:31:47.765 Getting real path for '.'
> 2008-04-23 16:31:47.765 Type: SSH_FXP_REALPATH, Size: 10, Number: 16
< 2008-04-23 16:31:47.765 Type: SSH_FXP_NAME, Size: 97, Number: 16
. 2008-04-23 16:31:47.765 Real path is '/afs/athena.unimelb.edu.au/user/a/alfp'
. 2008-04-23 16:31:47.765 Listing directory "/afs/athena.unimelb.edu.au/user/a/alfp".
> 2008-04-23 16:31:47.765 Type: SSH_FXP_OPENDIR, Size: 47, Number: 267
< 2008-04-23 16:31:47.765 Type: SSH_FXP_HANDLE, Size: 13, Number: 267
> 2008-04-23 16:31:47.765 Type: SSH_FXP_READDIR, Size: 13, Number: 524
< 2008-04-23 16:31:49.703 Type: SSH_FXP_NAME, Size: 6797, Number: 524
> 2008-04-23 16:31:49.703 Type: SSH_FXP_READDIR, Size: 13, Number: 780
. 2008-04-23 16:31:49.703 Reading symlink ".profile".
> 2008-04-23 16:31:49.703 Type: SSH_FXP_READLINK, Size: 56, Number: 1043
> 2008-04-23 16:31:49.703 Type: SSH_FXP_STAT, Size: 56, Number: 1297
< 2008-04-23 16:31:49.703 Type: SSH_FXP_STATUS, Size: 28, Number: 780
. 2008-04-23 16:31:49.703 Storing reserved response
< 2008-04-23 16:31:49.703 Type: SSH_FXP_NAME, Size: 57, Number: 1043
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 1297
. 2008-04-23 16:31:49.890 Reading symlink ".cvs_editor".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 59, Number: 1555
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 59, Number: 1809
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 63, Number: 1555
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 1809
. 2008-04-23 16:31:49.890 Reading symlink ".oracle_editor".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 62, Number: 2067
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 62, Number: 2321
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 69, Number: 2067
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 2321
. 2008-04-23 16:31:49.890 Reading symlink ".Xdefaults".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 58, Number: 2579
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 58, Number: 2833
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 61, Number: 2579
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 2833
. 2008-04-23 16:31:49.890 Reading symlink ".setup".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 54, Number: 3091
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 54, Number: 3345
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 53, Number: 3091
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 3345
. 2008-04-23 16:31:49.890 Reading symlink ".tcsh-bindings".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 62, Number: 3603
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 62, Number: 3857
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 69, Number: 3603
< 2008-04-23 16:31:49.890 Type: SSH_FXP_ATTRS, Size: 37, Number: 3857
. 2008-04-23 16:31:49.890 Reading symlink ".vilemenu".
> 2008-04-23 16:31:49.890 Type: SSH_FXP_READLINK, Size: 57, Number: 4115
> 2008-04-23 16:31:49.890 Type: SSH_FXP_STAT, Size: 57, Number: 4369
< 2008-04-23 16:31:49.890 Type: SSH_FXP_NAME, Size: 59, Number: 4115
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 4369
. 2008-04-23 16:31:49.906 Reading symlink ".vilerc".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 55, Number: 4627
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 55, Number: 4881
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 55, Number: 4627
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 4881
. 2008-04-23 16:31:49.906 Reading symlink ".xmenu.dat".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 58, Number: 5139
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 58, Number: 5393
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 61, Number: 5139
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 5393
. 2008-04-23 16:31:49.906 Reading symlink "manlist.sh".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 58, Number: 5651
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 58, Number: 5905
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 61, Number: 5651
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 5905
. 2008-04-23 16:31:49.906 Reading symlink "oracle".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 54, Number: 6163
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 54, Number: 6417
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 53, Number: 6163
< 2008-04-23 16:31:49.906 Type: SSH_FXP_ATTRS, Size: 37, Number: 6417
. 2008-04-23 16:31:49.906 Reading symlink "perl_scripts".
> 2008-04-23 16:31:49.906 Type: SSH_FXP_READLINK, Size: 60, Number: 6675
> 2008-04-23 16:31:49.906 Type: SSH_FXP_STAT, Size: 60, Number: 6929
< 2008-04-23 16:31:49.906 Type: SSH_FXP_NAME, Size: 65, Number: 6675
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 6929
. 2008-04-23 16:31:49.921 Reading symlink "sqlplus_setup_X".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 63, Number: 7187
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 63, Number: 7441
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 71, Number: 7187
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 7441
. 2008-04-23 16:31:49.921 Reading symlink "sqlplus_setup_non_X".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 67, Number: 7699
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 67, Number: 7953
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 79, Number: 7699
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 7953
. 2008-04-23 16:31:49.921 Reading symlink ".tcshrc".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 55, Number: 8211
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 55, Number: 8465
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 55, Number: 8211
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 8465
. 2008-04-23 16:31:49.921 Reading symlink ".login".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 54, Number: 8723
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 54, Number: 8977
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 53, Number: 8723
< 2008-04-23 16:31:49.921 Type: SSH_FXP_ATTRS, Size: 37, Number: 8977
. 2008-04-23 16:31:49.921 Reading symlink ".a2ps".
> 2008-04-23 16:31:49.921 Type: SSH_FXP_READLINK, Size: 53, Number: 9235
> 2008-04-23 16:31:49.921 Type: SSH_FXP_STAT, Size: 53, Number: 9489
< 2008-04-23 16:31:49.921 Type: SSH_FXP_NAME, Size: 51, Number: 9235
< 2008-04-23 16:31:49.937 Type: SSH_FXP_ATTRS, Size: 37, Number: 9489
< 2008-04-23 16:31:49.937 Status/error code: 1
> 2008-04-23 16:31:49.937 Type: SSH_FXP_CLOSE, Size: 13, Number: 9732
. 2008-04-23 16:31:49.937 Startup conversation with host finished.
. 2008-04-23 16:32:13.468 Closing connection.


Alf.
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
First, I know very little about Kerberos :-)
In 4.1 the implementation of Kerberos has changed, because the existing implementation does not exist for PuTTY 0.60.
Now WinSCP uses the Kerberos implementation from Quest PuTTY. According to their documentation, the Service Principal Name should be in the format: ftp/server.example.com@EXAMPLE.COM
Also see related entry in log file:
Quote:
Warning: no '/' found in SPN athena.unimelb.edu.au

Maybe this gives you some hint?
_________________
Martin Prikryl
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
First, I know very little about Kerberos :-)
In 4.1 the implementation of Kerberos has changed, because the existing implementation does not exist for PuTTY 0.60.
Now WinSCP uses the Kerberos implementation from Quest PuTTY. According to their documentation, the Service Principal Name should be in the format: ftp/server.example.com@EXAMPLE.COM
Also see related entry in log file:
Quote:
Warning: no '/' found in SPN athena.unimelb.edu.au

Maybe this gives you some hint?


Yes, I also noticed that in the log that I posted. After talking to one of our systems programmers, I have also tried setting the service principal name to host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU with essentially the same result. Leading part of log from this attempt is:


. 2008-04-23 17:11:18.546 --------------------------------------------------------------------------
. 2008-04-23 17:11:18.546 WinSCP Version 4.1.0 (Build 375) (OS 5.1.2600 Service Pack 2)
. 2008-04-23 17:11:18.546 Login time: Wednesday, 23 April 2008 5:11:18 PM
. 2008-04-23 17:11:18.546 --------------------------------------------------------------------------
. 2008-04-23 17:11:18.546 Session name: avon1
. 2008-04-23 17:11:18.546 Host name: avon1.its.unimelb.edu.au (Port: 22)
. 2008-04-23 17:11:18.546 User name: alfp (Password: No, Key file: No)
. 2008-04-23 17:11:18.546 Tunnel: No
. 2008-04-23 17:11:18.546 Transfer Protocol: SFTP
. 2008-04-23 17:11:18.546 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2008-04-23 17:11:18.546 Proxy: none
. 2008-04-23 17:11:18.546 SSH protocol version: 2; Compression: No
. 2008-04-23 17:11:18.546 Bypass authentication: No
. 2008-04-23 17:11:18.546 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2008-04-23 17:11:18.546 GSSAPI: Forwarding: Yes; Server realm: host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU
. 2008-04-23 17:11:18.546 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2008-04-23 17:11:18.546 SSH Bugs: -,-,-,-,-,-,-,-
. 2008-04-23 17:11:18.546 SFTP Bugs: -,-
. 2008-04-23 17:11:18.546 Return code variable: Autodetect; Lookup user groups: Yes
. 2008-04-23 17:11:18.546 Shell: default, EOL: 0
. 2008-04-23 17:11:18.546 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2008-04-23 17:11:18.546 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2008-04-23 17:11:18.546 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2008-04-23 17:11:18.546 Cache directory changes: Yes, Permanent: Yes
. 2008-04-23 17:11:18.546 DST mode: 1
. 2008-04-23 17:11:18.546 --------------------------------------------------------------------------
. 2008-04-23 17:11:18.625 Looking up host "avon1.its.unimelb.edu.au"
. 2008-04-23 17:11:18.640 Connecting to 172.22.27.82 port 22
. 2008-04-23 17:11:18.640 Server version: SSH-1.99-OpenSSH_3.9p1
. 2008-04-23 17:11:18.640 We claim version: SSH-2.0-WinSCP_release_4.1
. 2008-04-23 17:11:18.656 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:11:18.656 Constructed service principal name 'host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU'
. 2008-04-23 17:11:18.656 GSSKEX disabled: The specified target is unknown or unreachable

. 2008-04-23 17:11:18.656 Using SSH protocol version 2
. 2008-04-23 17:11:18.656 Doing Diffie-Hellman group exchange
. 2008-04-23 17:11:18.703 Doing Diffie-Hellman key exchange with hash SHA-1
. 2008-04-23 17:11:18.890 Host key fingerprint is:
. 2008-04-23 17:11:18.890 ssh-rsa 1024 52:85:41:3c:eb:3f:13:58:d3:71:dc:e7:57:c0:3e:01
. 2008-04-23 17:11:18.890 Initialised AES-256 SDCTR client->server encryption
. 2008-04-23 17:11:18.890 Initialised HMAC-SHA1 client->server MAC algorithm
. 2008-04-23 17:11:18.890 Initialised AES-256 SDCTR server->client encryption
. 2008-04-23 17:11:18.890 Initialised HMAC-SHA1 server->client MAC algorithm
! 2008-04-23 17:11:18.921 Using username "alfp".
. 2008-04-23 17:11:19.000 SSPI: trying user_name='alfp' service=''
. 2008-04-23 17:11:19.000 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:11:19.000 Constructed service principal name 'host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU'
! 2008-04-23 17:11:19.000 Using GSSAPI service principal name "host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU".
. 2008-04-23 17:11:19.031 InitializeSecurityContext: The specified target is unknown or unreachable

. 2008-04-23 17:11:19.031 GSSAPI authentication aborted
. 2008-04-23 17:11:19.031 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:11:27.906 Sent password
! 2008-04-23 17:11:27.906 Access denied
. 2008-04-23 17:11:27.906 Access denied
. 2008-04-23 17:11:27.906 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:11:46.140 Sent password
. 2008-04-23 17:11:46.484 Access granted
. 2008-04-23 17:11:47.093 Opened channel for session
. 2008-04-23 17:11:47.093 Started a shell/command
. 2008-04-23 17:11:47.093 --------------------------------------------------------------------------
. 2008-04-23 17:11:47.093 Using SFTP protocol.

I also tried with the service principal name left blank. The leading part of the log from this attempt is:


. 2008-04-23 17:24:01.515 --------------------------------------------------------------------------
. 2008-04-23 17:24:01.515 WinSCP Version 4.1.0 (Build 375) (OS 5.1.2600 Service Pack 2)
. 2008-04-23 17:24:01.515 Login time: Wednesday, 23 April 2008 5:24:01 PM
. 2008-04-23 17:24:01.515 --------------------------------------------------------------------------
. 2008-04-23 17:24:01.515 Session name: avon1
. 2008-04-23 17:24:01.515 Host name: avon1.its.unimelb.edu.au (Port: 22)
. 2008-04-23 17:24:01.515 User name: alfp (Password: No, Key file: No)
. 2008-04-23 17:24:01.515 Tunnel: No
. 2008-04-23 17:24:01.515 Transfer Protocol: SFTP
. 2008-04-23 17:24:01.515 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2008-04-23 17:24:01.515 Proxy: none
. 2008-04-23 17:24:01.515 SSH protocol version: 2; Compression: No
. 2008-04-23 17:24:01.515 Bypass authentication: No
. 2008-04-23 17:24:01.515 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2008-04-23 17:24:01.515 GSSAPI: Forwarding: Yes; Server realm:
. 2008-04-23 17:24:01.515 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2008-04-23 17:24:01.515 SSH Bugs: -,-,-,-,-,-,-,-
. 2008-04-23 17:24:01.515 SFTP Bugs: -,-
. 2008-04-23 17:24:01.515 Return code variable: Autodetect; Lookup user groups: Yes
. 2008-04-23 17:24:01.515 Shell: default, EOL: 0
. 2008-04-23 17:24:01.515 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2008-04-23 17:24:01.515 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2008-04-23 17:24:01.515 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2008-04-23 17:24:01.515 Cache directory changes: Yes, Permanent: Yes
. 2008-04-23 17:24:01.515 DST mode: 1
. 2008-04-23 17:24:01.515 --------------------------------------------------------------------------
. 2008-04-23 17:24:01.609 Looking up host "avon1.its.unimelb.edu.au"
. 2008-04-23 17:24:01.609 Connecting to 172.22.27.82 port 22
. 2008-04-23 17:24:01.671 Server version: SSH-1.99-OpenSSH_3.9p1
. 2008-04-23 17:24:01.671 We claim version: SSH-2.0-WinSCP_release_4.1
. 2008-04-23 17:24:01.687 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:24:01.687 Constructed service principal name 'host/avon1.its.unimelb.edu.au'
. 2008-04-23 17:24:01.687 GSSKEX disabled: The specified target is unknown or unreachable

. 2008-04-23 17:24:01.687 Using SSH protocol version 2
. 2008-04-23 17:24:01.687 Doing Diffie-Hellman group exchange
. 2008-04-23 17:24:01.734 Doing Diffie-Hellman key exchange with hash SHA-1
. 2008-04-23 17:24:01.921 Host key fingerprint is:
. 2008-04-23 17:24:01.921 ssh-rsa 1024 52:85:41:3c:eb:3f:13:58:d3:71:dc:e7:57:c0:3e:01
. 2008-04-23 17:24:01.921 Initialised AES-256 SDCTR client->server encryption
. 2008-04-23 17:24:01.921 Initialised HMAC-SHA1 client->server MAC algorithm
. 2008-04-23 17:24:01.921 Initialised AES-256 SDCTR server->client encryption
. 2008-04-23 17:24:01.921 Initialised HMAC-SHA1 server->client MAC algorithm
! 2008-04-23 17:24:01.968 Using username "alfp".
. 2008-04-23 17:24:02.046 SSPI: trying user_name='alfp' service=''
. 2008-04-23 17:24:02.046 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
. 2008-04-23 17:24:02.046 Constructed service principal name 'host/avon1.its.unimelb.edu.au'
! 2008-04-23 17:24:02.046 Using GSSAPI service principal name "host/avon1.its.unimelb.edu.au".
. 2008-04-23 17:24:02.093 InitializeSecurityContext: The specified target is unknown or unreachable

. 2008-04-23 17:24:02.093 GSSAPI authentication aborted
. 2008-04-23 17:24:02.093 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:24:04.203 Sent password
! 2008-04-23 17:24:04.203 Access denied
. 2008-04-23 17:24:04.203 Access denied
. 2008-04-23 17:24:04.203 Prompt (6, SSH password, , &Password: )
. 2008-04-23 17:24:11.109 Sent password
. 2008-04-23 17:24:11.406 Access granted
. 2008-04-23 17:24:12.187 Opened channel for session
. 2008-04-23 17:24:12.187 Started a shell/command
. 2008-04-23 17:24:12.203 --------------------------------------------------------------------------
. 2008-04-23 17:24:12.203 Using SFTP protocol.

Let me know if there is anything else you would like me to try.

Alf.
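The three logs above differ only in the constructed SPN, while the SSPI credential line is the same in each: alfp@UNIMELB.EDU.AU, the Windows logon realm, not the alfp@athena.unimelb.edu.au ticket held by Network Identity Manager. The script below is an added example, not WinSCP or Quest PuTTY code. It reproduces the SPN construction rules visible in the logs (a blank setting gives host/<hostname>, a value without a slash draws the "no '/' found" warning, anything else is passed through) and reads a WinSCP log to report the credential SSPI used, the target SPN, the InitializeSecurityContext status and whether the session fell back to password authentication. The realm comparison assumes ordinary Kerberos behaviour: a TGT for UNIMELB.EDU.AU can only yield a service ticket in ATHENA.UNIMELB.EDU.AU through a cross-realm trust, so a realm mismatch between credential and target is worth flagging. SAMPLE_LOG is an excerpt of the first log in this thread.

```python
"""Diagnose a WinSCP/PuTTY GSSAPI (SSPI) login attempt from its session log.

Added example for this thread, not WinSCP or Quest PuTTY code. It mirrors the
SPN construction the posted logs show (blank setting -> host/<hostname>, a value
without '/' -> warning, anything else used verbatim), then pulls the credential
SSPI found, the target SPN, the SSPI status and the password fallback out of
the log lines. SAMPLE_LOG is an excerpt of the first log posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# ". 2008-04-23 16:30:43.203 <message>" -> (kind, message); kind "!" marks user-visible lines
LOG_LINE = re.compile(r"^([.!<>]) \d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} (.*)$")
SPN_USED = re.compile(r'^Using GSSAPI service principal name "([^"]*)"')
CRED_ACQUIRED = "SSPI: acquired credentials for: "
ISC_FAILED = "InitializeSecurityContext: "


def build_spn(hostname: str, configured: str) -> tuple[str, list[str]]:
    """Predict the SPN the client will present, following the posted logs."""
    warnings: list[str] = []
    if not configured:
        return f"host/{hostname}", warnings
    if "/" not in configured:
        warnings.append(f"no '/' found in SPN {configured}")
    return configured, warnings


def parse_spn(spn: str) -> tuple[Optional[str], str, Optional[str]]:
    """Split service/host@REALM into (service, host, realm); absent parts are None."""
    name, _, realm = spn.partition("@")
    service, sep, host = name.partition("/")
    if not sep:                      # bare host name, no service component
        service, host = None, name
    return service, host, (realm or None)


@dataclass
class Diagnosis:
    credential: Optional[str] = None   # principal SSPI found in the Windows credential cache
    spn: Optional[str] = None          # target name handed to InitializeSecurityContext
    sspi_error: Optional[str] = None   # status text when the GSSAPI step failed
    password_prompts: int = 0
    access_denied: int = 0
    access_granted: bool = False
    findings: list[str] = field(default_factory=list)


def diagnose(log_lines: list[str]) -> Diagnosis:
    d = Diagnosis()
    for raw in log_lines:
        m = LOG_LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue
        kind, msg = m.groups()
        if msg.startswith(CRED_ACQUIRED):
            d.credential = msg[len(CRED_ACQUIRED):]
        elif (spn := SPN_USED.match(msg)):
            d.spn = spn.group(1)
        elif msg.startswith(ISC_FAILED):
            d.sspi_error = msg[len(ISC_FAILED):]
        elif msg.startswith("Prompt (") and "SSH password" in msg:
            d.password_prompts += 1
        elif kind == "!" and msg == "Access denied":   # the "." copy of the same event is skipped
            d.access_denied += 1
        elif msg == "Access granted":
            d.access_granted = True

    if d.sspi_error:
        d.findings.append(f"GSSAPI step failed before any token was sent: {d.sspi_error}")
    if d.credential and d.spn:
        cred_realm = d.credential.rpartition("@")[2].upper()
        service, _host, realm = parse_spn(d.spn)
        if service is None:
            d.findings.append(f"SPN '{d.spn}' has no service/ part; expected service/host@REALM")
        if realm is None:
            d.findings.append(f"SPN '{d.spn}' names no realm; SSPI has to work it out itself, "
                              f"starting from the logon realm {cred_realm}")
        elif realm.upper() != cred_realm:
            d.findings.append(f"credential realm {cred_realm} differs from SPN realm {realm.upper()}; "
                              f"a service ticket needs a cross-realm trust from {cred_realm}")
    if d.sspi_error and d.access_granted:
        d.findings.append(f"fell back to password authentication "
                          f"({d.password_prompts} prompts, {d.access_denied} rejected)")
    return d


# Excerpt of the first log posted in this thread, trimmed to the authentication exchange.
SAMPLE_LOG = """\
. 2008-04-23 16:30:43.546 SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
! 2008-04-23 16:30:43.546 Using GSSAPI service principal name "athena.unimelb.edu.au".
. 2008-04-23 16:30:43.593 InitializeSecurityContext: The specified target is unknown or unreachable
. 2008-04-23 16:30:43.593 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:30:47.484 Sent password
! 2008-04-23 16:30:47.484 Access denied
. 2008-04-23 16:30:47.484 Access denied
. 2008-04-23 16:30:47.484 Prompt (6, SSH password, , &Password: )
. 2008-04-23 16:31:45.843 Sent password
. 2008-04-23 16:31:46.078 Access granted
""".splitlines()

if __name__ == "__main__":
    print(build_spn("avon1.its.unimelb.edu.au", ""))       # the blank-setting case from the third log
    for finding in diagnose(SAMPLE_LOG).findings:
        print("-", finding)
```

Run it against a full WinSCP log (File > Log in the session settings) by replacing SAMPLE_LOG with the file's lines; the first finding tells you whether the GSSAPI step failed locally in SSPI, before anything reached the server, which is the case in all three logs above.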
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
First, I know very little about Kerberos :-)
In 4.1 the implementation of Kerberos has changed, because the existing implementation does not exist for PuTTY 0.60.
Now WinSCP uses the Kerberos implementation from Quest PuTTY. According to their documentation, the Service Principal Name should be in the format: ftp/server.example.com@EXAMPLE.COM
Also see related entry in log file:
Quote:
Warning: no '/' found in SPN athena.unimelb.edu.au

Maybe this gives you some hint?


The advice I had been given about the format of the Service Principal Name suggested that I use something of the form host/server.example.com@EXAMPLE.COM which you will see from my last reply did not work. I have now tried using values for the SPN prefixed with both ftp and sftp instead of host, but both of these get the same GSSAPI authentication error as the previous attempts.

I don't know if this will shed any further light on this problem, but thought I should pass on this additional information.

Please let me know if there is anything else that I could try.

Alf.
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
Can you try to login with Quest PuTTY itself?
_________________
Martin Prikryl
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
Can you try to login with Quest PuTTY itself?


Quest PuTTY also fails to use the Kerberos credentials stored in the Network Identity Manager. However, PuTTY-0.58-GSSAPI uses the stored credentials and connects quite happily without prompting for a password. The leading portion of the log file for Quest PuTTY has this information:


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.05.06 14:07:21 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH raw data mode) to file: C:\Documents and Settings\alfp\Desktop\PuTTy_logs\putty_06_140721_avon1.its.unimelb.edu.au.log
Event Log: Looking up host "avon1.its.unimelb.edu.au"
Event Log: Connecting to 172.22.27.82 port 22
Incoming raw data
00000000 53 53 48 2d 31 2e 39 39 2d 4f 70 65 6e 53 53 48 SSH-1.99-OpenSSH
00000010 5f 33 2e 39 70 31 0a _3.9p1.
Event Log: Server version: SSH-1.99-OpenSSH_3.9p1
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.60_q1.129
Outgoing raw data
00000000 53 53 48 2d 32 2e 30 2d 50 75 54 54 59 5f 52 65 SSH-2.0-PuTTY_Re
00000010 6c 65 61 73 65 5f 30 2e 36 30 5f 71 31 2e 31 32 lease_0.60_q1.12
00000020 39 0d 0a 9..
Event Log: SSPI: acquired credentials for: alfp@UNIMELB.EDU.AU
Event Log: Constructed service principal name 'host/avon1.its.unimelb.edu.au@ATHENA.UNIMELB.EDU.AU'
Event Log: GSSKEX disabled: The specified target is unknown or unreachable

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)

while the PuTTY-0.58-GSSAPI log has:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.05.06 10:10:16 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH packets mode) to file: C:\Documents and Settings\alfp\Desktop\PuTTy_logs\putty_06_101016_avon1.its.unimelb.edu.au.log
Event Log: Looking up host "avon1.its.unimelb.edu.au"
Event Log: Connecting to 172.22.27.82 port 22
Event Log: Server version: SSH-1.99-OpenSSH_3.9p1
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.58_GSSAPI
Event Log: Using SSH protocol version 2
Incoming packet type 20 / 0x14 (SSH2_MSG_KEXINIT)

Does this provide any further clues to the problem?

Alf.
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
Sorry, I really do not know how to help you :-( Maybe you can ask at Quest PuTTY forum. If you receive any help there, please let us know.
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
Sorry, I really do not know how to help you :-( Maybe you can ask at Quest PuTTY forum. If you receive any help there, please let us know.


I have now had a response on the Quest PuTTY forum that answers this problem. Quest PuTTY does not use the MIT Kerberos for Windows credentials. Instead, it uses credentials held in a Microsoft Credentials Cache. To get Kerberos authentication working in our environment I had to do the following:

1. Run the Windows Support Tools program ksetup multiple times:

ksetup /AddKdc <Realm Name> <Primary KDC name>
ksetup /AddKdc <Realm Name> <Secondary KDC name>
ksetup /AddKdc <Realm Name> <Tertiary KDC name>
ksetup /SetRealmFlags <Realm Name> Delegate

This identified our Kerberos realm and its Key Distribution Centres, and ensured that credentials could be forwarded.

2. The program (either Quest PuTTY or WinSCP 4.1.x) can then be run using "runas":

runas /netonly /user:<username>@<Realm Name> <program>

which prompts for the Kerberos password in a Command window to establish credentials, then starts the program. Additional sessions can be established against these credentials using the "Sessions -> New Session" or "Sessions -> Stored Sessions" navigation. However, a completely new instance of the program will not re-use these credentials - each "runas" command will prompt for the Kerberos password again.

Alternatively, the Kerberos username and password can be saved through the User Accounts control panel. If this is done, the program can be called directly rather than through "runas". This option is obviously more convenient, but might be considered to be a security risk.

Irrespective of which of these ways WinSCP 4.1.x is connected to a Kerberos-enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials - the Kerberos password will have to be entered again. Is this expected behaviour?

Alf.
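As an added example (not WinSCP, Quest PuTTY or Windows code, and not the exact commands from the post above), the script below turns that procedure into something checkable: it builds the ksetup and runas argument vectors, decodes the RealmFlags value, and on Windows reads back the mapping ksetup wrote so the KDC list and the Delegate flag can be verified before the first connection attempt. It assumes that ksetup stores realm mappings under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<REALM> as KdcNames (REG_MULTI_SZ) and RealmFlags (REG_DWORD, with Delegate as bit 0x4), and that writing there needs an elevated prompt. The realm is the one from the logs in this thread; the KDC host names and the WinSCP path are hypothetical placeholders. The script prints the commands rather than running them.

```python
r"""Plan and verify the ksetup/runas setup for a Kerberos realm outside Active Directory.

Added example for this thread; not WinSCP, Quest PuTTY or Windows code.
Assumptions: ksetup records realm mappings under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<REALM> as
KdcNames (REG_MULTI_SZ) and RealmFlags (REG_DWORD, Delegate = 0x4).
KDC names and the WinSCP path in __main__ are hypothetical placeholders.
"""
from __future__ import annotations

import subprocess
import sys
from typing import Optional

DOMAINS_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains"
# RealmFlags bit values as listed for "ksetup /setrealmflags" (assumption, see docstring).
REALM_FLAG_BITS = {0x1: "SendAddress", 0x2: "TcpSupported", 0x4: "Delegate",
                   0x8: "NcSupported", 0x80: "RC4"}


def ksetup_commands(realm: str, kdcs: list[str],
                    flags: tuple[str, ...] = ("Delegate",)) -> list[list[str]]:
    """Argument vectors for the realm registration steps: one /AddKdc per KDC, then the flags."""
    realm = realm.upper()          # realm names are case-sensitive; Kerberos convention is upper case
    cmds = [["ksetup", "/AddKdc", realm, kdc] for kdc in kdcs]
    cmds.append(["ksetup", "/SetRealmFlags", realm, *flags])
    return cmds


def runas_command(user: str, realm: str, program: str) -> list[str]:
    """runas /netonly: the program gets realm credentials for network use only."""
    return ["runas", "/netonly", f"/user:{user}@{realm.upper()}", program]


def decode_realm_flags(value: int) -> list[str]:
    """Names of the RealmFlags bits that are set, lowest bit first."""
    return [name for bit, name in sorted(REALM_FLAG_BITS.items()) if value & bit]


def check_realm_config(kdc_names: list[str], realm_flags: int, expected_kdcs: list[str]) -> list[str]:
    """Compare a stored mapping with what the procedure should have produced."""
    problems: list[str] = []
    present = {n.lower() for n in kdc_names}
    missing = [k for k in expected_kdcs if k.lower() not in present]
    if missing:
        problems.append("KDCs not registered: " + ", ".join(missing))
    if "Delegate" not in decode_realm_flags(realm_flags):
        problems.append("RealmFlags lacks Delegate; ticket forwarding (GSSAPI: Forwarding: Yes) cannot work")
    return problems


def read_realm_config(realm: str) -> Optional[tuple[list[str], int]]:
    """Read KdcNames and RealmFlags for a realm from the registry (Windows only)."""
    import winreg  # imported here so the pure checks above run on any platform
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DOMAINS_KEY + "\\" + realm.upper()) as key:
            kdc_names, _ = winreg.QueryValueEx(key, "KdcNames")
            flags, _ = winreg.QueryValueEx(key, "RealmFlags")
            return list(kdc_names), int(flags)
    except OSError:
        return None


if __name__ == "__main__":
    realm = "ATHENA.UNIMELB.EDU.AU"                            # realm from the logs in this thread
    kdcs = ["kdc1.example.invalid", "kdc2.example.invalid"]    # hypothetical KDC names
    for cmd in ksetup_commands(realm, kdcs):
        print("would run:", subprocess.list2cmdline(cmd))
    if sys.platform == "win32":
        stored = read_realm_config(realm)
        problems = ["realm mapping not found"] if stored is None else check_realm_config(*stored, kdcs)
        print("problems:", problems or "none")
    launch = runas_command("alfp", realm, r"C:\Program Files\WinSCP\WinSCP.exe")  # hypothetical path
    print("launch:", subprocess.list2cmdline(launch))
```

The runas /netonly route keeps the realm password out of persistent storage; the User Accounts alternative in the post trades that for convenience, which is the security risk the post refers to.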
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
Thanks for sharing above information!

alfp wrote:
Irrespective of which of these ways WinSCP 4.1.x is connected to a Kerberos-enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials - the Kerberos password will have to be entered again. Is this expected behaviour?

Do you have Quest PuTTY configured in WinSCP?
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
prikryl wrote:
Thanks for sharing above information!

alfp wrote:
Irrespective of which of these ways WinSCP 4.1.x is connected to a Kerberos-enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials - the Kerberos password will have to be entered again. Is this expected behaviour?

Do you have Quest PuTTY configured in WinSCP?


BTW, supposing you understand the topic more than I do, would you update Kerberos-related documentation a bit?
_________________
Martin Prikryl
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
Thanks for sharing above information!

alfp wrote:
Irrespective of which of these ways WinSCP 4.1.x is connected to a Kerberos-enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials - the Kerberos password will have to be entered again. Is this expected behaviour?

Do you have Quest PuTTY configured in WinSCP?


This was the problem. Quest PuTTY installs into C:\Program Files\Quest PuTTy\PuTTy\PuTTy.exe by default. Changing the preference setting (the existence of which I was unaware) to point to the Quest PuTTY fixes this.

Alf.
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
prikryl wrote:
Thanks for sharing above information!

alfp wrote:
Irrespective of which of these ways WinSCP 4.1.x is connected to a Kerberos-enabled host, selecting the "Open session in PuTTY" option (Ctrl-P) does not inherit the credentials - the Kerberos password will have to be entered again. Is this expected behaviour?

Do you have Quest PuTTY configured in WinSCP?


BTW, supposing you understand the topic more than I do, would you update Kerberos-related documentation a bit?


I have added to the notes for the Kerberos authentication check box and the Service Principal Name field that describe our situation where the Kerberos realm is not in the AD. I don't know if this is also true for cases where the Kerberos realm is in the AD. Anyway, hopefully my additions are helpful.

Alf.
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
alfp wrote:
I have added to the notes for the Kerberos authentication check box and the Service Principal Name field that describe our situation where the Kerberos realm is not in the AD. I don't know if this is also true for cases where the Kerberos realm is in the AD. Anyway, hopefully my additions are helpful.

Thanks, I appreciate it. I have just reformatted your text to follow the other doc style. BTW, AD stands for "Active Directory", I suppose?
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
prikryl wrote:
alfp wrote:
I have added to the notes for the Kerberos authentication check box and the Service Principal Name field that describe our situation where the Kerberos realm is not in the AD. I don't know if this is also true for cases where the Kerberos realm is in the AD. Anyway, hopefully my additions are helpful.

Thanks, I appreciate it. I have just reformatted your text to follow the other doc style. BTW, AD stands for "Active Directory", I suppose?


Yes, AD is Active Directory.

Alf.
jp10558

Guest


So I'm really confused. I'm on Windows in an NT4 domain. With WinSCP 3.x, it basically just worked with MIT Kerberos for Windows 3.2.2. Now with the latest 4.1.7 version, it doesn't seem to work at all. No matter what instructions I try and follow, it doesn't ever pop up or use the Network Identity Manager tickets, and instead asks me for a password again...

Do I have to downgrade WinSCP to have it function?
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
jp10558 wrote:
Do I have to downgrade WinSCP to have it function?

It is at least worth trying.
_________________
Martin Prikryl
alfp

Joined: 2008-02-14
Posts: 13
Location: The University of Melbourne
jp10558 wrote:
So I'm really confused. I'm on Windows in an NT4 domain. With WinSCP 3.x, it basically just worked with MIT Kerberos for Windows 3.2.2. Now with the latest 4.1.7 version, it doesn't seem to work at all. No matter what instructions I try and follow, it doesn't ever pop up or use the Network Identity Manager tickets, and instead asks me for a password again...

Do I have to downgrade WinSCP to have it function?


The problem is with the underlying PuTTY that is used. WinSCP 4.0.x and earlier uses PuTTY-0.58-GSSAPI, which as you have seen interfaces with the MIT Kerberos for Windows. From version 4.1 of WinSCP, the PuTTY that is used is Quest-PuTTY-0.60-q1-129, which does not interface with MIT Kerberos for Windows. Instead, this version of PuTTY uses Windows' own internal Kerberos authentication. Even if you have MIT Kerberos for Windows running with a valid ticket cached, this newer PuTTY will not use it. If your Kerberos realm is not in the Active Directory, you will have to configure WinSCP 4.1.x as described in Documentation -> Contents -> Configuration -> Login Dialog -> Attempt Kerberos 5 GSSAPI/SSPI Authentication. I am successfully using WinSCP 4.1.7 with Kerberos authentication in a non-AD Kerberos realm in the way described in the documentation.

Alf.