Closed zzbuzzard closed 5 months ago
@zzbuzzard, have you tried this using the latest release?
Hi, sorry I didn't do this initially - I found it difficult to find instructions for updating. Have managed it now though, and unfortunately have the same issue.
```
PS C:\Users\Z> ssh -V
OpenSSH_for_Windows_9.4p1, LibreSSL 3.7.3
PS C:\Users\Z> ssh -K [user]@[domain]
[user]@[domain]: Permission denied (publickey,gssapi-with-mic).
PS C:\Users\Z> plink -ssh [user]@[domain]
Using username "[user]".
Access granted. Press Return to begin session.
```
Windows 10 does not come with a `kinit` command or anything equivalent (sadly)! You, therefore, appear to use the `kinit` command of some independent Kerberos implementation (e.g. MIT Kerberos for Windows), i.e., something other than Microsoft's built-in SSPI, and OpenSSH for Windows wouldn't know anything about how to use its tickets.
To obtain a Kerberos ticket on Windows 10 for its built-in SSPI implementation, there are mainly three routes:
`cmdkey.exe` command to do the same from the command line
Note that `cmdkey` is not the same as `kinit`: `kinit` uses the password entered very briefly to decrypt the ticket-granting-ticket it receives, and then immediately forgets the password, whereas `cmdkey` saves the password, such that SSPI can use it later to obtain a ticket-granting-ticket whenever one is needed. That's quite different, security-wise.
PuTTY, on the other hand, can talk to either SSPI or MIT Kerberos for Windows, so unlike OpenSSH for Windows, it can also be used with MIT's `kinit` command.
Note that while Windows does not have a `kinit` command, it does have a `klist` command. However, you appear to be using a non-Microsoft `klist` command, presumably because it appears earlier in your PATH?
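A way to check the two points raised in the reply above, which `klist`/`kinit` binary PATH resolves to and what the built-in SSPI ticket cache holds, as an added example that is not part of the original thread. The function names are hypothetical, and the `Cached Tickets: (N)` pattern assumes an English-language Windows install.

```powershell
# Added diagnostic sketch (not from the thread). Function names are hypothetical.
# Assumes an English-language Windows install, where the built-in klist
# prints a "Cached Tickets: (N)" line.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-KerberosToolOrigin {
    param([string[]]$Name = @('klist', 'kinit'))
    foreach ($n in $Name) {
        # -All lists every match on PATH in resolution order; the first one wins.
        $hits = @(Get-Command -Name $n -CommandType Application -All -ErrorAction SilentlyContinue)
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Tool = $n; Order = 0; Path = '(not on PATH)'; BuiltIn = $false }
            continue
        }
        $i = 0
        foreach ($h in $hits) {
            $i++
            $dir = Split-Path -Parent $h.Source
            # BuiltIn is true only for the Microsoft binary under System32.
            [pscustomobject]@{ Tool = $n; Order = $i; Path = $h.Source; BuiltIn = ($dir -ieq $system32) }
        }
    }
}

function Get-SspiTicketCount {
    # Call the Microsoft klist by full path so that a third-party klist
    # earlier on PATH cannot shadow it.
    $klist = Join-Path $system32 'klist.exe'
    if (-not (Test-Path $klist)) { return $null }
    $out = & $klist 2>&1 | Out-String
    if ($out -match 'Cached Tickets:\s*\((\d+)\)') { return [int]$Matches[1] }
    return $null   # output not in the expected format
}

Get-KerberosToolOrigin | Format-Table -AutoSize

$count = Get-SspiTicketCount
if ($null -eq $count) {
    'Could not read the SSPI ticket cache with the built-in klist.'
} elseif ($count -eq 0) {
    'SSPI cache is currently empty; tickets shown by a third-party klist live in a different cache that OpenSSH for Windows does not read.'
} else {
    "SSPI cache holds $count ticket(s)."
}
```

A row with `Order` 1 and `BuiltIn` false for `klist` means the `klist` output being read comes from a non-Microsoft implementation.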
Thank you v helpful!
Prerequisites
Steps to reproduce
I am able to SSH in to a server `[user]@[domain]` which uses Kerberos using both PuTTY and WSL on my Windows 10 machine. However, mysteriously, using the exact same procedure I am unable to log in using OpenSSH.
This appears to run successfully. I then run `ssh -K`, and fail to authenticate.
Running these same commands in WSL on this machine succeeds, so I do have access to this domain. Furthermore, I am able to log in via PuTTY using `plink` and MIT Kerberos (though if I understand correctly, I cannot use MIT Kerberos with OpenSSH).
`klist` output after `kinit`:
I've been totally stuck on this for many hours now and would appreciate any help. Thank you!
Full output using -v
```
PS C:\Users\Z> ssh -K -v [user]@[domain]
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\Z/.ssh/config
debug1: Connecting to [domain] [128.232.69.28] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\Z/.ssh/id_rsa type 0
debug1: identity file C:\\Users\\Z/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\Z/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\Z/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\Z/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\Z/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\Z/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\Z/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\Z/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\Z/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to [domain]:22 as '[user]'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
```
Expected behavior
Actual behavior
Error details
No response
Environment data
Version
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
Visuals
No response