Noting that MobaXterm supports GSSAPI  https://www.mobatek.net/
In the Settings/SSH you have a choice of SSH Library :
Native Windows     MIT Kerberos     Custom Library

On Fri, 31 May 2019 at 17:25, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On pe, 31 touko 2019, Sumit Bose via FreeIPA-users wrote:
>On Fri, May 31, 2019 at 11:42:43AM -0300, Juan Pablo via FreeIPA-users wrote:
>> Hi, first of all: GSSAPI is not imported on openssh for windows
>> unfortunately. So you need to mandatory use putty to have GSSAPI kerberos
>> passwordless from windows to linux domain.
>
>Thanks, good to know. Is there a reference for this or do you know from
>your own experiments?
There is an experimental build with GSSAPI/SSPI support:
https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi


>> second, from which system on the windows side are you trying to login? can
>> you see if it works from the Active Directory server itself, please? IIRC,
>> you will have to allow the host/pc to delegate kerberos credentials (on
>> windows side). AD domain servers have kerberos ticket delegation enabled by
>> default, regular pc/hosts dont. maybe this is the case...
>
>You are right that delegation is not enabled by default but for just
>logging in this is not needed. For the login the client requests a
>service ticket and only this service ticket is send to the server for
>authentication. With delegation the Kerberos TGT (the ticket you get
>with kinit) is forwarded to the server as well so that it can be used on
>the remote host to authenticate against other services as well.
>
>bye,
>Sumit
>
>>
>> regards,
>> JP
>>
>> El lun., 27 may. 2019 a las 4:30, Sumit Bose via FreeIPA-users (<
>> freeipa-users@lists.fedorahosted.org>) escribió:
>>
>> > On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>> > > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>> > > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users
>> > wrote:
>> > > >> On 23/05/2019 14:56, Rob Crittenden wrote:
>> > > >>> lejeczek via FreeIPA-users wrote:
>> > > >>>> hi guys,
>> > > >>>>
>> > > >>>> reading official guide one may assume - I do - that "Using SSH
>> > Without
>> > > >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
>> > valid?
>> > > >>>>
>> > > >>>> For me this does not work - ssh still asks for passwords.
>> > > >>>>
>> > > >>>> If this is due to some failure/problem, then where to look and how
>> > to
>> > > >>>> troubleshoot?
>> > > >>> It's hard to know what you're doing, ssh from where to where, using
>> > what?
>> > > >>>
>> > > >>> rob
>> > > >> I made an assumption - which I see now was invalid - that some experts
>> > > >> may know mentioned guide by heart and if I quoted something then the
>> > > >> rest will be obvious - wrong, sorry.
>> > > >>
>> > > >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>> > > >> Directory Machines for IdM Resources" which is about Kerberos I
>> > understand.
>> > > >>
>> > > >> My hope was to have AD's clients be able to ssh(and maybe get to other
>> > > >> things like Samba) without password and with Kerberos.
>> > > >>
>> > > >> I see IPA's users can do that between IPA's servers
>> > > >>
>> > > >> ...
>> > > >>
>> > > >> debug1: PAM: initializing for "tester1"
>> > > >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>> > > >> debug1: PAM: setting PAM_TTY to "ssh"
>> > > >> debug1: userauth-request for user tester1 service ssh-connection
>> > method
>> > > >> gssapi-with-mic [preauth]
>> > > >> debug1: attempt 1 failures 0 [preauth]
>> > > >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> > > >> [preauth]
>> > > >> debug1: Got no client credentials
>> > > >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>> > > >> /home/tester1/.k5login
>> > > >> Authorized to tester1, krb5 principal tester1@private
>> > > >> (ssh_gssapi_krb5_cmdok)
>> > > >> debug1: do_pam_account: called
>> > > >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> > > >> ...
>> > > >>
>> > > >> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>> > > >> user then I do not see above in the logs and such ssh(Win10 own
>> > feature)
>> > > >> is asked for password.
>> > > >>
>> > > >> To sum up: AD's users off/from Win AD win-stations to IPA's
>> > > >> members/clients with Kerberos if possible. (trust is already
>> > established
>> > > >> and running)
>> > > > Hi,
>> > > >
>> > > > having a trust is the first requirement. Second is a ssh client on the
>> > > > Windows side which can do GSSAPI authentication (recent version of
>> > putty
>> > > > can) and has GSSAPI authentication enabled (iirc this is not the
>> > default
>> > > > for putty, so you have to switch it on manually). Next is that you have
>> > > > to use the fully-qualified DNS name of the IPA client you want to login
>> > > > to. If all this is set and authentication still falls back to ask for a
>> > > > password plase check with the klist command on the Windows client in
>> > > > command.exe or the Powershell if you already got a service ticket for
>> > > > the IPA client. If this is missing please check if there is a
>> > > > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
>> > > > by the IPA realm, an '@' sign and the AD realm. If this is missing as
>> > > > well the issue is on the AD side and the client either does not try
>> > > > GSSAPI at all or it does not get a cross-realm ticket from the local
>> > DC.
>> > > >
>> > > > HTH
>> > > >
>> > > > bye,
>> > > > Sumit
>> > >
>> > > I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
>> > > (a member of win2016 AD domain).
>> > >
>> > > >klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
>> > > there I see a mention of IPA domain.
>> > >
>> > > That is after a one-way trust was established from IPA's side,
>> > > successfully. DNS seems to work, users seem to work.
>> > >
>> > > My setup IPA is subdomain of AD.
>> > >
>> > > Win10Pro is 1903 with openssh-client installed as/from optional feature.
>> > > I think it does support gssapi.
>> >
>> > I haven't tried this ssh client so far. But typically
>> > GSSAPIAuthentication is not enalbed by default for openssh clients. Have
>> > you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you seen
>> > something GSSAPI related in the debug output?
>> >
>> > >
>> > > After a trust is established - do we need to create groups & mappings
>> > > for AD users for ssh/samba to work? Guide docs I saw I understand then
>> > > these are only required when one needs HBAC, correct?
>> >
>> > Yes.
>> >
>> > >
>> > > How to start troubleshooting?
>> > >
>> > > many thanks, L.
>> > >
>> > > >> many thanks, L.
>> > > >>
>> > > >>
>> > > >>
>> > > >> pub   rsa2048 2019-01-17 [SC] [verfällt: 2020-01-17]
>> > > >>       93059F241EEEE1D0769A85F455918ABF21224EBA
>> > > >> uid           lejeczek <peljasz@yahoo.co.uk>
>> > > >> sub   rsa2048 2019-01-17 [E] [verfällt: 2020-01-17]
>> > > >> _______________________________________________
>> > > >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> > > >> To unsubscribe send an email to
>> > freeipa-users-leave@lists.fedorahosted.org
>> > > >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> > > >> List Guidelines:
>> > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > >> List Archives:
>> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> > > > _______________________________________________
>> > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> > > > To unsubscribe send an email to
>> > freeipa-users-leave@lists.fedorahosted.org
>> > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> > > > List Guidelines:
>> > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > List Archives:
>> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> > >
>> > >
>> >
>> > > pub   rsa2048 2019-01-17 [SC] [verfällt: 2020-01-17]
>> > >       93059F241EEEE1D0769A85F455918ABF21224EBA
>> > > uid           lejeczek <peljasz@yahoo.co.uk>
>> > > sub   rsa2048 2019-01-17 [E] [verfällt: 2020-01-17]
>> >
>> > > _______________________________________________
>> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> > > To unsubscribe send an email to
>> > freeipa-users-leave@lists.fedorahosted.org
>> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > List Archives:
>> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> > _______________________________________________
>> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives:
>> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> >
>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org