OpenSSH and Kerberos
[Personal note to self:]
I’m assuming LDAP and Kerberos are completely set up, configured and working: you get your TGT after a kinit, etc.
Now you want to use Kerberos for password-less login with ssh.
I have a client machine foton.atoom.net; from this machine you want to log in to the server.
The server is elektron.atoom.net.
On the client, the command hostname -f should return the fqdn of your host, in my case:
$ hostname -f
foton.atoom.net
We are using the fqdn in the Kerberos configuration, so they should match. On the server, it should also return the fqdn:
$ hostname -f
elektron.atoom.net
Configuring Kerberos and OpenSSH
On foton.atoom.net, aka the client, add a host principal and export the key:
# kadmin
kadmin: addprinc -randkey host/foton.atoom.net
kadmin: ktadd -k /tmp/foton.keytab host/foton.atoom.net
kadmin: exit
#
Now you should have the file /tmp/foton.keytab. This must be imported into the
server’s keytab file. In essence this file contains the password (set with -randkey)
for the host foton.atoom.net.
Next copy the file to the server:
# scp /tmp/foton.keytab miekg@elektron.atoom.net:/tmp
On the server elektron.atoom.net, you need to import the key file and then
destroy it. A keytab file should be handled like a plain-text password.
Merging the keytab from foton.atoom.net with the existing keytab is
done as follows (maybe this can be done more efficiently):
# ktutil
ktutil: read_kt /etc/krb5.keytab
ktutil: read_kt /tmp/foton.keytab
ktutil: write_kt /etc/krb5.keytab1
ktutil: quit
# mv /etc/krb5.keytab1 /etc/krb5.keytab
# rm /tmp/foton.keytab
In /etc/ssh/sshd_config you need the settings:
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
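A small check I find useful for this step (added here as an example; it is not part of the original note and not an OpenSSH tool): sshd uses the first value it sees for each keyword, so a "GSSAPIAuthentication no" left in the distribution defaults higher up in the file silently wins over the "yes" added below it. The script below reads a sshd_config file with that first-match rule and reports which of the five options above are effectively enabled. The file name and the constructed sample config are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original note. Checks that sshd_config
# effectively enables the Kerberos/GSSAPI options listed above.
# sshd honours the FIRST occurrence of each keyword (later lines do not
# override it) and matches keywords case-insensitively; both rules are
# reproduced here.
# Usage: effective_value FILE KEYWORD ; check_sshd_config FILE

effective_value() {
    # Print the first value set for keyword $2 in file $1 (empty if unset).
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                        # skip comment lines
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

check_sshd_config() {
    file="$1"
    status=0
    for kw in KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup \
              GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(effective_value "$file" "$kw")
        if [ "$val" = "yes" ]; then
            echo "ok       $kw=yes"
        else
            echo "MISSING  $kw (effective value: '${val:-unset}')"
            status=1
        fi
    done
    return $status
}

# Constructed sample config: it looks right at a glance, but
# GSSAPIAuthentication was already set to "no" earlier in the file,
# so the later "yes" is ignored by sshd.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Defaults shipped by the distribution
GSSAPIAuthentication no
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF

check_sshd_config "$SAMPLE" || echo "sshd_config needs attention before restarting sshd"
rm -f "$SAMPLE"
```

Run it against the real file with check_sshd_config /etc/ssh/sshd_config after editing; on a live host, sshd -T prints the effective configuration and is the authoritative answer, this script is just a quick way to catch the duplicate-keyword trap without restarting the daemon.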
On Ubuntu, installing openssh-server and Kerberos should be enough to have the basics.
And that … should be it. I’m testing this setup on another client to see if it really works and I have covered everything.