OpenSSH and Kerberos

July 25, 2011

linux

[Personal note to self:]

I’m assuming LDAP and Kerberos are completely set up, configured and working: you get your TGT after a kinit, and so on. Now you want to use Kerberos for password-less login over ssh.

I have a client machine, foton.atoom.net; from this machine you want to log in to the server, elektron.atoom.net.

On the client, the command hostname -f should return the fqdn of your host, in my case:

$ hostname -f
foton.atoom.net

We are using the fqdn in the Kerberos configuration, so they should match. On the server, it should also return the fqdn:

$ hostname -f
elektron.atoom.net

Configuring Kerberos and OpenSSH

On foton.atoom.net, aka the client, add a host principal and export the key:

# kadmin
kadmin: addprinc -randkey host/foton.atoom.net
kadmin: ktadd -k /tmp/foton.keytab host/foton.atoom.net
kadmin: exit
#

Now you should have the file /tmp/foton.keytab. This must be imported into the server’s keytab file. In essence this file contains the password (set with -randkey) for the host foton.atoom.net.

Next copy the file to the server:

# scp /tmp/foton.keytab miekg@elektron.atoom.net:/tmp

On the server elektron.atoom.net, you need to import the key file and then destroy it. A keytab file should be handled like a plain-text password. Merging the keytab from foton.atoom.net with the existing keytab is done as follows (maybe this can be done more efficiently):

# ktutil
ktutil: read_kt /etc/krb5.keytab
ktutil: read_kt /tmp/foton.keytab
ktutil: write_kt /etc/krb5.keytab1
ktutil: quit
# mv /etc/krb5.keytab1 /etc/krb5.keytab
# rm /tmp/foton.keytab

In /etc/ssh/sshd_config you need the settings:

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On Ubuntu, installing openssh-server and Kerberos should be enough to have the basics.
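A few sanity checks for the pieces above, as an added example that is not part of the original note: it confirms sshd_config carries the required settings (sshd honours the first uncommented occurrence of a keyword), that the merged keytab lists the expected host principal, and that the keytab is kept as private as a password. It assumes MIT Kerberos' klist and GNU stat; the function and file names are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos (klist -k
# output format) and GNU coreutils stat, as on the Ubuntu box in the note.

# require_setting FILE KEYWORD VALUE
# sshd uses the first uncommented occurrence of a keyword, so that is the one
# compared (case-insensitively). Returns 0 on a match, 1 otherwise.
require_setting() {
    awk -v k="$2" -v v="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) {
            found = 1; ok = (tolower($2) == tolower(v)); exit
        }
        END { exit (found && ok) ? 0 : 1 }
    ' "$1"
}

# check_sshd_config FILE
# Verifies every Kerberos/GSSAPI option from the note is set to yes.
check_sshd_config() {
    for s in KerberosAuthentication KerberosTicketCleanup \
             GSSAPIAuthentication GSSAPICleanupCredentials; do
        require_setting "$1" "$s" yes || {
            echo "sshd_config: $s is missing or not 'yes'" >&2; return 1; }
    done
}

# keytab_lists_principal KLIST_OUTPUT PRINCIPAL
# Takes the text of `klist -k KEYTAB` so it can be checked offline. Entry lines
# start with a numeric KVNO; the principal is the second field, with @REALM.
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && ($2 == p || index($2, p "@") == 1) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_is_private FILE
# The keytab holds the host's long-term key: it must be root-owned, mode 0600.
keytab_is_private() {
    [ "$(stat -c '%u %a' "$1")" = "0 600" ]
}

# Usage on the server from the note:
#   check_sshd_config /etc/ssh/sshd_config
#   keytab_lists_principal "$(klist -k /etc/krb5.keytab)" host/foton.atoom.net
#   keytab_is_private /etc/krb5.keytab
```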

And that … should be it. I’m testing this setup on another client to see if it really works and I have covered everything.
