OpenSSH and Kerberos

July 25, 2011


[Personal note to self:]

I’m assuming LDAP and Kerberos are completely set up, configured and working: you get your TGT after a kinit, etc. Now you want to use Kerberos for password-less login over ssh.

I have a client machine; from this machine you want to log in to the server. The server is

On the client, the command hostname -f should return the FQDN of your host; in my case:

$ hostname -f

We are using the FQDN in the Kerberos configuration, so they should match. On the server, it should also return the FQDN:

$ hostname -f

Configuring Kerberos and OpenSSH

On aka the client, add a host principal and export the key:

# kadmin
kadmin: addprinc -randkey host/
kadmin: ktadd -k /tmp/foton.keytab host/
kadmin: exit

Now you should have the file /tmp/foton.keytab. This must be imported into the server’s keytab file. In essence, this file contains the password (set with -randkey) for the host

Next copy the file to the server:

# scp /tmp/foton.keytab

On the server, you need to import the keytab file and then destroy it. A keytab file should be handled like a plain-text password. Merging the keytab from with the existing keytab is done as follows (maybe this can be done more efficiently):

# ktutil
ktutil: read_kt /etc/krb5.keytab
ktutil: read_kt /tmp/foton.keytab
ktutil: write_kt /etc/krb5.keytab1
ktutil: quit
# mv /etc/krb5.keytab1 /etc/krb5.keytab
# rm /tmp/foton.keytab

In /etc/ssh/sshd_config you need the settings:

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On Ubuntu, installing openssh-server and Kerberos should be enough to have the basics.
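As an added check (my own example, not code from the original post), the following POSIX shell functions read an sshd_config the way sshd does, where the first occurrence of a keyword wins, report which of the five options above are not effectively "yes", and verify that a keytab has no group/other permission bits, since it is a password equivalent. The function names and the sample config written by write_sample_config are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: check that an sshd_config
# really enables the Kerberos/GSSAPI options listed above and that a keytab
# is not group/world readable. sshd honours the FIRST occurrence of a keyword,
# so a later "GSSAPIAuthentication yes" does not undo an earlier "no".

# Print the effective value of a keyword (case-insensitive, first match wins).
sshd_option() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
        tolower($1) == key  { print tolower($2); exit }
    ' "$1"
}

# Exit 0 when all five options are effectively "yes"; otherwise list the bad ones.
check_sshd_kerberos() {  # $1 = config file
    rc=0
    for opt in KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup \
               GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(sshd_option "$1" "$opt")
        if [ "$val" != "yes" ]; then
            echo "$opt: effective value '${val:-unset}', expected 'yes'"
            rc=1
        fi
    done
    return $rc
}

# Exit 0 when the keytab exists and no group/other permission bits are set;
# it is a password equivalent, as the post says, so it belongs at mode 0600.
check_keytab_perms() {  # $1 = keytab path
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    bits=$(ls -ld "$1" | cut -c5-10)           # group+other part of "-rw-------"
    [ "$bits" = "------" ] || { echo "$1: group/other access ($bits)"; return 1; }
}

# Constructed sample config for the demo: GSSAPIAuthentication "no" comes first
# (so the later "yes" is ignored) and GSSAPICleanupCredentials is only a comment.
write_sample_config() {  # $1 = destination path
    cat > "$1" <<'EOF'
# Kerberos options
KerberosAuthentication yes
kerberosorlocalpasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
EOF
}
```

On a real host, source the file and run check_sshd_kerberos /etc/ssh/sshd_config and check_keytab_perms /etc/krb5.keytab as root.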

And that … should be it. I’m testing this setup on another client to see whether it really works and whether I have covered everything.