Using OpenSSH with Kerberos
Some initial setup is required to use OpenSSH with Kerberos.
The following steps provide information on the initial setup that is required in order to use OpenSSH with Kerberos:
- On your OpenSSH clients and servers, the /etc/krb5.conf file must exist. This file tells Kerberos which KDC to use, how
  long a lifetime to give each ticket, and so on. The following is an example krb5.conf file:

  [libdefaults]
          ticket_lifetime = 600
          default_realm = OPENSSH.AUSTIN.XYZ.COM
          default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
          default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

  [realms]
          OPENSSH.AUSTIN.XYZ.COM = {
                  kdc = kerberos.austin.xyz.com:88
                  kdc = kerberos-1.austin.xyz.com:88
                  kdc = kerberos-2.austin.xyz.com:88
                  admin_server = kerberos.austin.xyz.com:749
                  default_domain = austin.xyz.com
          }

  [domain_realm]
          .austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
          kdc.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM

  Realm names are case-sensitive, so the realm under [realms] must be spelled exactly as default_realm (the original example mixed OPENSSH.AUSTIN.xyz.COM and OPENSSH.AUSTIN.XYZ.COM, which does not match). The des-cbc-crc encryption type is single DES, which is obsolete and disabled by default in current Kerberos implementations; keep only des3-hmac-sha1 (or a stronger type your KDC supports) unless a legacy KDC requires DES.
- Also, you must add the following Kerberos services to each client
  machine's /etc/services file:

  kerberos        88/udp    kdc    # Kerberos V5 KDC
  kerberos        88/tcp    kdc    # Kerberos V5 KDC
  kerberos-adm    749/tcp          # Kerberos 5 admin/changepw
  kerberos-adm    749/udp          # Kerberos 5 admin/changepw
  krb5_prop       754/tcp          # Kerberos slave propagation
- If your KDC is using LDAP as the registry to store user information,
  read LDAP authentication load module and the Kerberos publications. Furthermore, make sure the
  following conditions hold:
  - The KDC is running the LDAP client. You can start the LDAP client daemon with the secldapclntd command.
  - The LDAP server is running the slapd LDAP server daemon.
- On the OpenSSH server, edit the /etc/ssh/sshd_config file to contain the lines:

  KerberosAuthentication yes
  KerberosTicketCleanup yes
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  UseDNS yes

  KerberosAuthentication yes makes sshd validate a typed password against the KDC; GSSAPIAuthentication yes is what allows a client that already holds a TGT to log in without typing a password, which is the behavior the final step of this procedure tests. For GSSAPI authentication the server must also hold the key for its host/servername@REALM service principal in its keytab.
  If UseDNS is set to yes, the ssh server does a reverse host lookup to find the name of the connecting client. This is necessary when host-based authentication is used or when you want last login information to display host names rather than IP addresses.
  Note: Some ssh sessions stall when performing reverse name lookups because the DNS servers are unreachable. If this happens, you can skip the DNS lookups by setting UseDNS to no. If UseDNS is not explicitly set in the /etc/ssh/sshd_config file, the default value is UseDNS yes. (OpenSSH 6.8 and later changed that default to no, so set the directive explicitly rather than relying on the default.)
- On the SSH server, run the startsrc -g ssh command to start the ssh server daemon. If sshd is already running, stop it first with stopsrc -g ssh so that the edited configuration is read.
- On the SSH client machine, run the kinit command to gain initial credentials (a TGT). You can verify that you received a TGT by running the klist command, which shows all credentials belonging to you; the TGT appears as krbtgt/REALM@REALM.
- Connect to the server by running the ssh username@servername command.
- If Kerberos is properly configured to authenticate the user, a prompt for a password will not display, and the user will be automatically logged into the SSH server. To confirm that the ticket, and not some other method, was used, run ssh -v username@servername and look for "Authentication succeeded (gssapi-with-mic)" in the debug output.
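The following script is an added example, not part of the original page, that pre-checks the pieces of the procedure above before you try a login: it verifies that sshd_config carries the four Kerberos/GSSAPI directives, that the Kerberos ports are in /etc/services, that klist shows a TGT for the realm, and it attempts a ticket-only login that cannot silently fall back to a password prompt. The realm, user and host names, and the sample files it constructs at the end, are assumptions; on a real system point the functions at /etc/ssh/sshd_config and /etc/services.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for
# OpenSSH + Kerberos. Paths, realm and host names are assumptions.

# check_sshd_config FILE
# Print each required directive that is missing or not set to "yes".
# Returns 0 only when all four are present and enabled. Comment lines are
# ignored; directives inside Match blocks are not treated specially.
check_sshd_config() {
    file=$1
    rc=0
    for directive in KerberosAuthentication KerberosTicketCleanup \
                     GSSAPIAuthentication GSSAPICleanupCredentials; do
        # sshd keywords are case-insensitive; the last occurrence wins.
        value=$(awk -v d="$directive" '
            $1 !~ /^#/ && tolower($1) == tolower(d) { v = $2 }
            END { print v }' "$file")
        if [ "$value" != "yes" ]; then
            echo "$directive: expected yes, got ${value:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# check_services FILE
# Verify that every Kerberos port from the procedure is listed.
check_services() {
    file=$1
    rc=0
    for entry in "kerberos 88/udp" "kerberos 88/tcp" \
                 "kerberos-adm 749/tcp" "kerberos-adm 749/udp" \
                 "krb5_prop 754/tcp"; do
        name=${entry% *}
        port=${entry#* }
        if ! awk -v n="$name" -v p="$port" \
                '$1 == n && $2 == p { found = 1 } END { exit found ? 0 : 1 }' \
                "$file"; then
            echo "missing from $file: $entry"
            rc=1
        fi
    done
    return $rc
}

# have_tgt REALM
# Return 0 if the credential cache holds a TGT for REALM (needs kinit first).
have_tgt() {
    realm=$1
    klist 2>/dev/null | grep -q "krbtgt/$realm@$realm"
}

# gssapi_login_check USER HOST
# Attempt a login that may only use the Kerberos ticket. BatchMode refuses
# any password prompt, so success proves GSSAPI worked rather than a
# quiet fall-back to password authentication.
gssapi_login_check() {
    ssh -o BatchMode=yes -o PreferredAuthentications=gssapi-with-mic \
        "$1@$2" true
}

# Demonstration on constructed files, so the checks run without a KDC.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.weak" <<'EOF'
# Kerberos enabled, but GSSAPI left commented out: ticket logins will fail
KerberosAuthentication yes
#GSSAPIAuthentication yes
EOF
cat > "$demo_dir/sshd_config.good" <<'EOF'
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes
EOF
echo "weak config:"
check_sshd_config "$demo_dir/sshd_config.weak" || echo "  -> fix before testing logins"
echo "good config:"
check_sshd_config "$demo_dir/sshd_config.good" && echo "  -> OK"
rm -rf "$demo_dir"
```

On a live system run check_sshd_config /etc/ssh/sshd_config and check_services /etc/services on the server, then kinit, have_tgt OPENSSH.AUSTIN.XYZ.COM and gssapi_login_check username servername from the client; a non-zero exit from the last call with "Permission denied (gssapi-with-mic...)" points at the server side (keytab or sshd_config), whereas a failure of have_tgt points at krb5.conf or the KDC.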