Recent openssh has GSSAPI support build in. GSSAPI is a library that makes authentication with kerberos 5 easy. So first we have to enable GSSAPI in the sshd server and the ssh client. Go and edit on all machines the files
The Kerberos* options are for Kerberos 4 which we don't want to use. Do not enable GSSAPIEnableMITMAttack if you don't know waht this means.
In the file /etc/ssh/ssh_config edit:
Next we have to create service principals for both hosts. Log in to yout kerboeros admin server and add principals for both (hostnames for ssh communication are here dopey and grumpy):
Authenticating as principal root/admin@REDFLO.DE with password.
kadmin.local: addprinc -randkey host/dopey.redflo.de@REDFLO.DE
WARNING: no policy specified for host/dopey.redflo.de@REDFLO.DE; defaulting to no policy
Principal "host/dopey.redflo.de@REDFLO.DE" created.
kadmin.local: addprinc -randkey host/grumpy.redflo.de@REDFLO.DE
WARNING: no policy specified for host/grumpy.redflo.de@REDFLO.DE; defaulting to no policy
Principal "host/grumpy.redflo.de@REDFLO.DE" created.
Now we export the principals in ketab files. If the export is done on the target host then we don't need a -k:
kadmin.local: ktadd host/dopey.redflo.de@REDFLO.DE
Entry for principal host/dopey.redflo.de@REDFLO.DE with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dopey.redflo.de@REDFLO.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
If the export is done on the kerberos server, then specify another filename and copy it over to the destination host:
kadmin.local: ktadd -k /etc/krb5.keytab.grumpy host/grumpy.redflo.de@REDFLO.DE
Entry for principal host/grumpy.redflo.de@REDFLO.DE with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.grumpy.
Entry for principal host/grumpy.redflo.de@REDFLO.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.grumpy.
# scp /etc/krb5.keytab.grumpy grumpy:/etc/krb5.keytab
Now you should be able to login from dopey to grumpy or vice versa if you have a valid ticket (check with klist, init with kinit) without typing a password. Unfortunately the user has to exist on both machines. We will overcome this limit with LDAP later.
If you have trouble try to login with "ssh -v" to see what ssh does. You can also enable logging in your kerberos server to see if ssh(d) asks your kerberos. Another possibility is to run the sshd server in debug mode from the command line. At the target host stop your ssh server and then invoke:
one problem i encountered here was:
debug1: Unspecified GSS failure. Minor code may provide more information
No principal in keytab matches desired name
The error was, that the hostname was not properly configured in the /etc/hosts file. Always add a FQDN there too!