Kerberizing sshd


Recent openssh has GSSAPI support build in. GSSAPI is a library that makes authentication with kerberos 5 easy. So first we have to enable GSSAPI in the sshd server and the ssh client. Go and edit on all machines the files
/etc/ssh/sshd_config
...
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
...

The Kerberos* options are for Kerberos 4 which we don't want to use. Do not enable GSSAPIEnableMITMAttack if you don't know waht this means.

In the file /etc/ssh/ssh_config edit:

...
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
...

Next we have to create service principals for both hosts. Log in to yout kerboeros admin server and add principals for both (hostnames for ssh communication are here dopey and grumpy):
# kadmin.local
Authenticating as principal root/admin@REDFLO.DE with password.

kadmin.local: addprinc -randkey host/dopey.redflo.de@REDFLO.DE
WARNING: no policy specified for host/dopey.redflo.de@REDFLO.DE; defaulting to no policy
Principal "host/dopey.redflo.de@REDFLO.DE" created.

kadmin.local: addprinc -randkey host/grumpy.redflo.de@REDFLO.DE
WARNING: no policy specified for host/grumpy.redflo.de@REDFLO.DE; defaulting to no policy
Principal "host/grumpy.redflo.de@REDFLO.DE" created.

Now we export the principals in ketab files. If the export is done on the target host then we don't need a -k:

kadmin.local: ktadd host/dopey.redflo.de@REDFLO.DE
Entry for principal host/dopey.redflo.de@REDFLO.DE with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dopey.redflo.de@REDFLO.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

If the export is done on the kerberos server, then specify another filename and copy it over to the destination host:
kadmin.local: ktadd -k /etc/krb5.keytab.grumpy host/grumpy.redflo.de@REDFLO.DE
Entry for principal host/grumpy.redflo.de@REDFLO.DE with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.grumpy.
Entry for principal host/grumpy.redflo.de@REDFLO.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.grumpy.

kadmin.local: quit

# scp /etc/krb5.keytab.grumpy grumpy:/etc/krb5.keytab

Now you should be able to login from dopey to grumpy or vice versa if you have a valid ticket (check with klist, init with kinit) without typing a password. Unfortunately the user has to exist on both machines. We will overcome this limit with LDAP later.

Troublehooting

If you have trouble try to login with "ssh -v" to see what ssh does. You can also enable logging in your kerberos server to see if ssh(d) asks your kerberos. Another possibility is to run the sshd server in debug mode from the command line. At the target host stop your ssh server and then invoke:

/usr/sbin/sshd -ddddD

one problem i encountered here was:

debug1: Unspecified GSS failure. Minor code may provide more information
No principal in keytab matches desired name

The error was, that the hostname was not properly configured in the /etc/hosts file. Always add a FQDN there too!