This article is about integrating OpenSSH in a kerberos environment. Allthough OpenSSH can provide passwordless logins (through Public/Private keys), it is not a true SSO set-up. This article makes use of Kerberos TGT service to implement a true SSO configuration for OpenSSH.
First off, you’ll need to make sure that the OpenSSH server’s Kerberos configuration (in
/etc/krb5.conf) is correct and works, and that the server’s keytab (typically
/etc/krb5.keytab) contains an entry for
host/[email protected] (case-sensitive). I won’t go into details on how this is done again; instead, I’ll refer you to any one of the recent Kerberos-related articles (like this one, this one, or even this one). Just be sure that you can issue a
kinit -k host/[email protected] and get back a Kerberos ticket without having specify a password. (This tells you that the keytab is working as expected.)
Configuring the SSH Server
Configure `/etc/ssh/sshd_config with the following:
KerberosAuthentication yes KerberosTicketCleanup yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes UseDNS yes UsePAM no
UseDNS is set to
Yes, the ssh server does a reverse host lookup to find the name of the connecting client. This is necessary when host-based authentication is used or when you want last login information to display host names rather than IP addresses. Note: Some ssh sessions stall when performing reverse name lookups because the DNS servers are unreachable. If this happens, you can skip the DNS lookups by setting
UseDNS is not explicitly set in the
/etc/ssh/sshd_config file, the default value is
Configuring the SSH Client
/etc/ssh/ssh_config, and change the file accordingly. For example, we want to enable Kerberos mechanism for all Hosts:
Host * .... GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
or to enable to specific domains:
Host *.example.com GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
This limits GSSAPI authentication to only those hosts in the
example.com domain. Modify the domain to be the appropriate domain for your network.
Testing the Configuration
Obtain a valid Kerberos ticket
kinit username from the command line. Once you have a ticket, you should be able to simply
ssh fqdn.of.server and you will get logged in, without getting prompted for a password. If you get prompted for a password, go back and double-check your keytab, your SSH daemon configuration, and the time configuration on your OpenSSH server. Because Kerberos requires time synchronization, differences of greater than 5 minutes will cause the authentication to fail.