Friday, 17 June 2011

Use Kerberos to authenticate OpenSSH - RHEL6

In order to achieve this you'll need two machines. They can be VMs or actual physical boxes. Ideally, you want to set up Kerberos in conjunction with an LDAP Directory, Windows Active Directory will do just that and I plan on investigating how to get single sign-on working with a Windows AD domain, but in actual fact, you don't need an LDAP directory, you can just as easily use local users, but I'm getting ahead of myself.

In order to make my life easier, I have created a new zone in my DNS server, called, and I have added both the kdc server and the client to this zone. I then edited the /etc/resolv.conf file to point to my DNS server. This is actually not needed and you can use the /etc/hosts file instead, just make sure that you have entries for both the kdcserver and the client on both the kdcserver and the client. Also make sure that the entries are of the form:
ipaddress fqdn hostname
In my case the kdc server is called and the client, so bear that in mind, when running through the instructions.

Logged in as root on run:
  1. yum install krb5-server -y  -- To install the KDC
  2. kdb5_util create -s -- To create the KDC database.
  3. edit /var/kerberos/krb5kdc/kadm5.acl and change the Realm to DOMAIN.COM -- To enable administration of the database.
  4. edit /etc/krb5.conf and change references to to Note that you should respect capitalization, e.g. EXAMPLE.COM should be changed to DOMAIN.COM and should be changed to -- This is the client configuration.
  5. kadmin.local -q "addprinc root/admin" -- add an administrator to kdc.
  6. service krb5kdc start -- self explanatory.
  7. service kadmin start -- self explanatory.
  8. kadmin.local -q "addprinc -randkey host/" -- add kdc principal to kdc.
  9. kadmin.local -q "addprinc -randkey host/" -- add client principal to kdc.
  10. ktutil. While on ktutil shell: ktadd -k /etc/krb5.keytab host/ -- add kdc principal to keytab file.
  11. Add a principal that corresponds to a user account. kadmin.local -q "addprinc crap" -- add a user.
  12. Ensure that  the openSSH daemon will accept GSSAPI as an authentication method. Make sure that the following lines are not commented out. -- Configure the openSSH daemon.
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
  13. service sshd restart --Restart the openSSH daemon.
If you are not using an LDAP directory for user accounts, make sure that the user crap exists in both server and client.

Logged on as root in, ensure that the date and time are the same as on and run:
  1. ktutil. While on ktutil shell: ktadd -k /etc/krb5.keytab host/
  2. Add the following lines to the ssh client config file (etc/ssh/ssh_config).
    Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
  3. Ensure that the /etc/krb5.conf file is identical to the one in
  4. su crap
  5. kinit -- Get a kerberos ticket.
  6. ssh yetanother
This will log you in to as the user crap.

In general, it makes sense to use an LDAP directory together with Kerberos authentication as otherwise you will need to have a user account in each server. So that I would have needed to add a user account called crap to This is not a very onerous task, but if you have to do it for many servers it gets boring quickly.

To add more servers simple create a principal for the server (kadmin -q "addprinc -randkey host/"), then add that principal to the krb5.keytab of the server ( by running: ktutil. While on ktutil shell: ktadd -k /etc/krb5.keytab host/ Make sure that the kerberos configuration file /etc/krb5.conf is correct and finally make sure that the openSSH client and daemon are configured correctly, see above.

No comments:

Post a Comment