Tuesday, 28 February 2012

SSH Single Sign On for CentOS 6.2 or RHEL 6.0 using a Windows 2008 AD domain

In one of my previous posts I discussed how to join a CentOS 6.2 server to a Windows 2008 AD domain. There was one thing that wasn't working and that really, and I mean, REALLY annoyed me and this was: single sign on, i.e. using SSH to login to another server in the domain without being prompted for your password again.

After a lot of head banging, cursing and wondering why oh why had I decided to embark in such a doomed enterprise, I managed to get it working. I assume that you have followed my previous post on how to join a CentOS 6 (RHEL 6 works too) and that you have two linux machines that have joined the domain. A second machine is only needed for testing purposes, you could use putty instead. I needed the second machine for other purposes, so that is the route I chose. I have also tested it with putty and it does work as well.

Here is the list of steps needed:
  1. From the Windows domain controller run the following command, which will create spns and upns. Note that you will need to run it as Administrator:
    ktpass -princ host/adtest.my.org@MY.ORG -mapuser MY\adtest$  -pass Passw0rd123 -ptype KRB5_NT_PRINCIPAL -crypto All -out adtest.keytab
  2. Copy adtest.keytab to your linux box, I simply mounted the c drive of the DC on the linux box, but this might not be available to you.
  3. If your server doesn't have a keytab file (/etc/krb5.keytab), then you can just move adtest.keytab to /etc/krb5.keytab otherwise you will need to merge it, which you can do with the ktutil tool, see this link for instructions.
  4. [Optional] Limit encryption to RC4-HMAC, by editing the kerberos configuration file /etc/krb5.conf and adding the following to the [libdefaults] directive:
  5. default_tkt_enctypes=rc4-hmac
    default_tgs_enctypes=rc4-hmac
    permitted_enctypes =rc4-hmac
  6. Restart the OpenSSH daemon:
    service sshd restart
  7. Configure the OpensSSH client. This will limit SSO to hosts in the domain:
  8. Host *.my.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
  9. Repeat steps 1 to 6 for the second server if needed.
  10. Login to first server with a domain account that has linux attributes set.
  11. Ensure that a Kerberos ticket has been issued: 
  12. klist
    Ticket cache: FILE:/tmp/krb5cc_10000_TjT7rk
    Default principal: linuxuser@MY.ORG

    Valid starting     Expires            Service principal
    02/28/12 17:41:06  02/29/12 03:39:31  krbtgt/MY.ORG@MY.ORG
            renew until 02/29/12 03:41:06
  13. Open secure shell on second server, which will log you without a prompt for credentials
    ssh adtest5.my.org
It is very important that name resolution is working correctly as you could get issues if it doesn't work properly, thus an up to date DNS server is quite useful. If you don't have a DNS server make sure that your hosts files are up to date with all the server names involved.

If you hit any problems, the simplest way to trouble shoot is to open a debug ssh daemon, which you can do like this (you can add a couple more ds for extra debug info but I think debug1 is all you need):
/usr/sbin/sshd -p 31415 -d
You'll need to allow traffic on port 31415 or the port you choose, which you can easily do by stopping iptables. Clearly this should only be done in servers that are not internet facing. If the server is internet facing then just open port 31415, e.g:
iptables -I INPUT -p tcp --dport 31415 -j ACCEPT
You can connect to this server with:
ssh servername -p 31415 -v
This should tell you what the problem is, e.g:
debug1: Unspecified GSS failure.  Minor code may provide more information
Key table entry not found
This was actually caused by a name resolution problem.

No comments:

Post a Comment