Using SunSSH with Kerberos authentication

There have been some questions recently on how to configure Solaris Secure Shell with Kerberos authentication, and also some complaints that the existing documentation was not sufficient. Well, the reason is that SSH works with Kerberos out of the box through the gssapi-keyex authentication method; no configuration is needed on the SSH side. It is the first authentication method tried on the client side, and the SSH server supports it by default. So the only thing that remains is to configure Kerberos. The setup has just 3 steps, including the testing.

(a) configure the client...

Let's just see an example: we have a client box without Kerberos support and an existing KDC server, and we want the client to join the realm that the KDC is part of.

In /etc/krb5/krb5.conf, change the string ___default_realm___ to the existing realm, and change ___master_kdc___ to the address of the KDC server. The last thing is to map the domain name to the realm, so replace ___domainname___ with your domain. You can see the complete example configuration.

It is also mandatory that DNS is working on your client; Kerberos can't work without it.

(b) create a principal for your SSH server

You need to generate a secret key for remote services on the KDC unless there is one already. This key must then be put into a keytab on your SSH server.

Note that the server must already be configured to be part of the realm you used for the client configuration above; if not, just do exactly what you did for the client. To create a principal, follow the example below (the lines starting with # are my comments, the rest is what I typed and the output I got). So now, log in to your SSH server; I'm using ssh-server.in.snake-oil.net in my example:

#
# log in to kadmin service as an Kerberos administrator (the actual user name
# depends on your configuration)
#
root# kadmin -p krbadmin/admin
Authenticating as principal krbadmin/admin with password.
Password for krbadmin/admin@SNAKE-OIL.NET: 
#
# create a key for remote services for the host which is to be your SSH server
#
kadmin:  addprinc -randkey host/ssh-server.in.snake-oil.net
WARNING: no policy specified for host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET; defaulting to no policy
Principal "host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET" created.
#
# copy the key from KDC to your SSH server's keytab
#
kadmin:  ktadd host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
#
# you are done now
#
kadmin:  quit

root#
root#
root#
#
# you can check that the keytab was updated
#
root# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
#
# possibly other keys
#
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
#
# possibly other keys
#

Please be careful that your encryption types are the same on both sides. A difference can happen, for example, if you have the SUNWcry/SUNWcryr packages installed on the SSH server but not on the KDC. The error message is then like this:

Principal "host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET" created.
kadmin:  ktadd host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
kadmin: Bad encryption type while changing host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET's key

(c) ...and test it.

What then? As expected, just run kinit on the client you have just configured, verify with klist that you got a TGT, and run the SSH client against a server supporting Kerberos authentication, which is ssh-server.in.snake-oil.net in our example. Run with -vvv and you should see something like this:

...
...
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: Authenticating with GSS-API context from key exchange (w/ MIC)
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex)
debug1: channel 0: new [client-session]
...
...
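An added check script for steps (b) and (c), not code from the original post: it parses klist -k output for the host principal that sshd needs and extracts the method that ssh -vvv reports as successful, so a fallback to password authentication cannot pass unnoticed. The host name, realm and sample outputs are constructed from the post's own examples.

```shell
#!/bin/sh
# Added example, not code from the original post: post-setup checks for
# steps (b) and (c). Each function takes captured command output as an
# argument so it can run on the constructed samples below; on a real host
# feed it "$(klist -k)" and "$(ssh -vvv server true 2>&1)" instead.

# Step (b): does the keytab hold the host principal sshd will present?
# Usage: keytab_has_host_principal "<klist -k output>" <fqdn> <REALM>
keytab_has_host_principal() {
    printf '%s\n' "$1" |
        awk -v p="host/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# Number of keys stored for that principal (one line per encryption type).
# Zero usually means ktadd never ran, or ran for a differently spelled name.
keytab_key_count() {
    printf '%s\n' "$1" |
        awk -v p="host/$2@$3" '$2 == p { n++ } END { print n + 0 }'
}

# Step (c): which method did the client actually succeed with? Extracts the
# name from the "Authentication succeeded (...)" debug1 line, so a silent
# fallback to password authentication does not go unnoticed in a script.
ssh_auth_method() {
    printf '%s\n' "$1" |
        sed -n 's/^debug1: Authentication succeeded (\([^)]*\)).*/\1/p' | head -n 1
}

# Constructed samples, trimmed from the transcripts in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET'

SAMPLE_SSH='debug1: Next authentication method: gssapi-keyex
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex)
debug1: channel 0: new [client-session]'

fqdn=ssh-server.in.snake-oil.net; realm=SNAKE-OIL.NET
if keytab_has_host_principal "$SAMPLE_KLIST" "$fqdn" "$realm"; then
    echo "keytab: host/$fqdn@$realm present, $(keytab_key_count "$SAMPLE_KLIST" "$fqdn" "$realm") key(s)"
else
    echo "keytab: host/$fqdn@$realm missing, rerun ktadd on this host" >&2
fi
echo "ssh: authenticated with $(ssh_auth_method "$SAMPLE_SSH")"
```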

Docs

If you want to read some documentation, please check out the documentation on SunSSH, and you can also see the Kerberos section, both at OpenSolaris.org.

Comments:

Yes, there's nothing to do as far as configuring ssh/sshd goes -- just configure Kerberos V, key your hosts, kinit (or login using pam_krb5), and you're done. Perhaps the title of this entry should be "Configure Kerberos V if you want ssh/sshd to use it" :) :)

Posted by Nico on June 28, 2007 at 10:35 AM CEST #

Well, yes. It wasn't exactly my idea to blog about it :-) I guess I could change the title...

Posted by Jan on June 28, 2007 at 10:39 AM CEST #

I did and I also did a few modifications in the first paragraph :)

Posted by Jan on June 28, 2007 at 10:57 AM CEST #

Thanks!

Posted by Nico on June 28, 2007 at 11:22 AM CEST #

About

Jan Pechanec