Using SunSSH with Kerberos authentication
There have been some questions recently on how to configure Solaris Secure Shell with Kerberos authentication. There were also some complaints that the existing documentation was not sufficient. Well, the reason is that SSH works with Kerberos out of the box through the gssapi-keyex authentication method; no configuration is needed on the SSH side. It is the first auth method tried on the client side, and the SSH server supports it by default. So the only thing that remains is to configure Kerberos.
The setup has just 3 steps, including the testing.
(a) configure the client...
Let's just see an example - let's have a client box that is not yet configured for Kerberos, an existing KDC server, and we want the client to join the realm that the KDC is part of.
In /etc/krb5/krb5.conf, change the string ___default_realm___ to the existing realm, and change ___master_kdc___ to the address of the KDC server. The last thing is to map the domain name to the realm, so replace ___domainname___ with your domain. You can see the complete example configuration.
It is also mandatory that DNS is working on your client; Kerberos can't work without it.
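A quick way to catch the usual step (a) mistakes before touching SSH at all is to check the edited krb5.conf for leftover placeholders, the wrong default_realm, a missing kdc entry, or a missing domain-to-realm mapping. The script below is an added example, not part of the original post or of Solaris; it assumes the stock file layout with the ___default_realm___, ___master_kdc___ and ___domainname___ markers described above, and the KDC host name kdc.in.snake-oil.net in the edited sample is an assumed name.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a krb5.conf before
# trying gssapi-keyex. Assumes the Solaris stock file layout with the
# ___placeholder___ markers, and [libdefaults]/[realms]/[domain_realm] sections.

# check_krb5_conf CONF_TEXT REALM
# Prints one line per problem found and returns 1 if any; returns 0 if clean.
check_krb5_conf() {
    conf=$1
    realm=$2
    rc=0

    # 1. Any placeholder left over means a step was skipped.
    if printf '%s\n' "$conf" | grep -q '___[a-z_]*___'; then
        echo "unreplaced placeholder(s): $(printf '%s\n' "$conf" | grep -o '___[a-z_]*___' | sort -u | xargs)"
        rc=1
    fi

    # 2. default_realm must be exactly the realm the KDC serves
    #    (realm names are case-sensitive, conventionally upper case).
    if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*$"; then
        echo "default_realm is not $realm"
        rc=1
    fi

    # 3. Some realm needs at least one kdc (or master_kdc) entry.
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(master_)?kdc[[:space:]]*='; then
        echo "no kdc/master_kdc entry for any realm"
        rc=1
    fi

    # 4. Without a domain -> realm mapping the client cannot build host/<fqdn>@REALM.
    #    Approximation: any "domain = REALM" line counts, regardless of section.
    if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*\.?[a-z0-9.-]+[[:space:]]*=[[:space:]]*$realm[[:space:]]*$"; then
        echo "no domain_realm mapping to $realm"
        rc=1
    fi
    return $rc
}

# Constructed sample: the stock file with the placeholders still in place.
UNEDITED_CONF='[libdefaults]
        default_realm = ___default_realm___

[realms]
        ___default_realm___ = {
                kdc = ___master_kdc___
                admin_server = ___master_kdc___
        }

[domain_realm]
        .___domainname___ = ___default_realm___'

# Constructed sample: the same file after step (a), using the example realm
# from the post; kdc.in.snake-oil.net is an assumed KDC host name.
EDITED_CONF='[libdefaults]
        default_realm = SNAKE-OIL.NET

[realms]
        SNAKE-OIL.NET = {
                kdc = kdc.in.snake-oil.net
                admin_server = kdc.in.snake-oil.net
        }

[domain_realm]
        .in.snake-oil.net = SNAKE-OIL.NET'

# report NAME CONF_TEXT: run the checks and summarise.
report() {
    if check_krb5_conf "$2" SNAKE-OIL.NET; then
        echo "$1: ok"
    else
        echo "$1: NOT ready"
    fi
}

report UNEDITED_CONF "$UNEDITED_CONF"
report EDITED_CONF "$EDITED_CONF"
```

On a real client run it as `check_krb5_conf "$(cat /etc/krb5/krb5.conf)" YOUR.REALM`; a clean result only means the file is plausible, the DNS requirement above still has to be verified separately.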
(b) create a principal for your SSH server
You need to generate a secret key for remote services on the KDC unless there is one already. This key must then be put into a keytab on your SSH server.
Note that the server must already be configured to be part of the realm you used for the client configuration above - if not, just do exactly the same as you did for the client.
To create a principal, follow the example below (what I typed follows the root# and kadmin: prompts; lines starting with # are comments). So now, log in to your SSH server - I'm using ssh-server.in.snake-oil.net in my example:
#
# log in to kadmin service as a Kerberos administrator (the actual user name
# depends on your configuration)
#
root# kadmin -p krbadmin/admin
Authenticating as principal krbadmin/admin with password.
Password for krbadmin/admin@SNAKE-OIL.NET:
#
# create a key for remote services for the host which is to be your SSH server
#
kadmin: addprinc -randkey host/ssh-server.in.snake-oil.net
WARNING: no policy specified for host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET; defaulting to no policy
Principal "host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET" created.
#
# copy the key from KDC to your SSH server's keytab
#
kadmin: ktadd host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
#
# you are done now
#
kadmin: quit
root#
#
# you can check that the keytab was updated
#
root# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
#
# possibly other keys
#
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
#
# possibly other keys
#
Please be careful that your encryption types are the same on both sides. A mismatch can happen, for example, if you have the SUNWcry/SUNWcryr packages installed on the SSH server but not on the KDC. The error message then looks like this:
Principal "host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET" created.
kadmin: ktadd host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
kadmin: Bad encryption type while changing host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET's key
(c) ...and test it.
What then? As expected, just run kinit on the client you have just configured, verify with klist that you got a TGT, and run the SSH client against a server supporting Kerberos authentication, which is ssh-server.in.snake-oil.net in our example. Run with -vvv and you should see something like this:
...
...
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug2: Authenticating with GSS-API context from key exchange (w/ MIC)
debug2: we sent a gssapi-keyex packet, wait for reply
debug1: Authentication succeeded (gssapi-keyex)
debug1: channel 0: new [client-session]
...
...
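Two checks tie steps (b) and (c) together: the keytab on the SSH server must contain host/<fqdn>@REALM for the name the client connects to, and the ssh -vvv log must end with a GSS-API method succeeding rather than the client silently falling through to password. The script below is an added example, not part of the original post or of SunSSH; the klist -k listing and the successful ssh log are the ones shown above, while the second ssh log is a constructed session in which the server offered no GSS-API method at all.

```shell
#!/bin/sh
# Added example (not from the original post): verify the keytab entry from
# step (b) and interpret the ssh -vvv output from step (c).

# keytab_has_host_key KLIST_OUTPUT FQDN REALM
# Succeeds if the `klist -k` listing contains host/FQDN@REALM and prints the
# kvno(s) seen; fails with a message otherwise. Comment lines (#) and the
# header are ignored because their second field is not a principal name.
keytab_has_host_key() {
    listing=$1
    princ="host/$2@$3"
    kvnos=$(printf '%s\n' "$listing" | awk -v p="$princ" '$2 == p { print $1 }' | sort -u | xargs)
    if [ -z "$kvnos" ]; then
        echo "keytab has no entry for $princ"
        return 1
    fi
    echo "$princ present with kvno(s): $kvnos"
    return 0
}

# ssh_auth_method SSH_DEBUG_OUTPUT
# Prints the method that "debug1: Authentication succeeded (...)" reports and
# returns 0 only when it is a GSS-API method. On any other outcome it returns 1
# and writes a hint to stderr derived from the server's offered method list.
ssh_auth_method() {
    log=$1
    method=$(printf '%s\n' "$log" | sed -n 's/^debug1: Authentication succeeded (\(.*\)).*/\1/p' | head -n 1)
    case $method in
        gssapi-keyex|gssapi-with-mic)
            echo "$method"
            return 0 ;;
        "")
            echo "no successful authentication in log"
            return 1 ;;
        *)
            echo "$method"
            if ! printf '%s\n' "$log" | grep -q '^debug1: Authentications that can continue: .*gssapi'; then
                echo "hint: server did not offer a gssapi method (check its keytab and realm config)" >&2
            else
                echo "hint: server offered gssapi but the client fell back (check kinit/klist and that the target name resolves to the host principal's FQDN)" >&2
            fi
            return 1 ;;
    esac
}

# Sample inputs. KLIST_OUT and SSH_OK are taken from the post; SSH_FALLBACK is
# constructed to show a server that offers no GSS-API method.
KLIST_OUT='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET
   3 host/ssh-server.in.snake-oil.net@SNAKE-OIL.NET'

SSH_OK='debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug2: Authenticating with GSS-API context from key exchange (w/ MIC)
debug1: Authentication succeeded (gssapi-keyex)'

SSH_FALLBACK='debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Next authentication method: password
debug1: Authentication succeeded (password)'

keytab_has_host_key "$KLIST_OUT" ssh-server.in.snake-oil.net SNAKE-OIL.NET
keytab_has_host_key "$KLIST_OUT" other-host.in.snake-oil.net SNAKE-OIL.NET
ssh_auth_method "$SSH_OK"
ssh_auth_method "$SSH_FALLBACK"
```

On the real server run `keytab_has_host_key "$(klist -k)" "$(hostname)" YOUR.REALM`, and on the client pipe `ssh -vvv host 2>&1 true` into a file and pass its contents to `ssh_auth_method`; note that ssh -vvv writes its debug lines to stderr.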
Docs
If you want to read more, check out the documentation on SunSSH and the Kerberos section, both at OpenSolaris.org.