[Network Administration]: Kerberized SSH

At this point, most of the infrastructure is in place, so I can start tying other services into it. For my servers (not the Kerberos KDC and LDAP directory), I’ve configured kerberized SSH. It’s a good starting point to see the benefits of single sign-on.
To install the SSH server on a Linux machine, the package to install is openssh-server.

sudo apt-get install openssh-server

GSSAPI authentication will allow us to authenticate to the server with our Kerberos tickets. There is a good white paper provided by ViSolve. The Ubuntu website also provides documentation for kerberized SSH and SSH in general here, here, and here.
Configuring kerberized SSH first requires some modifications to the SSH daemon's configuration file to enable GSSAPI authentication.

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

The first keyword configures the SSH daemon to enable GSSAPI authentication, and the second tells SSH to clean up the Kerberos tickets on logout.
In addition, I’ve set some other options for my specific host.

# boost key size to 2048 'ServerKeyBits 1024'
# (ServerKeyBits sizes the ephemeral SSH protocol 1 server key)
ServerKeyBits 2048
# Never permit root to login 'PermitRootLogin without-password'
PermitRootLogin no
# Deny admin to connect
DenyUsers admin
# Remaining access lists are left unset; give each a value before uncommenting
#AllowUsers
#DenyGroups
#AllowGroups
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

This increases the key size, denies root login, and disables password authentication. I’ve also denied SSH login for the local account (admin). This SSH server will allow me to log in with either public-key authentication or my Kerberos tickets. This lets me use my Kerberos tickets when I’m on my local network, and the public key when I’m outside of it.
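To check that a host's sshd_config really ends up with the settings above, here is an added Python example (not part of the original post). The function names and the sample config are constructed for illustration; it assumes a setting must be explicit to pass and does not follow Include directives.

```python
# Added example: audit sshd_config text against the settings used in this post.
EXPECTED = {
    "gssapiauthentication": "yes", "gssapicleanupcredentials": "yes",
    "permitrootlogin": "no", "passwordauthentication": "no",
}
LISTS = {"denyusers", "allowusers", "denygroups", "allowgroups"}  # accumulate


def effective_globals(text):
    """Return {keyword: [args]} for the global section of an sshd_config.
    Keywords are case-insensitive and the first value obtained wins, except
    for the allow/deny lists; parsing stops at the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            break  # settings below a Match line only apply conditionally
        if key in LISTS or key not in seen:
            seen.setdefault(key, []).extend(args)
    return seen


def audit(text):
    """Return findings; an empty list means every expected setting is explicit."""
    cfg = effective_globals(text)
    findings = [f"{k}: keyword has no value" for k, v in cfg.items() if not v]
    for key, want in EXPECTED.items():
        got = " ".join(cfg.get(key, [])).lower()
        if got != want:
            findings.append(f"{key}: is {got or 'unset'!r}, expected {want!r}")
    if "admin" not in cfg.get("denyusers", []):
        findings.append("denyusers: local account 'admin' is not denied")
    return findings


# Constructed sample: the later 'PasswordAuthentication no' is ignored by sshd.
SAMPLE = """\
PasswordAuthentication yes
PasswordAuthentication no
GSSAPIAuthentication yes
PermitRootLogin without-password
AllowUsers
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result from `audit()` on the real file contents means the global section matches; settings inside Match blocks still need a manual look.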

Once the SSH daemon has been configured, the proper service principal needs to be added to the Kerberos database, and the keytab installed on the host machine. The principal that the SSH server looks for is the “host” principal. To install the keytab on the server, I bring up kadmin on the host machine so that I can write straight to the keytab.

kadmin
kadmin> addprinc -randkey host/cerf.internal.example.com
kadmin> ktadd -k /etc/krb5.keytab host/cerf.internal.example.com

This will add the service principal with a random key to the database, and then dump the principal to the keytab. SSH looks in the standard /etc/krb5.keytab location.

I can now connect to my server either using public key authentication:

ssh -i <private-key-file> user1@cerf.internal.example.com

Or using my Kerberos tickets, forwarding the credentials to the server:

ssh -K user1@cerf.internal.example.com

Or without forwarding the Kerberos tickets:

ssh -k user1@cerf.internal.example.com

If I want the client to use Kerberos authentication automatically, without specifying it on the command line, the keyword “GSSAPIAuthentication” needs to be enabled in the client configuration file. See the man page. This option is enabled by default on Ubuntu machines, but not for OS X ssh clients.
