At this point, most of the infrastructure is in place. Now I could tie some other services together with this infrastructure. For my servers (not the kerberos KDC and LDAP directory), I’ve configured kerberized SSH. It’s a good starting point to see the benefits of single sign-on.
To install the SSH server on a linux machine, the package to install is
sudo apt-get install openssh-server
GSSAPI authentication will allow us to authenticate to the server with our Kerberos tickets. There is a good white paper provided by ViSolve. The Ubuntu website also provides documentation for kerberized SSH and SSH in general here, here, and here.
Configuring kerberized SSH first requires some modifications to the configuration file to enable GSSAPI authentications.
# GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes
I’ve configured the SSH daemon to enable GSSAPI authentication with the first keyword, and the second tell SSH to cleanup the kerberos tickets on logout.
In addition, I’ve set some other options for my specific host.
# boost key size to 2048 'ServerKeyBits 1024' ServerKeyBits 2048 # Never permit root to login 'PermitRootLogin without-password' PermitRootLogin no # Deny admin to connect DenyUsers admin AllowUsers DenyGroups AllowGroups # Change to no to disable tunnelled clear text passwords PasswordAuthentication no
This increases the key size, denies root login, and disables password authentication. Also, I’ve denied the local account login (admin) through ssh. This SSH server will allow me to login with either public-key authentication or with my kerberos tickets. This lets me use my kerberos tickets if I’m on my local network, and with the public key if I’m outside of it.
Once the SSH daemon has been configured, the proper service principal needs to be added to the Kerberos database, and the keytab installed on the host machine. The principal that the SSH server looks for is the “host” principal. To install the keytab on the server, I bring up
kadmin on the host machine so that I can write straight to the keytab.
kadmin kadmin> addprinc -randkey host/cerf.internal.example.com kadmin> ktadd -k /etc/krb5.keytab host/cerf.internal.example.com
This will add the service principal with a random key to the database, and then dump the principal to the keytab. SSH looks in the standard
I can now connect to my server either using public key authentication:
ssh -i <private-key-file> email@example.com
Or using my Kerberos tickets (Forward the credentials to the server)
ssh -K firstname.lastname@example.org
(or without forwarding kerberos tickets)
ssh -k email@example.com
If I want to automatically support kerberos authentication through the client without specifying on the command line, the keyword “
GSSAPIAuthentication” needs to be enabled in the client configuration file. See the man page. This option is enabled by default on Ubuntu machines, but not for OS X ssh clients.