We've got a Kerberos server (Debian Squeeze, Heimdal) that is used for logins, and home directories on an NFSv4 server that already uses Kerberos (sec=krb5). We want to use Kerberos credentials to authenticate when ssh'ing (OpenSSH, Ubuntu Lucid) from one host to another within our network.
Using SSH keys doesn't cut it here. The home directories are exported with root-squash, so sshd (running as root, and holding no Kerberos credentials of its own) cannot read the user's ~/.ssh/authorized_keys and can never decide whether access should be granted. And even if one does manage to log in with a key, the resulting session still has no Kerberos ticket, so it cannot read anything in $HOME.
Logging in through SSH with Kerberos credentials, and delegating them to the server, solves both problems.
Procedure 13. On the SSH Server
Configuring SSH
The following settings are useful in /etc/ssh/sshd_config:
GSSAPIAuthentication yes
# To avoid a syslog spammer in Lucid
GSSAPICleanupCredentials no
# Needs the GSSAPI key exchange patch that Debian/Ubuntu ship, not upstream OpenSSH
GSSAPIKeyExchange yes
# Only for renamed hosts
GSSAPIStrictAcceptorCheck no
Two caveats: with GSSAPICleanupCredentials no, the credentials a client delegated stay in the server's ticket cache after logout until they expire; and with GSSAPIStrictAcceptorCheck no, sshd accepts a ticket for any host principal present in its keytab, so that keytab should only ever hold this host's own keys.
Then the service needs to be restarted, of course:
sudo service ssh restart
Using host keys
The SSH server needs a Kerberos key in /etc/krb5.keytab for its host principal, of the form host/$(hostname -f)@REALM, where the hostname is the fully qualified name the clients connect to:
# add the host principal to the database with a random key (-r)
kadmin -p apprentice/admin add -r host/sshserver.domain.com@DOMAIN.COM
# extract the key into a separate keytab
sudo kadmin -p apprentice/admin ext_keytab -k /etc/krb5.keytab.host host/sshserver.domain.com@DOMAIN.COM
# merge it into the system keytab and remove the temporary file (it contains a secret key)
sudo ktutil copy /etc/krb5.keytab.host /etc/krb5.keytab && sudo rm /etc/krb5.keytab.host
# check the result: the host principal must be listed
sudo ktutil -k /etc/krb5.keytab list
Procedure 14. On the SSH Client
SSH using Kerberos credentials
The client must already hold a ticket-granting ticket (obtained at login through PAM, or with kinit); `klist` shows it. Then, spelling out every relevant option:
ssh -K -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes -o GSSAPIKeyExchange=yes -o GSSAPITrustDNS=no -o PasswordAuthentication=no -o PubkeyAuthentication=no apprentice@sshserver.domain.com
GSSAPIDelegateCredentials forwards the TGT, which is what lets the remote session read the Kerberized NFS home directory; GSSAPITrustDNS=no makes ssh derive the host principal from the name typed on the command line rather than from a DNS lookup, so a spoofed DNS answer cannot redirect the ticket; disabling password and public-key authentication makes the command fail loudly instead of falling back if GSSAPI is misconfigured. Since -K already enables GSSAPIAuthentication and GSSAPIDelegateCredentials, this is, rather simpler:
ssh -K apprentice@sshserver.domain.com