Using OpenSSH with Kerberos

Some initial setup is required to use OpenSSH with Kerberos.

The following steps provide information on the initial setup that is required in order to use OpenSSH with Kerberos:

  1. On your OpenSSH clients and servers, the /etc/krb5.conf file must exist. This file tells Kerberos which KDC to use, what lifetime to give each ticket, and so on. Note that realm names are case-sensitive, so the realm named in default_realm, in the [realms] section, and in [domain_realm] must be spelled identically. The following is an example krb5.conf file:
    
    [libdefaults]
    ticket_lifetime = 600
    default_realm = OPENSSH.AUSTIN.XYZ.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
     
    [realms]
    OPENSSH.AUSTIN.XYZ.COM = {
        kdc = kerberos.austin.xyz.com:88
        kdc = kerberos-1.austin.xyz.com:88
        kdc = kerberos-2.austin.xyz.com:88
        admin_server = kerberos.austin.xyz.com:749
        default_domain = austin.xyz.com
    }
     
    [domain_realm]
        .austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
        kdc.austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
    
  2. Add the following Kerberos services to each client machine's /etc/services file:
    kerberos      88/udp    kdc    # Kerberos V5 KDC
    kerberos      88/tcp    kdc    # Kerberos V5 KDC
    kerberos-adm  749/tcp          # Kerberos 5 admin/changepw
    kerberos-adm  749/udp          # Kerberos 5 admin/changepw
    krb5_prop     754/tcp          # Kerberos slave propagation
    
  3. If your KDC uses LDAP as the registry that stores user information, see the LDAP authentication load module documentation and the Kerberos publications. In addition, make sure that:
    • The KDC is running the LDAP client. You can start the LDAP client daemon with the secldapclntd command.
    • The LDAP server is running the slapd LDAP server daemon.
  4. On the OpenSSH server, edit the /etc/ssh/sshd_config file to contain the lines:
    KerberosAuthentication yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UseDNS yes
    If UseDNS is set to yes, the ssh server does a reverse host lookup to find the name of the connecting client. This is necessary when host-based authentication is used, or when you want last-login information to show host names rather than IP addresses.
    Note: Some ssh sessions stall when performing reverse name lookups because the DNS servers are unreachable. If this happens, you can skip the DNS lookups by setting UseDNS to no. If UseDNS is not explicitly set in the /etc/ssh/sshd_config file, the default value is UseDNS yes.
  5. On the SSH server, run the startsrc -g ssh command to start the ssh server daemon.
  6. On the SSH client machine, run the kinit command to gain initial credentials (a TGT). You can verify that you received a TGT by running the klist command. This shows all credentials belonging to you.
  7. Connect to the server by running the ssh username@servername command.
  8. If Kerberos is properly configured to authenticate the user, no password prompt is displayed and the user is logged in to the SSH server automatically.
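The two configuration files in steps 1 and 4 are the usual source of a silent fallback to password authentication: a realm name whose case differs between default_realm and the [realms] block, or a required sshd_config directive that is commented out. The following checker is an added example, not part of the original procedure or of AIX, OpenSSH or MIT Kerberos. It parses the krb5.conf profile format and sshd_config and reports exactly those mistakes. The sample file contents are constructed here for illustration; the function names and the case-mismatch hint are this example's own.

```python
"""Sanity-check the krb5.conf and sshd_config settings the procedure relies on.

Added example, not part of the original page. It parses krb5.conf (profile
format with [section] headers and 'realm = { ... }' blocks) and sshd_config
(keyword/value lines, first occurrence wins), and reports the misconfigurations
that most often make Kerberos SSH logins fall back to a password prompt.
"""
import re

# Constructed sample krb5.conf: the realm block header is spelled with a
# different case (xyz) from default_realm (XYZ). Realm names are case-sensitive,
# so the client cannot find a KDC for its default realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
ticket_lifetime = 600
default_realm = OPENSSH.AUSTIN.XYZ.COM

[realms]
OPENSSH.AUSTIN.xyz.COM = {
    kdc = kerberos.austin.xyz.com:88
    admin_server = kerberos.austin.xyz.com:749
    default_domain = austin.xyz.com
}

[domain_realm]
    .austin.xyz.com = OPENSSH.AUSTIN.XYZ.COM
"""

# Constructed sample sshd_config: KerberosAuthentication is commented out and
# GSSAPIAuthentication is missing, so only password/publickey auth remain.
SAMPLE_SSHD_CONFIG = """
#KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPICleanupCredentials yes
"""

# Directives step 4 requires, keyed by their canonical spelling.
REQUIRED_SSHD = {
    "KerberosAuthentication": "yes",
    "KerberosTicketCleanup": "yes",
    "GSSAPIAuthentication": "yes",
    "GSSAPICleanupCredentials": "yes",
}


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; inside [realms], each realm block
    becomes {realm_name: {key: [values]}} so repeated 'kdc =' lines are kept."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # strip comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key/value line before any [section] header: %r" % raw)
        if line.endswith("{"):  # start of a 'NAME = {' block
            realm = line[:-1].strip().rstrip("=").strip()
            sections[section][realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        target = sections[section][realm] if realm else sections[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def _realm_hint(name, realms):
    """Explain a missing realm when a block exists that differs only in case."""
    near = [r for r in realms if r.upper() == name.upper()]
    return " (case mismatch with block '%s'; realm names are case-sensitive)" % near[0] if near else ""


def check_krb5_conf(text):
    """Return a list of problems: default_realm and every [domain_realm] target
    must have a [realms] block with identical spelling, and each realm needs a kdc."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        problems.append("libdefaults: default_realm not set")
    elif default_realm not in realms:
        problems.append("default_realm %s has no [realms] entry%s" % (default_realm, _realm_hint(default_realm, realms)))
    for name, realm in realms.items():
        if "kdc" not in realm:
            problems.append("realm %s defines no kdc" % name)
    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target not in realms:
                problems.append("domain_realm %s -> %s: not in [realms]%s" % (domain, target, _realm_hint(target, realms)))
    return problems


def parse_sshd_config(text):
    """Return {lowercased keyword: value}; like sshd, the first occurrence wins.
    Match blocks are not modelled (this checks global settings only)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, 1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd_config(text):
    """Return problems for each step-4 directive that is absent or not 'yes'."""
    settings = parse_sshd_config(text)
    problems = []
    for key, wanted in REQUIRED_SSHD.items():
        have = settings.get(key.lower())
        if have is None:
            problems.append("%s not set" % key)
        elif have.lower() != wanted:
            problems.append("%s is %s, expected %s" % (key, have, wanted))
    return problems


def effective_use_dns(text):
    """UseDNS as sshd will apply it: the note in step 4 says an unset value means yes."""
    return parse_sshd_config(text).get("usedns", "yes").lower()


if __name__ == "__main__":
    for problem in check_krb5_conf(SAMPLE_KRB5_CONF) + check_sshd_config(SAMPLE_SSHD_CONFIG):
        print("PROBLEM:", problem)
    print("effective UseDNS:", effective_use_dns(SAMPLE_SSHD_CONFIG))
```

Run it against the real files with `check_krb5_conf(open("/etc/krb5.conf").read())` and `check_sshd_config(open("/etc/ssh/sshd_config").read())` before step 5; an empty list from both means the settings the procedure depends on are in place, and `effective_use_dns` tells you whether the reverse-lookup stall described in the step 4 note can apply.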