[SOLVED] Kerberos SSH SSO

robhicks
Posts: 2
Joined: 2011/12/01 20:28:34

[SOLVED] Kerberos SSH SSO

Post by robhicks » 2011/12/01 20:55:19

I'm trying to get Keberos set up on CentOS 5 and 6 servers to allow users to ssh into machines without providing a password for each machine.

So far, I have set Keberos up and have added/configured hosts to allow users to log into each server using Kerberos credentials. That all works.

I have also modified sshd_config and ssh_config to enable GSSAPI authentication, and have added a keytab file to each of the servers that includes a listing of all hosts. But no matter what I do, the user stills gets asked for a password when authenticating. In looking at the kdc log I do not see any errors.

Anyway, I'm looking for a guide or something that shows all of the steps to get it to work. Logging on the ssh client shows:

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to admin [10.0.0.81] port 22.
debug1: Connection established.
debug1: identity file /home/rob/.ssh/identity type -1
debug1: identity file /home/rob/.ssh/id_rsa type 1
debug1: identity file /home/rob/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
Any help is greatly appreciated.

rob

KermitDaFragger
Posts: 195
Joined: 2009/09/11 19:23:05
Location: the Netherlands

Re: Kerberos SSH SSO

Post by KermitDaFragger » 2011/12/06 22:57:03

Can you post your sshd_config? Also run sshd attached to the console with debugging on (and attempt a Kerberos logon) and post the results. All I can see now is that the server does not offer GSSAPI.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] Kerberos SSH SSO

Post by pschaff » 2011/12/07 15:50:24

[OT] Welcome back [b]Kermit[/b]. Glad to [i]see[/i] you hanging out here again. :-)

KermitDaFragger
Posts: 195
Joined: 2009/09/11 19:23:05
Location: the Netherlands

Re: Kerberos SSH SSO

Post by KermitDaFragger » 2011/12/07 23:40:09

[OT] @pschaff Thanks, it's good to be back :-)

[ON] @robhicks In case you're having trouble debugging the server side, you can run sshd in debug mode by stopping sshd with '/etc/init.d/sshd stop' and manually starting it with '/usr/sbin/sshd -f /etc/ssh/sshd_config -D -d'.

Charles89
Posts: 3
Joined: 2011/12/22 11:55:03

Re: Kerberos SSH SSO

Post by Charles89 » 2011/12/23 06:59:33

Why does enterprise-wide authentication require so much work? For many businesses, it is because they use different Identity Management Systems for different operating systems: Windows users might authenticate through Active Directory, Linux and Unix users might authenticate through NIS, and Mac OS X users might authenticate through an ad hoc Kerberos key distribution center. Every time a user joins or leaves your company, you have to update each of these identity management systems separately, a time-consuming process that can leave security holes.

The complexity of these identity management systems and their lack of central management increases the likelihood that something will go wrong. A user account with access to protected data, for example, might not get deprovisioned from one of the systems when the user leaves the company.

Likewise's ability to join non-Windows computers to an Active Directory domain immediately yields the benefit of making Active Directory's authentication process available to Unix, Linux, and Mac OS X computers. Because Active Directory functions as a Kerberos key distribution center, Likewise can validate Unix and Linux usernames and passwords with the Kerberos 5 network authentication protocol. Kerberos lets users and computers communicating over an insecure network prove their identity to one another in a secure manner.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Kerberos SSH SSO

Post by pschaff » 2011/12/23 17:00:28

[quote]
Charles89 wrote:
Why does enterprise-wide authentication require so much work?...[/quote]
Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

After reading those links you should realize why you should not hijack threads as you have done. Please start a new Topic for your issue to get the attention you need, providing a link to this one if required for context.

juanino
Posts: 1
Joined: 2012/03/22 05:36:19

Re: Kerberos SSH SSO

Post by juanino » 2012/03/22 05:41:03

Hi Rob

I am trying to do exactly what you said you did. Can you please tell me how you made it happen?
I set up the KDC server and the client, but I do not know how to make SSH recognise the Kerberos users.
I have "GSSAPIAuthentication yes" in both server and client, yet I can't log in using ssh.
I would REALLY appreciate it if you can help me... or anyone else.

robhicks
Posts: 2
Joined: 2011/12/01 20:28:34

Re: Kerberos SSH SSO

Post by robhicks » 2012/04/13 19:44:26

I did get this to work and then never came back to say how. My bad.

As Kerberos instructions state, timing is everything. Make sure that your network time is synced on the kdc and all hosts.

Also make sure that dns is set up correctly. Both forward and reverse names/ip addresses need to resolve correctly.

Then add your hosts. After that, try to log in using an existing user. Make sure the user has a current ticket. Make sure that your sshd is configured correctly. This is what I'm using:


[code]
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRoot no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
[/code]

If you need to get more debugging info, change LogLevel INFO to LogLevel DEBUG. Logging will go to /var/log/secure.

Then try to log in using ssh -v name@host. Using the -v option will increase verbosity.

The problem I was having was network and dns related. Once I got dns and ntp set up right, SSO just worked.

Rob
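The checks Rob lists (sshd offering GSSAPI, clocks in sync, forward and reverse DNS agreeing, a host principal in the keytab) can be scripted. The script below is an added example and is not part of Rob's post or of any CentOS tooling; the hostnames, realm and the `--live` usage are assumptions, and only the sshd_config keywords Rob's own config uses are treated as known. The pure functions take their input on stdin so they can be exercised against saved files; the live checks run only when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for Kerberos (GSSAPI)
# single sign-on over SSH. Hostnames, realm and paths are placeholders.

KRB5_MAX_SKEW=300   # seconds; the libkrb5 default clockskew

# sshd honours the FIRST occurrence of a keyword, keywords are case-insensitive
# and "#" starts a comment. Reads an sshd_config on stdin and prints the
# effective value of the top-level keyword given as $1 (nothing if unset).
sshd_effective() {
    sed 's/#.*//' | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# 0 if the sshd_config on stdin has GSSAPIAuthentication yes, 1 otherwise.
sshd_has_gssapi() {
    [ "$(sshd_effective GSSAPIAuthentication | tr 'A-Z' 'a-z')" = yes ]
}

# Print keywords sshd would reject as "Bad configuration option" (which stops
# sshd from starting at all), e.g. "PermitRoot" instead of "PermitRootLogin".
# Only the keywords from Rob's config are known here; extend KNOWN as needed.
KNOWN="protocol syslogfacility loglevel permitrootlogin passwordauthentication"
KNOWN="$KNOWN challengeresponseauthentication gssapiauthentication"
KNOWN="$KNOWN gssapicleanupcredentials usepam acceptenv x11forwarding subsystem"
sshd_unknown_keywords() {
    sed 's/#.*//' | awk -v known="$KNOWN" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        NF > 0 && !(tolower($1) in k) { print $1 }'
}

# 0 if two epoch-second timestamps (e.g. `date +%s` on the KDC and on this
# host) differ by less than the Kerberos clock-skew limit, 1 otherwise.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -lt "$KRB5_MAX_SKEW" ]
}

# 0 if a `klist -k` listing on stdin contains the principal given as $1,
# e.g. host/admin.example.com@EXAMPLE.COM. Rows are "KVNO Principal".
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Live check: with MIT krb5's default rdns setting the client canonicalises the
# server name through forward and then reverse DNS before building the
# host/<fqdn> principal, so both lookups must agree. Needs a working resolver.
dns_roundtrip() {
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "no forward record for $1"; return 1; }
    back=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$1" ] || { echo "reverse of $ip is '$back', expected $1"; return 1; }
}

# Usage on the SSH server: ./sso-check.sh --live admin.example.com EXAMPLE.COM
if [ "${1:-}" = "--live" ]; then
    host=${2:?usage: $0 --live <server fqdn> <REALM>}
    realm=${3:?usage: $0 --live <server fqdn> <REALM>}
    sshd_has_gssapi < /etc/ssh/sshd_config || echo "sshd_config: GSSAPIAuthentication is not yes"
    unk=$(sshd_unknown_keywords < /etc/ssh/sshd_config)
    [ -z "$unk" ] || echo "sshd_config: keywords sshd will reject: $unk"
    if command -v ntpstat >/dev/null 2>&1; then
        ntpstat >/dev/null 2>&1 || echo "ntp: clock is not synchronised"
    fi
    dns_roundtrip "$host"
    klist -k | keytab_has_principal "host/$host@$realm" \
        || echo "keytab: no host/$host@$realm in /etc/krb5.keytab"
fi
```

The "first occurrence wins" rule matters in practice: a `GSSAPIAuthentication no` left near the top of the file silently overrides a `yes` appended later, which is one way to end up with a server that, as KermitDaFragger observed, never offers GSSAPI.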

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: [SOLVED] Kerberos SSH SSO

Post by AlanBartlett » 2012/04/13 20:48:33

Thank you for reporting back with details of your solution.

On your behalf (and for posterity) this thread is now marked [SOLVED].
