[SOLVED] Kerberos SSH SSO


Postby robhicks » 2011/12/01 20:55:19

I'm trying to get Kerberos set up on CentOS 5 and 6 servers to allow users to ssh into machines without providing a password for each machine.

So far, I have set Kerberos up and have added/configured hosts to allow users to log into each server using Kerberos credentials. That all works.

I have also modified sshd_config and ssh_config to enable GSSAPI authentication, and have added a keytab file to each of the servers that includes a listing of all hosts. But no matter what I do, the user stills gets asked for a password when authenticating. In looking at the kdc log I do not see any errors.

Anyway, I'm looking for a guide or something that shows all of the steps to get it to work. Logging on the ssh client shows:

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to admin [10.0.0.81] port 22.
debug1: Connection established.
debug1: identity file /home/rob/.ssh/identity type -1
debug1: identity file /home/rob/.ssh/id_rsa type 1
debug1: identity file /home/rob/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'admin' is known and matches the RSA host key.
debug1: Found key in /home/rob/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/rob/.ssh/identity
debug1: Offering public key: /home/rob/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/rob/.ssh/id_dsa
debug1: Next authentication method: password
rob@admin's password:

Any help is greatly appreciated.

rob
robhicks
 
Posts: 2
Joined: 2011/12/01 20:28:34

Re: Kerberos SSH SSO

Postby KermitDaFragger » 2011/12/06 22:57:03

Can you post your sshd_config? Also run sshd attached to the console with debugging on (and attempt a kerberos logon) and post the results. All I can see now is that the server does not offer GSSAPI.
KermitDaFragger
 
Posts: 195
Joined: 2009/09/11 19:23:05
Location: the Netherlands

[SOLVED] Kerberos SSH SSO

Postby pschaff » 2011/12/07 15:50:24

[OT] Welcome back Kermit. Glad to see you hanging out here again. :-)
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Kerberos SSH SSO

Postby KermitDaFragger » 2011/12/07 23:40:09

[OT] @pschaff Thanks, it's good to be back :-)

[ON] @robhicks In case you're having trouble debugging the server side, you can run sshd in debug mode by stopping sshd with '/etc/init.d/sshd stop' and manually starting it with '/usr/sbin/sshd -f /etc/ssh/sshd_config -D -d'.
KermitDaFragger
 
Posts: 195
Joined: 2009/09/11 19:23:05
Location: the Netherlands

Re: Kerberos SSH SSO

Postby Charles89 » 2011/12/23 06:59:33

Why does enterprise-wide authentication require so much work? For many businesses, it is because they use different Identity Management Systems for different operating systems: Windows users might authenticate through Active Directory, Linux and Unix users might authenticate through NIS, and Mac OS X users might authenticate through an ad hoc Kerberos key distribution center. Every time a user joins or leaves your company, you have to update each of these identity management systems separately, a time-consuming process that can leave security holes.

The complexity of these identity management systems and their lack of central management increases the likelihood that something will go wrong. A user account with access to protected data, for example, might not get deprovisioned from one of the systems when the user leaves the company.

Likewise's ability to join non-Windows computers to an Active Directory domain immediately yields the benefit of making Active Directory's authentication process available to Unix, Linux, and Mac OS X computers. Because Active Directory functions as a Kerberos key distribution center, Likewise can validate Unix and Linux usernames and passwords with the Kerberos 5 network authentication protocol. Kerberos lets users and computers communicating over an insecure network prove their identity to one another in a secure manner.
Charles89
 
Posts: 3
Joined: 2011/12/22 11:55:03

Re: Kerberos SSH SSO

Postby pschaff » 2011/12/23 17:00:28

Charles89 wrote:
Why does enterprise-wide authentication require so much work?...

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

After reading those links you should realize why you should not hijack threads as you have done. Please start a new Topic for your issue to get the attention you need, providing a link to this one if required for context.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Kerberos SSH SSO

Postby juanino » 2012/03/22 05:41:03

Hi Rob

I am trying to do exactly what you said you had done. Can you please tell me how you made it happen?
I set up the KDC server and the client, but I do not know how to make SSH recognise the Kerberos users.
I have "GSSAPIAuthentication yes" in both server and client, yet I can't log in using ssh.
I would REALLY appreciate it if you can help me... or anyone else
juanino
 
Posts: 1
Joined: 2012/03/22 05:36:19

Re: Kerberos SSH SSO

Postby robhicks » 2012/04/13 19:44:26

I did get this to work and then never came back to say how. My bad.

As Kerberos instructions state, timing is everything. Make sure that your network time is synced on the kdc and all hosts.

Also make sure that dns is set up correctly. Both forward and reverse names/ip addresses need to resolve correctly.

Then add your hosts. After that, try to login using an existing user. Make sure the user has a current ticket. Make sure that your sshd is configured correctly. This is what I'm using:


Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
# PermitRootLogin is the sshd keyword (the post had "PermitRoot", which sshd rejects as a bad option)
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
# Offer gssapi-with-mic so a user holding a valid Kerberos ticket is not prompted for a password
GSSAPIAuthentication yes
# Destroy any delegated credential cache when the session ends
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server


If you need to get more debugging info, change LogLevel INFO to LogLevel DEBUG. Logging will go to /var/log/secure.

Then try to login using ssh -v name@host. Using the -v option will increase verbosity.

The problem I was having was network and dns related. Once I got dns and ntp set up right, SSO just worked.

Rob
robhicks
 
Posts: 2
Joined: 2011/12/01 20:28:34
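As an added example (not from the thread or any of its posters), a shell script that turns Rob's checklist into pre-flight tests: clock skew, forward/reverse DNS agreement, a host principal in the keytab, a current TGT, and GSSAPIAuthentication in sshd_config. The live_checks helper, its KDC argument and the sample outputs are assumptions; the 300-second limit is MIT Kerberos's default clockskew.

```shell
#!/bin/sh
# Pre-flight checks for Kerberos (GSSAPI) SSH SSO: clock sync, forward and
# reverse DNS, a host principal in the keytab, a current TGT, and
# GSSAPIAuthentication in sshd_config. Each check_* function takes command
# output as text so it can run offline; live_checks gathers it from the host.
MAX_SKEW=300   # MIT Kerberos default clockskew: 5 minutes
# Arg: clock offset in whole seconds (may be negative).
check_skew() {
    off=${1#-}                      # strip the sign to get the magnitude
    [ "$off" -lt "$MAX_SKEW" ]
}

# Args: expected FQDN, expected IP, forward lookup result, reverse lookup result.
# If these disagree the client asks for a ticket for host/<wrong-name>, the
# keytab cannot decrypt it, and sshd quietly falls through to password auth.
check_dns() {
    [ "$3" = "$2" ] && [ "$4" = "$1" ]
}

# Args: output of "klist -k", host FQDN. The keytab needs host/FQDN@REALM.
check_keytab() {
    printf '%s\n' "$1" | grep -Fq " host/$2@"
}

# Arg: output of "klist". Needs a krbtgt entry that MIT klist has not flagged.
check_tgt() {
    printf '%s\n' "$1" | grep 'krbtgt/' | grep -qv '>>>Expired<<<'
}

# Arg: sshd_config text. sshd honours the first uncommented occurrence of a
# keyword, so the first GSSAPIAuthentication line must say "yes".
check_sshd_config() {
    v=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*GSSAPIAuthentication' \
        | head -n 1 | awk '{print tolower($2)}')
    [ "$v" = "yes" ]
}
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

# Gather real output on this host (assumes MIT krb5 tools, getent, ntpdate).
live_checks() {   # $1 = KDC hostname (assumed argument)
    fqdn=$(hostname -f); ip=$(getent hosts "$fqdn" | awk '{print $1}')
    rev=$(getent hosts "$ip" | awk '{print $2}')
    skew=$(ntpdate -q "$1" | sed -n 's/.*offset \(-*[0-9]*\)\..*/\1/p' | tail -n 1)
    report check_skew "${skew:-999999}"
    report check_dns "$fqdn" "$ip" "$ip" "$rev"
    report check_keytab "$(klist -k)" "$fqdn"
    report check_tgt "$(klist 2>&1)"
    report check_sshd_config "$(cat /etc/ssh/sshd_config)"
}
if [ "${1:-}" = "--live" ]; then live_checks "${2:?usage: --live KDC}"; fi
```

Run it as `sh ssocheck.sh --live kdc.example.com` on the ssh server; any FAIL line points at the layer (time, DNS, keytab, ticket, sshd) that is making sshd fall back to a password prompt.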

Re: [SOLVED] Kerberos SSH SSO

Postby AlanBartlett » 2012/04/13 20:48:33

Thank you for reporting back with details of your solution.

On your behalf (and for posterity) this thread is now marked [SOLVED].
AlanBartlett
Forum Moderator
 
Posts: 8975
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk
