Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2481: How to configure stock SSH for Kerberos

Authentication Service ,  

12 April,16 at 10:31 AM

Applies to: All versions of stock OpenSSH.


How does one configure stock SSH to work with Kerberos?


(Note: This is a high level procedure.)

Make sure that the stock OpenSSH running on the machine does indeed have support for Kerberos by running the following command:

#ldd /usr/sbin/sshd |egrep -i 'krb|kerberos'

If the command returns no output, then stock OpenSSH does not have the support.

If it does, proceed below to configure the ssh server and ssh client for GSSAPI:
  1. Navigate to the folder where sshd is located. Ensure the highlighted line exists.
    # ls -l sshd
    -rwxr-xr-x 1 root root 402320 Mar 31 2010 sshd
    [root@engcen5 sbin]# ldd sshd => /lib64/ (0x00002aca8b445000) => /lib64/ (0x00002aca8b64e000) => /lib64/ (0x00002aca8b859000) => /lib64/ (0x00002aca8ba5e000) => /lib64/ (0x00002aca8bc76000) => /usr/lib64/ (0x00002aca8be8e000) => /lib64/ (0x00002aca8c091000) => /lib64/ (0x00002aca8c3e2000) => /usr/lib64/ (0x00002aca8c5e5000) => /lib64/ (0x00002aca8c7fa000) => /lib64/ (0x00002aca8ca12000) => /lib64/ (0x00002aca8cc4a000) => /usr/lib64/ (0x00002aca8ce60000) => /usr/lib64/ (0x00002aca8d08e000) => /usr/lib64/ (0x00002aca8d323000) => /lib64/ (0x00002aca8d549000) => /usr/lib64/ (0x00002aca8d74b000) => /lib64/ (0x00002aca8da76000)
    /lib64/ (0x00002aca8b228000) => /lib64/ (0x00002aca8ddce000) => /usr/lib64/ (0x00002aca8e014000) => /lib64/ (0x00002aca8e21d000) => /usr/lib64/ (0x00002aca8e41f000) => /usr/lib64/ (0x00002aca8e63c000) => /usr/lib64/ (0x00002aca8e841000) => /usr/lib64/ (0x00002aca8ea44000) => /lib64/ (0x00002aca8ec7e000)
  2. If it is GSSAPI enabled, then the following parameters need to be enabled in sshd_conf:
    • GSSAPIAuthentication yes
    • GSSAPIKeyExchange yes (If supported by Stock OpenSSH)
    • GSSAPICleanupCredentials yes
  3. Restart the sshd server.
  4. Then edit ssh_conf:
    • GSSAPIAuthentication yes
    • GSSAPIKeyExchange yes
    • GSSAPIDelegateCredentials yes

To determine if SSHD is actually using Kerberos, put sshd into debug mode:

/usr/sbin/sshd –ddde

..and try to connect with Kerberos. If Kerberos is enabled, messages like below will be shown:

debug1: userauth-request for user dwirth@OCEAN.NET service ssh-connection method gssapi-keyex [preauth]