KB-2481: How to configure stock SSH for Kerberos

Home >

KB-2481: How to configure stock SSH for Kerberos

Product:

Centrify DirectControl ,

Published:

12 April,16 at 10:31 AM

Rating:

Applies to: All versions of stock OpenSSH.

Question:

How does one configure stock SSH to work with Kerberos?

Answer:

(Note: This is a high level procedure.)

Make sure that the stock OpenSSH running on the machine does indeed have support for Kerberos by running the following command:

#ldd /usr/sbin/sshd |egrep -i 'krb|kerberos'

If the command returns no output, then stock OpenSSH does not have the support.

If it does, proceed below to configure the ssh server and ssh client for GSSAPI:

Navigate to the folder where sshd is located. Ensure the highlighted line exists.

# ls -l sshd
-rwxr-xr-x 1 root root 402320 Mar 31 2010 sshd
[root@engcen5 sbin]# ldd sshd
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002aca8b445000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002aca8b64e000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002aca8b859000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aca8ba5e000)
libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aca8bc76000)
libfipscheck.so.1 => /usr/lib64/libfipscheck.so.1 (0x00002aca8be8e000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aca8c091000)
libutil.so.1 => /lib64/libutil.so.1 (0x00002aca8c3e2000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002aca8c5e5000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002aca8c7fa000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aca8ca12000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aca8cc4a000)

libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aca8ce60000)

libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aca8d08e000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aca8d323000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aca8d549000)
libnss3.so => /usr/lib64/libnss3.so (0x00002aca8d74b000)
libc.so.6 => /lib64/libc.so.6 (0x00002aca8da76000)
/lib64/ld-linux-x86-64.so.2 (0x00002aca8b228000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aca8ddce000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aca8e014000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aca8e21d000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x00002aca8e41f000)
libplc4.so => /usr/lib64/libplc4.so (0x00002aca8e63c000)
libplds4.so => /usr/lib64/libplds4.so (0x00002aca8e841000)
libnspr4.so => /usr/lib64/libnspr4.so (0x00002aca8ea44000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aca8ec7e000)

If it is GSSAPI enabled, then the following parameters need to be enabled in sshd_conf:
- GSSAPIAuthentication yes
- GSSAPIKeyExchange yes (If supported by Stock OpenSSH)
- GSSAPICleanupCredentials yes
Restart the sshd server.
Then edit ssh_conf:
- GSSAPIAuthentication yes
- GSSAPIKeyExchange yes
- GSSAPIDelegateCredentials yes

To determine if SSHD is actually using Kerberos, put sshd into debug mode:

/usr/sbin/sshd –ddde

..and try to connect with Kerberos. If Kerberos is enabled, messages like below will be shown:

debug1: userauth-request for user dwirth@OCEAN.NET service ssh-connection method gssapi-keyex [preauth]

KB-2481: How to configure stock SSH for Kerberos

PLATFORM

COMPANY

SERVICES

SUPPORT

COMMUNITIES

DEVELOPERS

RESOURCES

Related Articles

KB-2481: How to configure stock SSH for Kerberos

Related Articles

PLATFORM

COMPANY

SERVICES

SUPPORT

COMMUNITIES

DEVELOPERS

RESOURCES