Single sign-on with ssh (only unix) - Kerberos


  1. Single sign-on with ssh (only unix)

    Hi,

    I've been banging my head against kerberos for the last few days, and
    I just can't seem to get it working right.

    What I want to do is use kerberos as a central authentication
    database as well as for a single sign on solution for SSH, for our
    system administrators to use.

    Ideally, I want to be able to have a single machine that all our
    admins can log into (either with kerberos credentials or ssh public
    key auth) and then they kinit on that machine once, then they can log
    into any of our servers transparently using kerberos.

    I've been trying to set this up on some test servers, and so far all
    I've managed to do is create a functional kerberos kdc (on Fedora
    Core). I have another FC machine that I configure with 'authconfig'
    to use kerberos - and it works - I can use my kerberos password to
    log into this machine. And on this machine, if I do a klist, I see it
    has a tgt.

    But, I can't ssh from that machine to itself or to another machine -
    ssh is not even looking at the tickets.

    Has anyone got a better step-by-step guide they can point me at?

    Do I need to create individual server principals? How do I do this?
    Do I create sshd/domain principals for ssh? How? How do I log in with
    kadmin on another machine? Where should I store keytabs? Do I need to
    export host keytabs?

    The documentation is all very flimsy. ALL of the documentation that
    I've seen is basically a copy of the MIT stuff, which doesn't really
    explain any of this fully. For example the redhat documentation just
    tells you how to set up a client and a server, but doesn't tell you
    how to get kerberized sshd working, etc.

    Can anyone help?

    Regards,

    Nathan.

    --
    Nathan Ollerenshaw / Systems Engineer
    Systems Engineering
    ValueCommerce Co., Ltd.

    Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
    Tel. +81.3.3817.8995 Fax. +81.3.3812.4051
    mailto:nathan@valuecommerce.co.jp

    "The man who carries a cat by the tail learns something
    that can be learned in no other way." - Mark Twain


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Single sign-on with ssh (only unix)

    Hi,

    Please, can someone help me? Every other kid on the block has
    Kerberos working but me. It's embarrassing. Even my mum has Kerberos
    working and when I ask her for help, she just laughs at me down the
    phone.

    I have 3 machines that I'm testing with.

    dns1.sys.intra: kdc
    monster.sys.intra: a client
    nuts.sys.intra: a client

    I want to be able to kinit on either monster or nuts and then ssh
    without password between the client machines. The OS on the clients
    is FC3 and the server is FC2.

    After installation, I had the following principals:

    K/M@VALUECOMMERCE.COM
    chrome@VALUECOMMERCE.COM
    kadmin/admin@VALUECOMMERCE.COM
    kadmin/changepw@VALUECOMMERCE.COM
    kadmin/history@VALUECOMMERCE.COM
    krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM


    At this point, pam authentication with kerberos works if I go into
    authconfig on the FC3 machines and set the kerberos option to 'on'.
    All this does is create a (bad) krb5.conf file and enable the pam
    entries I think.

    All machines have a 'chrome' account, so when I ssh to monster or
    nuts with my kerberos password, it would work. Using my old password
    also works. Doing a klist on the machine I ssh to shows the tickets:

    Ticket cache: FILE:/tmp/krb5cc_5002
    Default principal: chrome@VALUECOMMERCE.COM

    Valid starting     Expires            Service principal
    06/02/05 17:36:09  06/03/05 17:36:09  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
            renew until 06/02/05 17:36:09

    But this ticket doesn't let me into the other machine. I assumed this
    was due to not having host keys and a bad sshd config, so I then
    installed host principals for the machines involved. First dns1:

    kadmin.local: ank -randkey host/dns1.sys.intra
    WARNING: no policy specified for host/dns1.sys.intra@VALUECOMMERCE.COM; defaulting to no policy
    Principal "host/dns1.sys.intra@VALUECOMMERCE.COM" created.
    kadmin.local: ktadd host/dns1.sys.intra
    Entry for principal host/dns1.sys.intra with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dns1.sys.intra with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dns1.sys.intra with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dns1.sys.intra with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.

    Then monster:

    kadmin.local: ank -randkey host/monster.sys.intra
    WARNING: no policy specified for host/monster.sys.intra@VALUECOMMERCE.COM; defaulting to no policy
    Principal "host/monster.sys.intra@VALUECOMMERCE.COM" created.
    kadmin.local: ktadd
    kadmin.local: ktadd -k /root/monster.sys.intra.keytab host/monster.sys.intra
    Entry for principal host/monster.sys.intra with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/monster.sys.intra.keytab.
    Entry for principal host/monster.sys.intra with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/root/monster.sys.intra.keytab.
    Entry for principal host/monster.sys.intra with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/root/monster.sys.intra.keytab.
    Entry for principal host/monster.sys.intra with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/root/monster.sys.intra.keytab.

    Then nuts:

    kadmin.local: ank -randkey host/nuts.sys.intra
    WARNING: no policy specified for host/nuts.sys.intra@VALUECOMMERCE.COM; defaulting to no policy
    Principal "host/nuts.sys.intra@VALUECOMMERCE.COM" created.
    kadmin.local: ktadd -k /root/nuts.sys.intra.keytab
    Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]
    kadmin.local: ktadd -k /root/nuts.sys.intra.keytab host/nuts.sys.intra
    Entry for principal host/nuts.sys.intra with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
    Entry for principal host/nuts.sys.intra with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
    Entry for principal host/nuts.sys.intra with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
    Entry for principal host/nuts.sys.intra with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/root/nuts.sys.intra.keytab.

    I then scp'd the keytab for monster and nuts over to them and moved
    them to /etc/krb5.keytab.

    And it didn't work. I messed around, turning off GSSAPI, turning off
    KerberosAuthentication and having GSSAPI ... nothing worked.

    Do I need to create service keys? Can anyone tell me what the sshd
    server should be set as?

    Messing about with any of this doesn't have any effect at the moment:

    ChallengeResponseAuthentication yes
    KerberosAuthentication no
    KerberosOrLocalPasswd no
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

    I assume that's because it's using PAM and not sshd's kerberos
    support.

    The Kerberos howtos that I've read go all the way through to setting
    up ktelnet etc but not ssh! I haven't been able to find a single piece
    of documentation on setting up sshd with kerberos tickets with
    forwarding etc. I must be blind.

    Can anyone please help? I'll owe you beer. In fact, if you're in/
    around San Jose in a week's time, I'll even BUY you REAL BEER, not
    this virtual stuff. Honest!

    Regards,

    Nathan.



  3. Re: Single sign-on with ssh (only unix)

    Hi again folks!

    I eventually got it working partially, but I have a question.

    serenity:~ chrome$ klist -f
    Kerberos 5 ticket cache: 'API:Initial default ccache'
    Default principal: chrome@VALUECOMMERCE.COM

    Valid Starting     Expires            Service Principal
    06/03/05 11:56:31  06/03/05 21:56:29  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
            renew until 06/03/05 11:56:31, FPRI
    06/03/05 11:56:37  06/03/05 21:56:29  host/monster.sys.intra@VALUECOMMERCE.COM
            renew until 06/03/05 11:56:31, FPRT
    06/03/05 11:56:43  06/03/05 21:56:29  host/nuts.sys.intra@VALUECOMMERCE.COM
            renew until 06/03/05 11:56:31, FPRT

    klist: No Kerberos 4 tickets in credentials cache
    serenity:~ chrome$ ssh monster.sys.intra
    Last login: Fri Jun 3 12:22:46 2005 from nuts.sys.intra
    [chrome@monster.sys.intra ~]$ ssh nuts.sys.intra
    Last login: Fri Jun 3 12:22:40 2005 from monster.sys.intra
    [chrome@nuts.sys.intra ~]$ ssh monster.sys.intra
    Last login: Fri Jun 3 12:23:21 2005 from 10.0.13.24
    [chrome@monster.sys.intra ~]$ ssh nuts.sys.intra
    Permission denied (gssapi-with-mic).
    [chrome@monster.sys.intra ~]$

    That should work, right? I should be able to go workstation ->
    monster -> nuts -> monster -> nuts -> monster -> etc

    right?

    serenity:~ chrome$ kinit -f
    Please enter the password for chrome@VALUECOMMERCE.COM:
    serenity:~ chrome$ klist -f
    Kerberos 5 ticket cache: 'API:Initial default ccache'
    Default principal: chrome@VALUECOMMERCE.COM

    Valid Starting     Expires            Service Principal
    06/03/05 12:24:57  06/03/05 22:24:54  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
            renew until 06/03/05 12:24:57, FPRI

    klist: No Kerberos 4 tickets in credentials cache
    serenity:~ chrome$ ssh monster.sys.intra
    Last login: Fri Jun 3 12:24:39 2005 from 10.0.13.24
    [chrome@monster.sys.intra ~]$ klist -f
    Ticket cache: FILE:/tmp/krb5cc_500_wG5550
    Default principal: chrome@VALUECOMMERCE.COM

    Valid starting     Expires            Service principal
    06/03/05 12:25:17  06/03/05 22:24:54  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
            renew until 06/03/05 12:24:57, Flags: FfPRT


    Kerberos 4 ticket cache: /tmp/tkt500
    klist: You have no tickets cached
    [chrome@monster.sys.intra ~]$ ssh nuts.sys.intra
    Last login: Fri Jun 3 12:23:24 2005 from monster.sys.intra
    [chrome@nuts.sys.intra ~]$ klist -f
    Ticket cache: FILE:/tmp/krb5cc_5002
    Default principal: chrome@VALUECOMMERCE.COM

    Valid starting     Expires            Service principal
    06/03/05 11:39:57  06/04/05 11:39:57  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
            renew until 06/03/05 11:39:57, Flags: FRI
    06/03/05 11:40:03  06/04/05 11:39:57  host/monster.sys.intra@VALUECOMMERCE.COM
            renew until 06/03/05 11:39:57, Flags: FRT


    Kerberos 4 ticket cache: /tmp/tkt5002
    klist: You have no tickets cached
    [chrome@nuts.sys.intra ~]$ ssh monster.sys.intra
    Last login: Fri Jun 3 12:25:17 2005 from 10.0.13.24
    [chrome@monster.sys.intra ~]$ klist -f
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)


    Kerberos 4 ticket cache: /tmp/tkt500
    klist: You have no tickets cached
    [chrome@monster.sys.intra ~]$

    It seems that after a few hops, I lose the ticket forwarding?

    Regards,

    Nathan.



  4. Re: Single sign-on with ssh (only unix)

    I would not expect you to lose ticket forwarding. Are some of your
    machines set up to forward tickets (gssapidelegatecredentials yes) and
    some not?



  5. Re: Single sign-on with ssh (only unix)

    On Jun 3, 2005, at 2:30 PM, Sam Hartman wrote:

    > gssapidelegatecredentials yes


    That doesn't seem to be an option in my openssh?

    Starting sshd:/etc/ssh/sshd_config: line 76: Bad configuration
    option: GSSAPIDelegateCredentials

    Will I need to grab the source RPM and rebuild to get that option? Am
    running FC3.

    The two machines I am testing between seem to delegate credentials
    however; because I can ssh to one, then to the other then back to the
    first but not back to the second a second time ... so it's working for
    2 hops. But it should work for any number of hops right?

    Regards,

    Nathan.



  6. Re: Single sign-on with ssh (only unix)

    On Jun 3, 2005, at 2:30 PM, Sam Hartman wrote:

    > I would not expect you to lose ticket forwarding. Are some of your
    > machines set up to forward tickets (gssapidelegatecredentials yes) and
    > some not?


    Oh, I see:

    serenity:~ chrome$ ssh -o "gssapidelegatecredentials yes" nuts.sys.intra
    Last login: Fri Jun 3 14:42:02 2005 from 10.0.13.24
    [chrome@nuts.sys.intra ~]$ ssh -o "gssapidelegatecredentials yes" monster.sys.intra
    Last login: Fri Jun 3 13:31:02 2005 from 10.0.13.24
    [chrome@monster.sys.intra ~]$ ssh -o "gssapidelegatecredentials yes" nuts.sys.intra
    Last login: Fri Jun 3 14:50:50 2005 from 10.0.13.24
    [chrome@nuts.sys.intra ~]$ ssh -o "gssapidelegatecredentials yes" monster.sys.intra
    Last login: Fri Jun 3 14:50:54 2005 from nuts.sys.intra
    [chrome@monster.sys.intra ~]$ ssh -o "gssapidelegatecredentials yes" nuts.sys.intra
    Last login: Fri Jun 3 14:51:03 2005 from monster.sys.intra
    [chrome@nuts.sys.intra ~]$ ssh -o "gssapidelegatecredentials yes" monster.sys.intra
    Last login: Fri Jun 3 14:51:03 2005 from nuts.sys.intra
    [chrome@monster.sys.intra ~]$

    Yeah, that works. Thanks!

    I think I will write a howto and post it online for people working
    with FC2/3/Macs/Solaris machines.

    Regards,

    Nathan.

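As an added note on the fix shown in the thread (example configuration, not the thread's own files): GSSAPIDelegateCredentials is a client option, which is why sshd on FC3 rejected it in sshd_config; it belongs in ssh_config, where it is best limited to the hosts you trust with a copy of your TGT, because a host that receives a delegated TGT can act as that principal until the ticket expires. The .sys.intra domain is taken from the thread; everything else is assumed.

```sshconfig
# Client side: /etc/ssh/ssh_config or ~/.ssh/config on the workstation and
# on every intermediate hop (monster, nuts). Example config, not from the
# thread. ssh uses the first value found for each option, so the specific
# Host block must come before "Host *".

# Delegate (forward) the TGT only to the intranet hosts you administer.
# This replaces typing -o "GSSAPIDelegateCredentials yes" on every hop.
Host *.sys.intra
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everywhere else: authenticate with the ticket if the server offers
# GSSAPI, but never hand over the TGT itself.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Server side: /etc/ssh/sshd_config on monster and nuts. sshd has no
# GSSAPIDelegateCredentials option; it accepts whatever delegation the
# client offers and stores the forwarded TGT in a per-login cache
# (the FILE:/tmp/krb5cc_<uid>_XXXXXX seen in klist on the hop).
GSSAPIAuthentication yes
# Remove that per-login cache at logout so a forwarded TGT does not
# outlive the session on the hop.
GSSAPICleanupCredentials yes
```

The TGT being delegated must itself be forwardable (kinit -f, or forwardable = true under [libdefaults] in krb5.conf); the F in the flags column of klist -f confirms it. Without it, delegation silently does not happen and the next hop finds no credentials cache.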

