Kerberizing SSHD configuration questions - SSH



Thread: Kerberizing SSHD configuration questions

  1. Kerberizing SSHD configuration questions

    Is this the correct procedure for implementing Kerberos authentication
    to SSHD? Assuming an SSHD that has been built to support Kerberos.


    Creating a Kerberized SSH Service.
    ------------

    Create a host principal for the SSH server in the Kerberos database.

    Export this server information to a .keytab file and securely copy it
    to the Linux Host server.

    Use krutil command to import the keytab file.

    Configure SSHD to use GSSAPI for authentication.

    Restart SSHD.

    ------------

    I am working with our ADS administrators and they have never done this
    before. Neither have I so I was hoping someone here could help.

    Thanks,
    -Mark


  2. Re: Kerberizing SSHD configuration questions


    > Create a host principal for the SSH server in the Kerberos database.


    You haven't said what KDC you're using.

    > Export this server information to a .keytab file and securely copy it to
    > the Linux Host server.
    >
    > Use krutil command to import the keytab file.


    I'm not sure what this means - if it's a "keytab" file it should be ready
    to use as is. Perhaps you mean using "ktutil" to merge the new principal
    keys into an existing keytab.

    > Configure SSHD to use GSSAPI for authentication
    >
    > Restart SSHD.


    That's the general process, yes, but there are client issues of course --
    the client has to kinit, and usually determine the realm of the server
    (although the Microsoft implementation punts that responsibility to the
    domain controller by means of Kerberos "referrals.")

    --
    Richard Silverman
    res@qoxp.net
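
The checks below are an added example, not part of either post: once the steps discussed in the thread are done, they confirm that `GSSAPIAuthentication` is effectively enabled in sshd_config and that a `klist -k` listing contains the server's host principal. It assumes OpenSSH config syntax and MIT-style `klist -k` output; the host name, realm and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run after the setup steps.
# Assumes OpenSSH sshd_config syntax and MIT-style `klist -k` output.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# first value it reads for a keyword, keywords are case-insensitive, and
# "Keyword=value" is accepted. Parsing stops at the first Match block.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); exit }
    ' "$2"
}

# Succeed if `klist -k` output on stdin lists host/FQDN@REALM.
keytab_has_host() {  # usage: klist -k /etc/krb5.keytab | keytab_has_host FQDN REALM
    awk -v p="host/$1@$2" '$2 == p { found = 1 } END { exit !found }'
}

# Both checks together; prints "ok" and returns 0 only if both pass.
check_kerberized_sshd() {  # usage: check_kerberized_sshd CONFIG KLIST_OUTPUT FQDN REALM
    [ "$(sshd_effective GSSAPIAuthentication "$1")" = "yes" ] ||
        { echo "GSSAPIAuthentication is not effectively 'yes' in $1"; return 1; }
    keytab_has_host "$3" "$4" < "$2" ||
        { echo "no host/$3@$4 key in keytab listing"; return 1; }
    echo "ok"
}

# Constructed sample inputs (hypothetical host server.example.com).
make_samples() {  # usage: make_samples DIR
    printf '%s\n' '# good' 'GSSAPIAuthentication yes' \
        'Match User backup' '    GSSAPIAuthentication no' > "$1/good.conf"
    # An earlier "no" shadows the later "yes": GSSAPI stays disabled.
    printf '%s\n' 'gssapiauthentication no' 'GSSAPIAuthentication yes' \
        > "$1/shadowed.conf"
    printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' 'KVNO Principal' \
        '---- ----------' '   2 host/server.example.com@EXAMPLE.COM' > "$1/klist.txt"
}

d=$(mktemp -d) && make_samples "$d"
check_kerberized_sshd "$d/good.conf" "$d/klist.txt" server.example.com EXAMPLE.COM
check_kerberized_sshd "$d/shadowed.conf" "$d/klist.txt" server.example.com EXAMPLE.COM || true
rm -rf "$d"
```

On a real server, feed `keytab_has_host` the output of `klist -k` on the keytab sshd reads, and run `sshd -t` before restarting to catch syntax errors.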

