Actions: | Security

AllGoodBits.org

Navigation: Home | Services | Tools | Articles | Other

Single Sign On with OpenSSH and Kerberos

From a convenience perspective, I want to authenticate as infrequently as possible. However, security requirements suggest that I should be authenticated for all sorts of services. This means that Single Sign On and forwardable authentication credentials would be useful.

Within an individual organisation at least, it is useful and fairly straightforward to have centralised control for authentication services. More and more authorisation and applications services are able to use centralised authentication services such as Kerberos.

This document will demonstrate how to configure a machine running OpenSSH server to use GSSAPI so that users can log in if they have authorised kerberos tickets. This is not the place for extensive explanations about tickets or how to set up the Key Distribution Center(KDC) in the first place or how to build or install the necessary software on various different unixlike systems. Likely, your distribution's package management system can provide you with what you need.

Kerberos

All destination machines should have /etc/krb5.conf modified to allow forwardable tickets:

[libdefaults]
    default_realm = ALLGOODBITS.ORG
    forwardable = TRUE
[realms]
    ALLGOODBITS.ORG = {
                    kdc = kerberos.allgoodbits.org
                    }

Using kadmin, create a principal for a user:

kadmin> ank <username>@<REALM>

Here the process differs depending upon whether you're using MIT Kerberos (probably) or Heimdal.

MIT

Create a principal for the host:

kadmin> ank -randkey host/<FQDN>@<REALM>

Extract the key for the host principal to a keytab file and locate it correctly on the ssh server:

kadmin> ktadd -k /tmp/<FQDN>.keytab host/<FQDN>

Heimdal

Create a principal for the host:

kadmin> ank -r host/<FQDN>@<REALM>

Extract the key for the host principal to a keytab file and locate it correctly on the ssh server:

kadmin> ext -k /tmp/<FQDN>.keytab host/<FQDN>@<REALM>

SSH

Then we need to take the keytab file into which you extracted the key for the host principal and copy it to the location on the ssh server where sshd will look for it, probably /etc/krb5.keytab.

We need to configure sshd_config(5). The important options start with GSSAPI, not to be confused with the Kerberos options which are merely for KDC-validated password authentication; the GSSAPI method allows authentication and login based upon existing tickets. In other words, the "Kerberos" method requires you to enter your password (again), GSSAPI will allow login based on upon the tickets you already have.

sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PermitRootLogin without-password

ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

PAM

Linux Pluggable Authentication Modules(PAM) provide a common framework for authentication/authorisation for applications.

/etc/pam.d/common-account:

account sufficient      pam_krb5.so     use_first_pass

/etc/pam.d/common-auth:

auth    sufficient      pam_krb5.so     use_first_pass

/etc/pam.d/common-password:

password        sufficient      pam_krb5.so

/etc/pam.d/common-session:

session optional      pam_krb5.so

This is sufficient to allow OpenAFS based home directories because although AFS uses Kerberosv4, MIT Kerberos does 5 to 4 ticket conversion on the fly.

Troubleshooting