OpenSSH uses GSS-API to authenticate users to servers if the client’s and server’s configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user’s credentials are made available on the remote system.

#grep "GSS*" /etc/ssh/sshd_config

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

#service  sshd restart

From the ssh server, log in as the Kerberos administrator:

#kadmin root/admin

Authenticating as principal root/admin@SATHISH.COM with password:
Password for root/admin@SATHISH.COM:

Create a principal for the host arthar2.sathish.com:

kadmin: addprinc host/arthar2.sathish.com

Create a keytab file for the ssh server:

kadmin: ktadd -k /etc/krb5.keytab host/arthar2.sathish.com

Entry for principal host/arthar2.sathish.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/arthar2.sathish.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/arthar2.sathish.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/arthar2.sathish.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/arthar2.sathish.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/arthar2.sathish.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

#klist -k -t /etc/krb5.keytab

Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/07/13 12:28:47 host/arthar2.sathish.com@SATHISH.COM
   3 05/07/13 12:28:47 host/arthar2.sathish.com@SATHISH.COM
   3 05/07/13 12:28:48 host/arthar2.sathish.com@SATHISH.COM
   3 05/07/13 12:28:48 host/arthar2.sathish.com@SATHISH.COM
   3 05/07/13 12:28:48 host/arthar2.sathish.com@SATHISH.COM
   3 05/07/13 12:28:48 host/arthar2.sathish.com@SATHISH.COM

Now you should be able to log in from a client as follows. Note that you do not have to enter your password on the ssh server, because the ticket obtained from the KDC is used instead.

#kinit arthar2
Password for arthar2@SATHISH.COM:

As the user arthar2 on the client, log in to the ssh server arthar2.sathish.com; no password prompt appears:

#ssh arthar2.sathish.com

After logging in to the ssh server, run klist to view the ticket information:

#klist

Ticket cache: FILE:/tmp/krb5cc_500_zuizV31780

Default principal: arthar2@SATHISH.COM

Valid starting     Expires            Service principal
05/07/12 10:55:23  05/08/12 10:54:42  krbtgt/SATHISH.COM@SATHISH.COM

It is interesting to note that once you have logged off the ssh server, a host ticket remains cached.
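As an added example (not part of the original post), here is a small POSIX shell audit of the sshd_config settings from the first step. It reads a constructed sample config rather than /etc/ssh/sshd_config, and the function names sshd_effective and gssapi_audit are my own. It exists because sshd honours the first uncommented occurrence of a keyword, so a stray "GSSAPIAuthentication no" above the edited block would silently win over the "yes" added later.

```shell
# Added example, not from the original post: audit the effective GSSAPI
# settings in an sshd_config. sshd uses the FIRST uncommented occurrence
# of a keyword, so a stray "GSSAPIAuthentication no" placed above the
# edited block would silently override the "yes" added below it.

# Print the effective value of keyword $2 in config file $1 (first match
# wins, keywords are case-insensitive); fall back to default $3 if absent.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ { next }                            # skip comments
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Check that a config matches what this walkthrough expects: GSSAPI auth on,
# credential-cache cleanup on, strict acceptor check left on. Each entry is
# keyword:expected:sshd-default. Returns 0 if all match, 1 otherwise.
gssapi_audit() {
    cfg=$1; rc=0
    for spec in GSSAPIAuthentication:yes:no \
                GSSAPICleanupCredentials:yes:yes \
                GSSAPIStrictAcceptorCheck:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$cfg" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "ok   $key=$got"
        else
            echo "WARN $key=$got (expected $want)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the post's snippet with an extra stray "no" on top.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
GSSAPIAuthentication no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
EOF
gssapi_audit "$SAMPLE" || echo "audit failed: remove the duplicate keyword"
rm -f "$SAMPLE"
```

Run it against the real file with gssapi_audit /etc/ssh/sshd_config after editing; a WARN line means the value sshd actually uses differs from the one you intended.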