skip navigation

Content:: Kerberos SSH Integration

Configuring SSH and PAM to use Kerberos authentication
Last Modified: 2013-02-06
Kerberos is a ticket based authentication protocol which can be tied into the basic authentication on a Linux system. Our example will allow us to link our systems authentication to the UC Davis kerberos ticketing system.

Table of Contents
Installing Kerberos Clients
Installing the Kerberos Client Configurations # apt-get install krb5-config krb5-clients krb5-user libpam-krb5
	krb5-config - Configuration files for Kerberos Version 5
	krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
	krb5-user - Basic programs to authenticate using MIT Kerberos
	libpam-krb5 - PAM module for MIT Kerberos
Installing SSH Kerberos Client *note you can install this without the configurations. The client will use local PAM usernames and passwords. apt-get install ssh-krb5
Configuring Kerberos to work with the campus
We'll move the original kerberos configuration to another file and create a new configuration file. # mv /etc/krb5.conf /etc/krb5.conf.orig Edit the configuration file. # nano /etc/krb5.conf *The kerberos realms are case sensitive and when set to I believe it will look the DNS address of to find the kerberos servers. As the DNS address is not an FQN or something we'll capitalize it so it checks for the realms in our configuration.
	default_realm = UCDAVIS.EDU
		kdc =
		kdc =
		kdc =
		default_domain =
[domain_realm] = UCDAVIS.EDU = UCDAVIS.EDU
Installing an NTP client
Kerberos tickets will fail if the system date and time are far off from the Kerberos ticket server. To ensure we don't run into this problem we can simply install an NTP client on our system. # apt-get install ntp
Testing our kerberos configurations
We will now test our configuration to see if we did it right. # kinit <user name> we should see a password prompt -
Password for <username>@UCDAVIS.EDU:
Error message (this will occur if we do all lowercase for realm and default realm, and is a probably error for connectivity issues).-
kinit: Client not found in Kerberos database while getting initial credentials
We can see if we authenticated with klist # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@UCDAVIS.EDU

Valid starting     Expires            Service principal
03/23/11 13:51:56  03/24/11 01:51:56  krbtgt/UCDAVIS.EDU@UCDAVIS.EDU
	renew until 03/24/11 13:49:57
We can clean out the kerberos tickets by using the kdestroy command. # kdestroy
Creating an SSH user
The installation files configured how PAM interacts with kerm.d configuration files for more information. Primarily the common-account, common-auth, common-password files.

We can create SSH users and allow them to authenticate. -d change home dir to input, -m create directory, -c comment, -g group (junking -g krbauth cause hmm..) # useradd -c "Kerberos User" -d /home/users/<username> -m -s /bin/bash <username> If we want to remove the user at a later time we can run # deluser <username>
We will not be adding a password, viewing the shadow file # less /etc/shadow should show the user with a blank password by displaying an exclamation mark after the user name.
Test logging into the system. # ssh -l <username> As you have never connected to this system it will not be in the fingerprint list.
The authenticity of host ' (' can't be established.
RSA key fingerprint is e2:18:98:f3:92:25:ef:8f:ab:7a:ed:52:fc:d3:fb:8c.
Are you sure you want to continue connecting (yes/no)? yes
At the password prompt enter your password
Warning: Permanently added '' (RSA) to the list of known hosts.
<username>@'s password:
type "exit" to leave the session.
Changing Local Passwords
Running the passwd command will prompt to change the kerberos password.
If we want to change the password for a user we will have to do it manually.

First we need to install the makepasswd program # apt-get install makepasswd Next we will run a command to generate the password echo <password> | makepasswd --clearfrom=- --crypt-md5 |awk '{print $2}' the output should look similar to
*if the output is blank it may be because your password is longer than what the makepasswd output expects. Remove the awk and find the $1$ as a reference in the string.
We will now copy and paste that string to the shadow file. # nano /etc/shadow Locate the user in the shadow file and replace the ! with the password string