Kerberized ssh

If you have Kerberos properly installed, you will be able to use "kinit <principal>" to get tickets. Once that is working, you can use those tickets to log in to some hosts without using passwords or public keys.

CentOS

You will need to install Kerberos and its PAM module:

    yum -y install krb5-workstation pam_krb5
    authconfig --enablekrb5 --update

Setup ssh config

  1. Edit your /etc/ssh/ssh_config and make sure these settings are enabled somewhere under the "Host *" entry:
       ForwardX11 yes
       ForwardX11Trusted yes
       GSSAPIAuthentication yes
       GSSAPIDelegateCredentials yes
       GSSAPITrustDNS yes
    
  2. Even better, put those lines in your ~/.ssh/config like so:
    Host *
    #   ForwardAgent no
    #   ForwardX11 no
        ForwardX11Trusted yes
    #   RhostsRSAAuthentication no
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes
        GSSAPITrustDNS yes
        SendEnv LANG LC_*
        HashKnownHosts yes
    
  3. Run "kinit".
  4. Try ssh-ing to a host that has been set up for this. It must have a valid Kerberos srvtab and DNS to work properly.

Giving access to an account different from your username

If you want to allow ssh access to an account whose name differs from your own username (for instance, root):
  1. Go to that user's home directory.
  2. Create or edit a .k5login file in that home directory.
  3. Put the list of principals that should have access in that file (one per line).
  4. Run kinit to get tickets.
  5. Test with "ssh username@host" and see if it works.
  6. This will also enable the ksu command to give you access when you are logged in locally.
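
Every principal listed in a .k5login can log in as that account, so the file deserves a review before it goes onto root. The following shell function is an added example, not part of the original page: the realm EXAMPLE.ORG, the sample principals, the function names and the checks themselves (regular file, not writable by group or other, every principal in one expected realm) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): review a .k5login before trusting it.
# Usage: audit_k5login /root/.k5login EXAMPLE.ORG
#   $1 = path to a .k5login, one principal per line
#   $2 = the only realm principals are expected to come from (assumed policy)
# Prints one finding per line; returns 0 if nothing was flagged, 1 otherwise.
audit_k5login() {
    file=$1 realm=$2 bad=0

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FLAG not-a-regular-file $file"
        return 1
    fi

    # Anyone who can write this file can add their own principal to it.
    perms=$(ls -ld -- "$file" | cut -c1-10)
    case $perms in
        ?????w????|????????w?)
            echo "FLAG writable-by-group-or-other $perms"
            bad=1 ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace and skip blank lines.
        p=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$p" ] && continue
        case $p in
            *[[:space:]]*|*@*@*|@*|*@) echo "FLAG malformed '$p'"; bad=1 ;;
            *@"$realm")                echo "OK $p" ;;
            *@*)                       echo "FLAG foreign-realm $p"; bad=1 ;;
            *)                         echo "FLAG no-realm '$p'"; bad=1 ;;
        esac
    done < "$file"

    return $bad
}

# Constructed sample input: two principals in the expected realm,
# one from another realm, and one line that is not a principal at all.
make_sample() {
    printf '%s\n' 'jdoe@EXAMPLE.ORG' 'jdoe/root@EXAMPLE.ORG' \
        'mallory@OTHER.EXAMPLE' 'not a principal' > "$1"
    chmod 600 "$1"
}
```

Run it against each account's .k5login after editing the file, and treat any FLAG line as something to resolve before testing the ssh login.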

Updated by Joseph Foley over 9 years ago · 1 revisions