Kerberized ssh » History » Version 1
Joseph Foley, 2015-09-05 02:45
h1. Kerberized ssh

If you have Kerberos properly installed, you will be able to use @kinit <principal>@ to get tickets. Once that is working, you can use those tickets to log in to some hosts without using passwords or public keys.

h2. CentOS

You will need to install the Kerberos client tools and the Kerberos PAM module, then enable Kerberos in the system authentication configuration:

<pre>
yum -y install krb5-workstation pam_krb5
authconfig --enablekrb5 --update
</pre>

h2. Setup ssh config

# Edit your @/etc/ssh/ssh_config@ and make sure it has these settings enabled somewhere under the "Host *" entry:
<pre>
ForwardX11 yes
ForwardX11Trusted yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDNS yes
</pre>
# Even better, put those lines in your @~/.ssh/config@ like so:
<pre>
Host *
#   ForwardAgent no
#   ForwardX11 no
    ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
    SendEnv LANG LC_*
    HashKnownHosts yes
</pre>
# Run @kinit@
# Try ssh-ing to a host that has been set up for this. It must have a valid Kerberos srvtab (keytab) and correct DNS to work properly.

h2. Giving access to an account different from your username

If you want to allow ssh access to an account whose name differs from your principal (for instance @root@):
# Go to the user's home directory
# Create or edit a @.k5login@ file in that home directory
# Put the list of principals that should have access in that file (one per line)
# @kinit@ to get tickets
# Test with @ssh username@host@ and see whether it works
# This will also enable the @ksu@ command to give you access when you are logged in locally
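The @.k5login@ steps above, as an added shell example that is not part of this wiki page: it writes the file for a target home directory with restrictive permissions, lints every entry for a realm, and tests whether a given principal is listed. The function names, the sample principals and the @EXAMPLE.COM@ realm are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes MIT Kerberos semantics:
# .k5login holds one full principal (user@REALM) per line and must be a
# regular file owned by the account (or root), otherwise krb5_kuserok()
# ignores it and only "principal == local username in the default realm"
# logins succeed. Every principal listed in /root/.k5login gets root, so
# keep that list short and reviewed.

# k5login_write DIR PRINCIPAL...  -> (re)creates DIR/.k5login, mode 0600
k5login_write() {
    dir=$1; shift
    umask 077
    : > "$dir/.k5login"
    for p in "$@"; do
        printf '%s\n' "$p" >> "$dir/.k5login"
    done
    chmod 0600 "$dir/.k5login"
}

# k5login_add FILE PRINCIPAL -> appends PRINCIPAL unless already present
k5login_add() {
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# k5login_check FILE -> 0 if every non-blank line is user@REALM with an
# upper-case realm (realms are case-sensitive; upper case is the convention),
# otherwise reports the offending line on stderr and returns 1
k5login_check() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        case "$line" in
            *@*) ;;
            *) echo "no realm: $line" >&2; return 1 ;;
        esac
        realm=${line##*@}
        case "$realm" in
            *[a-z]*) echo "realm not upper-case: $line" >&2; return 1 ;;
        esac
    done < "$file"
    return 0
}

# k5login_allows FILE PRINCIPAL -> 0 if PRINCIPAL is listed (exact match,
# which is how the principal comparison behaves for canonical names)
k5login_allows() {
    grep -qxF "$2" "$1"
}
```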