5.10 Configure Kerberos Server and Client Authentication

Kerberos can be used for mutual authentication (both client and server), or for client authentication only.

  • When the authentication method is gssapi-keyex, both server and client authentication occur during the key exchange portion of the connection negotiations. If this authentication fails, the connection fails; no subsequent authentication methods are attempted.

  • When the authentication method is gssapi-with-mic, Kerberos is not used for server authentication. Client authentication using Kerberos is attempted after successful server authentication. If Kerberos authentication fails, other allowed authentication methods are tried.

Here's a quick summary of the important steps. The details are explained in the procedures that follow.

  1. Configure connections to the KDC.

    • Add the host principal and install a keytab file on the Secure Shell server host.

    • Add client user principals.

  2. Configure the AllowedAuthentications in the server configuration file (as needed).

  3. Configure AllowedAuthentications and GSSAPIDelegateCredentials in the client configuration file (as needed).

  4. Authenticate the client user to the KDC using kinit before you make a Secure Shell connection.

To configure connections to the KDC

  1. Log in to your Secure Shell server.

  2. Confirm that the server is configured to authenticate to your Kerberos realm. If not, install a correctly configured krb5.conf file.

  3. Authenticate to your Kerberos realm using a principal with administrative rights:

    kinit root/admin
  4. Launch the Kerberos administration utility:

    /usr/krb5/sbin/kadmin
  5. Add a host principal for this server. For example, to add the host myhost.sample.com:

    addprinc -randkey host/myhost.sample.com
  6. Extract a keytab file for this server:

    ktadd host/myhost.sample.com
  7. Add a principal for each client user. For example, to add Joe:

    addprinc joe

To configure Secure Shell settings on the server

  1. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.

  2. Edit the AllowedAuthentications keyword:

    To

    Use

    Authenticate both the server and the client using Kerberos

    AllowedAuthentications=gssapi-keyex

    Authenticate only the client using Kerberos

    AllowedAuthentications=gssapi-with-mic

To configure the client

  1. Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.

  2. Edit the AllowedAuthentications keyword:

    To

    Use

    Authenticate both the server and the client using Kerberos

    AllowedAuthentications=gssapi-keyex

    Authenticate only the client using Kerberos

    AllowedAuthentications=gssapi-with-mic

  3. (Optional) Edit the GSSAPIDelegateCredentials keyword if you want to enable ticket forwarding:

    GSSAPIDelegateCredentials=Yes

To obtain Kerberos credentials

Before you can connect to the Secure Shell server, you need to obtain your Kerberos credentials.

  1. Use kinit to authenticate.

    kinit -f

    NOTE:The -f option is not required. This option requests a forwardable ticket. If ticket forwarding has been enabled (using GSSAPIDelegateCredentials) this ticket is forwarded to the server. This means that you can access other kerberized applications without having to obtain additional Kerberos credentials.

  2. Enter your password for the Kerberos KDC.