A way to automatically get a ticket through ssh for a local user

Mauro Cazzari
I've been trying to figure out whether there is a way for a local user on
Unix to automatically get a ticket when logging onto a server using ssh.
Keep in mind that the KDC being used doesn't interface with LDAP, but it's
rather a standalone KDC. After having added a principal to the KDC for a
test id, I was able to log on to the ssh server and see that a ticket had
been acquired. However, any subsequent logons to other ssh servers generate
no tickets at all. For completeness, the first logon asks for a password,
whereas the others don't. If I force the use of a password for the other
logons, then a ticket gets regularly generated. Ideally, I'd like to ssh
from one server to another getting a new ticket every time.
These are the current settings I have in ssh_config:
Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes
These are my settings in sshd_config:
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes

UsePAM yes
Is there anything else that needs to be set in order for tickets to be
automatically generated following an ssh to a server?
Thanks!
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: A way to automatically get a ticket through ssh for a local user

Brandon Allbery
On 7/14/16, 17:32, "[hidden email] on behalf of Mauro Cazzari" <[hidden email] on behalf of [hidden email]> wrote:

    # Kerberos options
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes
   
   
I would turn these off; they refer to an older Kerberos API in ssh and may interfere with GSSAPI.

The others look correct. Note that if it is using public key authentication to get to the next server, it will not use the Kerberos code and therefore won't forward (delegate) credentials to the next server. (Also note that if there are other matching Host blocks, the "Host *" block in ssh_config won't be used.)


Re: A way to automatically get a ticket through ssh for a local user

Benjamin Kaduk-2
In reply to this post by Mauro Cazzari
On Thu, 14 Jul 2016, Mauro Cazzari wrote:

> I've been trying to figure out whether there is a way for a local user on
> Unix to automatically get a ticket when logging onto a server using ssh.

This terminology is sufficiently vague that I'm not entirely sure what
behavior you actually want.

By "ticket", do you mean "fresh TGT", "service ticket for
host/<ssh-server>", or something else?

Do you expect the local user to have to enter a password when logging into
the server?

> Keep in mind that the KDC being used doesn't interface with LDAP, but it's
> rather a standalone KDC. After having added a principal to the KDC for a
> test id, I was able to log on to the ssh server and see that a ticket had
> been acquired. However, any subsequent logons to other ssh servers generate
> no tickets at all. For completeness, the first logon asks for a password,
> whereas the others don't. If I force the use of a password for the other
> logons, then a ticket gets regularly generated. Ideally, I'd like to ssh

This sounds consistent with pam_krb5 being in the stack on the server,
since it can use the supplied password to obtain a TGT for the ensuing
session.  (But is it what you want?)

> from one server to another getting a new ticket every time.
> These are the current settings I have in ssh_config:
> Host *
>         GSSAPIAuthentication yes
>         GSSAPIDelegateCredentials yes
>         GSSAPIKeyExchange yes
> These are my settings in sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes

As Brandon said, these are old/deprecated and it is unusual for them to be
the desired configuration.  But I don't know enough about what you want in
order to be able to say that for sure.

-Ben

> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> UsePAM yes
> Is there anything else that needs to be set in order for tickets to be
> automatically generated following an ssh to a server?
> Thanks!
Re: A way to automatically get a ticket through ssh for a local user

Diogenes S. Jesus
In reply to this post by Mauro Cazzari
Hi

Apart from what the others said, don't forget your sshd server must have
"GSSAPIAuthentication yes" on your sshd_config - the default is no.

Dio

On Thu, Jul 14, 2016 at 11:32 PM, Mauro Cazzari <[hidden email]> wrote:
-- 
Diogenes S. de Jesus
Re: A way to automatically get a ticket through ssh for a local user

Mark Pröhl
In reply to this post by Brandon Allbery
On 07/15/2016 12:25 AM, Brandon Allbery wrote:

> On 7/14/16, 17:32, "[hidden email] on behalf of Mauro Cazzari" <[hidden email] on behalf of [hidden email]> wrote:
>
>     # Kerberos options
>     KerberosAuthentication yes
>     KerberosOrLocalPasswd yes
>     KerberosTicketCleanup yes
>     #KerberosGetAFSToken no
>     #KerberosUseKuserok yes
>    
>    
> I would turn these off; they refer to an older Kerberos API in ssh and may interfere with GSSAPI.
>
> The others look correct. Note that if it is using public key authentication to get to the next server, it will not use the Kerberos code and therefore won’t forward (delegate) credentials to the next server. (Also note that if there are other matching Host blocks, the “Host *” block in ssh_config won’t be used.
>
>

and remember that tickets need to be flagged as forwardable (i.e. "kinit
-f ..." or by setting "forwardable = true" in /etc/krb5.conf,
[libdefaults])
Re: A way to automatically get a ticket through ssh for a local user

Brandon Allbery
In reply to this post by Benjamin Kaduk-2
Last time I looked at the openssh source code, turning them on could interfere with the GSSAPI code: notably, it could cause the “old style” ticket forwarding hack to be attempted instead of GSSAPI credential delegation, which will fail with GSSAPI credentials.

On 7/15/16, 01:39, "[hidden email] on behalf of Benjamin Kaduk" <[hidden email] on behalf of [hidden email]> wrote:

    >KerberosAuthentication yes
    >KerberosOrLocalPasswd yes
    >KerberosTicketCleanup yes
    >#KerberosGetAFSToken no
    >#KerberosUseKuserok yes
   
    As Brandon said, these are old/deprecated and it is unusual for them to be
    the desired configuration.  But I don't know enough about what you want in
    order to be able to say that for sure.


Re: A way to automatically get a ticket through ssh for a local user

Diogenes S. Jesus
I've recently encountered this "limitation" when trying to bootstrap
systems to use SSSD+GSSAPI (Kerberos) when they are first provisioned using
an ssh key (e.g. OpenStack).
Once you go pubkey, GSSAPI cred forwarding isn't available in this
context, and that's a bit frustrating, but that's the way things are.

On Sat, Jul 16, 2016 at 2:26 AM, Brandon Allbery <[hidden email]>
wrote:
-- 
Diogenes S. de Jesus
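The thread assembles a checklist for delegation to work: a forwardable TGT (Mark), GSSAPIAuthentication and GSSAPIDelegateCredentials in a Host block that actually matches (Brandon), GSSAPIAuthentication yes on the sshd side (Dio), the older Kerberos* sshd options off (Brandon), and no delegation at all after public-key authentication (Brandon, Dio). The preflight below walks that checklist; it is an added example, not code from the thread, and the klist listing, the two configs, the host names and the function names are constructed.

```python
from fnmatch import fnmatch

# Constructed sample inputs (not from the thread): an MIT `klist -f` listing,
# the poster's ssh_config, and a trimmed sshd_config with the old option left on.
KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testid@EXAMPLE.COM
Valid starting       Expires              Service principal
07/14/2016 17:32:00  07/15/2016 03:32:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
"""
SSH_CONFIG = "Host *\n\tGSSAPIAuthentication yes\n\tGSSAPIDelegateCredentials yes\n"
SSHD_CONFIG = "KerberosAuthentication yes\n#GSSAPIAuthentication no\nGSSAPIAuthentication yes\nUsePAM yes\n"

def tgt_flags(klist_output):
    """Flags of the krbtgt ticket in `klist -f` output ('F' means forwardable)."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "krbtgt/" in line and lines[i + 1].strip().startswith("Flags:"):
            return lines[i + 1].split(":", 1)[1].strip()
    return ""

def first_value(config, option, host="*"):
    """Value ssh/sshd would use: both take the first matching occurrence, so
    Host block order matters. sshd_config has no Host lines, so all lines match."""
    patterns = ["*"]  # options before any Host line apply to every host
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            patterns = value.split()
        elif key.lower() == option.lower() and any(fnmatch(host, p) for p in patterns):
            return value.strip()
    return None

def delegation_findings(klist_output, ssh_config, sshd_config, host, auth_method):
    """Reasons GSSAPI credential delegation to `host` would not happen."""
    findings = []
    if auth_method != "gssapi-with-mic":  # e.g. "publickey" skips the GSSAPI code path
        findings.append("authenticated with %s, not GSSAPI: nothing is delegated" % auth_method)
    if "F" not in tgt_flags(klist_output):
        findings.append("TGT is not forwardable (use kinit -f or forwardable = true)")
    for opt in ("GSSAPIAuthentication", "GSSAPIDelegateCredentials"):
        if first_value(ssh_config, opt, host) != "yes":
            findings.append("client %s is not yes for %s" % (opt, host))
    if first_value(sshd_config, "GSSAPIAuthentication") != "yes":
        findings.append("server GSSAPIAuthentication is not yes (the default is no)")
    if first_value(sshd_config, "KerberosAuthentication") == "yes":
        findings.append("server KerberosAuthentication yes: older API, may interfere with GSSAPI")
    return findings
```

Run `delegation_findings(KLIST, SSH_CONFIG, SSHD_CONFIG, "server2", "publickey")` to see the two findings the poster's setup would produce once a second hop goes over a key instead of GSSAPI.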