Single sign-on with ssh (only unix)

Single sign-on with ssh (only unix)

Nathan Ollerenshaw
Hi,

I've been banging my head against kerberos for the last few days, and  
I just can't seem to get it working right.

What I want to do is use kerberos as a central authentication  
database as well as for a single sign on solution for SSH, for our  
system administrators to use.

Ideally, I want to be able to have a single machine that all our  
admins can log into (either with kerberos credentials or ssh public  
key auth) and then they kinit on that machine once, then they can log  
into any of our servers transparently using kerberos.

I've been trying to set this up on some test servers, and so far all  
I've managed to do is create a functional kerberos kdc (on Fedora  
Core). I have another FC machine that I configure with 'authconfig'  
to use kerberos - and it works - I can use my kerberos password to  
log into this machine. And on this machine, if I do a klist, I see it  
has a tgt.

But, I can't ssh from that machine to itself or to another machine -  
ssh is not even looking at the tickets.

Has anyone got a better step-by-step guide they can point me at?

Do I need to create individual server principals? How do I do this?  
Do I create sshd/domain principals for ssh? How? How do I log in with  
kadmin on another machine? Where should I store keytabs? Do I need to  
export host keytabs?

The documentation is all very flimsy. ALL of the documentation that  
I've seen is basically a copy of the MIT stuff, which doesn't really  
explain any of this fully. For example the redhat documentation just  
tells you how to set up a client and a server, but doesn't tell you  
how to get kerberized sshd working, etc.

Can anyone help?

Regards,

Nathan.

--
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.

Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995   Fax. +81.3.3812.4051
mailto:[hidden email]

  "The man who carries a cat by the tail learns something
  that can be learned in no other way." - Mark Twain


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Single sign-on with ssh (only unix)

Nathan Ollerenshaw
Hi,

Please, can someone help me? Every other kid on the block has  
Kerberos working but me. It's embarrassing. Even my mum has Kerberos  
working and when I ask her for help, she just laughs at me down the  
phone. :(

I have 3 machines that I'm testing with.

dns1.sys.intra: kdc
monster.sys.intra: a client
nuts.sys.intra: a client

I want to be able to kinit on either monster or nuts and then ssh  
without password between the client machines. The OS on the clients  
is FC3 and the server is FC2.

After installation, I had the following principals:

K/[hidden email]
[hidden email]
kadmin/[hidden email]
kadmin/[hidden email]
kadmin/[hidden email]
krbtgt/[hidden email]


At this point, pam authentication with kerberos works if I go into  
authconfig on the FC3 machines and set the kerberos option to 'on'.  
All this does is create a (bad) krb5.conf file and enable the pam  
entries I think.

All machines have a 'chrome' account, so when I ssh to monster or  
nuts with my kerberos password, it would work. Using my old password  
also works. Doing a klist on the machine I ssh to shows the tickets:

Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: [hidden email]

Valid starting     Expires            Service principal
06/02/05 17:36:09  06/03/05 17:36:09  krbtgt/
[hidden email]
         renew until 06/02/05 17:36:09

But this ticket doesn't let me into the other machine. I assumed this  
was due to not having host keys and a bad sshd config, so I then  
installed host principals for the machines involved. First dns1:

kadmin.local:  ank -randkey host/dns1.sys.intra
WARNING: no policy specified for host/
[hidden email]; defaulting to no policy
Principal "host/[hidden email]" created.
kadmin.local:  ktadd host/dns1.sys.intra
Entry for principal host/dns1.sys.intra with kvno 3, encryption type  
Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/
krb5.keytab.
Entry for principal host/dns1.sys.intra with kvno 3, encryption type  
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dns1.sys.intra with kvno 3, encryption type  
DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dns1.sys.intra with kvno 3, encryption type  
DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.

Then monster:

kadmin.local:  ank -randkey host/monster.sys.intra
WARNING: no policy specified for host/
[hidden email]; defaulting to no policy
Principal "host/[hidden email]" created.
kadmin.local:  ktadd
kadmin.local:  ktadd -k /root/monster.sys.intra.keytab host/
monster.sys.intra
Entry for principal host/monster.sys.intra with kvno 3, encryption  
type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/
monster.sys.intra.keytab.
Entry for principal host/monster.sys.intra with kvno 3, encryption  
type ArcFour with HMAC/md5 added to keytab WRFILE:/root/
monster.sys.intra.keytab.
Entry for principal host/monster.sys.intra with kvno 3, encryption  
type DES with HMAC/sha1 added to keytab WRFILE:/root/
monster.sys.intra.keytab.
Entry for principal host/monster.sys.intra with kvno 3, encryption  
type DES cbc mode with RSA-MD5 added to keytab WRFILE:/root/
monster.sys.intra.keytab.

Then nuts:

kadmin.local:  ank -randkey host/nuts.sys.intra
WARNING: no policy specified for host/
[hidden email]; defaulting to no policy
Principal "host/[hidden email]" created.
kadmin.local:  ktadd -k /root/nuts.sys.intra.keytab
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -
glob princ-exp] [...]
kadmin.local:  ktadd -k /root/nuts.sys.intra.keytab host/nuts.sys.intra
Entry for principal host/nuts.sys.intra with kvno 3, encryption type  
Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/
nuts.sys.intra.keytab.
Entry for principal host/nuts.sys.intra with kvno 3, encryption type  
ArcFour with HMAC/md5 added to keytab WRFILE:/root/
nuts.sys.intra.keytab.
Entry for principal host/nuts.sys.intra with kvno 3, encryption type  
DES with HMAC/sha1 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
Entry for principal host/nuts.sys.intra with kvno 3, encryption type  
DES cbc mode with RSA-MD5 added to keytab WRFILE:/root/
nuts.sys.intra.keytab.

I then scp'd the keytab for monster and nuts over to them and moved  
them to /etc/krb5.keytab.

And it didn't work. I messed around, turning off GSSAPI, turning off  
KerberosAuthentication and having GSSAPI ... nothing worked.

Do I need to create service keys? Can anyone tell me what the sshd  
server should be set as?

Messing about with any of this doesn't have any effect at the moment:

ChallengeResponseAuthentication yes
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

I assume that's because it's using PAM and not sshd's kerberos  
support.

The Kerberos howtos that I've read go all the way through to setting  
up ktelnet etc but not ssh! I haven't been able to find a single piece  
of documentation on setting up sshd with kerberos tickets with  
forwarding etc. I must be blind.

Can anyone please help? I'll owe you beer. In fact, if you're in/
around San Jose in a week's time, I'll even BUY you REAL BEER, not  
this virtual stuff. Honest!

Regards,

Nathan.

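The host-principal and keytab steps in the post above, collected into one script. This is an added example, not Nathan's commands or anything posted to the list. It assumes the MIT Kerberos tools (kadmin.local, ktadd, klist -k, kinit -k -t), a staging directory /root/keytabs on the KDC that is my own choice, and that the realm comes from krb5.conf; the hostnames are the post's own. sshd only accepts GSSAPI logins when its /etc/krb5.keytab holds host/<canonical fqdn> for the name the client resolves, so the script insists on a lowercase, fully qualified name before it creates anything.

```shell
#!/bin/sh
# Added example: provision host/ principals and keytabs for ssh GSSAPI
# logins with MIT Kerberos. Not code from the thread. Assumptions: kadmin.local
# runs as root on the KDC, keytabs are staged under /root/keytabs (my choice),
# and the realm is the default_realm from krb5.conf.
set -eu

# sshd looks up host/<canonical fqdn>@REALM in its keytab, so the name must be
# the fully qualified, lowercase hostname, not a short name or an alias.
host_principal() {
    fqdn=$1
    lower=$(printf '%s' "$fqdn" | tr '[:upper:]' '[:lower:]')
    if [ "$fqdn" != "$lower" ]; then
        echo "error: $fqdn is not lowercase; principal names are case-sensitive" >&2
        return 1
    fi
    case $fqdn in
        *.*) printf 'host/%s\n' "$fqdn" ;;
        *)   echo "error: $fqdn is not fully qualified" >&2; return 1 ;;
    esac
}

# One keytab file per host, staged on the KDC. Do not ktadd other hosts into
# the KDC's own /etc/krb5.keytab: that file would then hold every host's key.
keytab_path() {
    printf '/root/keytabs/%s.keytab\n' "$1"
}

# Run on the KDC, once per host. -randkey gives the principal a random key
# (no password). ktadd rotates the key and bumps the kvno each time it runs,
# so re-running it silently invalidates a keytab already deployed on the host.
provision() {
    fqdn=$1
    princ=$(host_principal "$fqdn")
    kt=$(keytab_path "$fqdn")
    mkdir -p "$(dirname "$kt")" && chmod 700 "$(dirname "$kt")"
    kadmin.local -q "addprinc -randkey $princ"
    kadmin.local -q "ktadd -k $kt $princ"
    chmod 600 "$kt"
    klist -k "$kt"
}

# Run on the target host after its keytab was copied over an already
# authenticated channel (scp, as in the post). The kinit proves the keytab
# holds the key and kvno the KDC currently has for host/<fqdn>, which is what
# sshd needs to decrypt service tickets; the MEMORY: cache vanishes on exit.
install_keytab() {
    src=$1
    princ=$(host_principal "$(hostname -f)")
    install -m 600 -o root -g root "$src" /etc/krb5.keytab
    if ! klist -k /etc/krb5.keytab | grep -q -F "$princ"; then
        echo "error: /etc/krb5.keytab has no entry for $princ" >&2
        return 1
    fi
    KRB5CCNAME=MEMORY:keytab-check kinit -k -t /etc/krb5.keytab "$princ"
    echo "ok: $princ authenticates from /etc/krb5.keytab"
}
```

provision runs on the KDC (`provision nuts.sys.intra`), install_keytab on the client after the copy (`install_keytab /root/nuts.sys.intra.keytab`). The server side otherwise only needs `GSSAPIAuthentication yes` in sshd_config, which the post already has; a kinit failure at the end points at a name or kvno mismatch rather than at sshd.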
Re: Single sign-on with ssh (only unix)

Nathan Ollerenshaw
Hi again folks!

I eventually got it working partially, but I have a question.

serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [hidden email]

Valid Starting     Expires            Service Principal
06/03/05 11:56:31  06/03/05 21:56:29  krbtgt/
[hidden email]
         renew until 06/03/05 11:56:31, FPRI
06/03/05 11:56:37  06/03/05 21:56:29  host/
[hidden email]
         renew until 06/03/05 11:56:31, FPRT
06/03/05 11:56:43  06/03/05 21:56:29  host/
[hidden email]
         renew until 06/03/05 11:56:31, FPRT

klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun  3 12:22:46 2005 from nuts.sys.intra
[[hidden email] ~]$ ssh nuts.sys.intra
Last login: Fri Jun  3 12:22:40 2005 from monster.sys.intra
[[hidden email] ~]$ ssh monster.sys.intra
Last login: Fri Jun  3 12:23:21 2005 from 10.0.13.24
[[hidden email] ~]$ ssh nuts.sys.intra
Permission denied (gssapi-with-mic).
[[hidden email] ~]$

That should work, right? I should be able to go workstation ->  
monster -> nuts -> monster -> nuts -> monster -> etc

right?

serenity:~ chrome$ kinit -f
Please enter the password for [hidden email]:
serenity:~ chrome$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [hidden email]

Valid Starting     Expires            Service Principal
06/03/05 12:24:57  06/03/05 22:24:54  krbtgt/
[hidden email]
         renew until 06/03/05 12:24:57, FPRI

klist: No Kerberos 4 tickets in credentials cache
serenity:~ chrome$ ssh monster.sys.intra
Last login: Fri Jun  3 12:24:39 2005 from 10.0.13.24
[[hidden email] ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500_wG5550
Default principal: [hidden email]

Valid starting     Expires            Service principal
06/03/05 12:25:17  06/03/05 22:24:54  krbtgt/
[hidden email]
         renew until 06/03/05 12:24:57, Flags: FfPRT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[[hidden email] ~]$ ssh nuts.sys.intra
Last login: Fri Jun  3 12:23:24 2005 from monster.sys.intra
[[hidden email] ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: [hidden email]

Valid starting     Expires            Service principal
06/03/05 11:39:57  06/04/05 11:39:57  krbtgt/
[hidden email]
         renew until 06/03/05 11:39:57, Flags: FRI
06/03/05 11:40:03  06/04/05 11:39:57  host/
[hidden email]
         renew until 06/03/05 11:39:57, Flags: FRT


Kerberos 4 ticket cache: /tmp/tkt5002
klist: You have no tickets cached
[[hidden email] ~]$ ssh monster.sys.intra
Last login: Fri Jun  3 12:25:17 2005 from 10.0.13.24
[[hidden email] ~]$ klist -f
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[[hidden email] ~]$

It seems that after a few hops, I lose the ticket forwarding?

Regards,

Nathan.

Re: Single sign-on with ssh (only unix)

hartmans
I would not expect you to lose ticket forwarding.  Are some of your
machines set up to forward tickets (gssapidelegatecredentials yes) and
some not?

Re: Single sign-on with ssh (only unix)

Nathan Ollerenshaw
On Jun 3, 2005, at 2:30 PM, Sam Hartman wrote:

> gssapidelegatecredentials yes

That doesn't seem to be an option in my openssh?

Starting sshd:/etc/ssh/sshd_config: line 76: Bad configuration  
option: GSSAPIDelegateCredentials

Will I need to grab the source RPM and rebuild to get that option? Am  
running FC3.

The two machines I am testing between seem to delegate credentials  
however; because I can ssh to one, then to the other then back to the  
first but not back to the second a second time ... so it's working for  
2 hops. But it should work for any number of hops right?

Regards,

Nathan.

Re: Single sign-on with ssh (only unix)

Nathan Ollerenshaw
On Jun 3, 2005, at 2:30 PM, Sam Hartman wrote:

> I would not expect you to lose ticket forwarding.  Are some of your
> machines set up to forward tickets (gssapidelegatecredentials yes) and
> some not?

Oh, I see:

serenity:~ chrome$ ssh -o "gssapidelegatecredentials yes" nuts.sys.intra
Last login: Fri Jun  3 14:42:02 2005 from 10.0.13.24
[[hidden email] ~]$ ssh -o "gssapidelegatecredentials yes"  
monster.sys.intra
Last login: Fri Jun  3 13:31:02 2005 from 10.0.13.24
[[hidden email] ~]$ ssh -o "gssapidelegatecredentials yes"  
nuts.sys.intra
Last login: Fri Jun  3 14:50:50 2005 from 10.0.13.24
[[hidden email] ~]$ ssh -o "gssapidelegatecredentials yes"  
monster.sys.intra
Last login: Fri Jun  3 14:50:54 2005 from nuts.sys.intra
[[hidden email] ~]$ ssh -o "gssapidelegatecredentials yes"  
nuts.sys.intra
Last login: Fri Jun  3 14:51:03 2005 from monster.sys.intra
[[hidden email] ~]$ ssh -o "gssapidelegatecredentials yes"  
monster.sys.intra
Last login: Fri Jun  3 14:51:03 2005 from nuts.sys.intra
[[hidden email] ~]$

Yeah, that works. Thanks!

I think I will write a howto and post it online for people working  
with FC2/3/Macs/Solaris machines :)

Regards,

Nathan.

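Sam Hartman's answer and the working `-o "gssapidelegatecredentials yes"` run above, turned into a check you can run before each hop. This is an added example, not code from the thread. On every intermediate host two client-side conditions must hold: the TGT in that host's cache carries the F (forwardable) flag, and the ssh client on that host delegates it to the next destination. GSSAPIDelegateCredentials is an ssh(1) client option, so it belongs in ~/.ssh/config or /etc/ssh/ssh_config and not in sshd_config, which is why sshd on FC3 rejected it as a bad option. The realm SYS.INTRA, the principal chrome@SYS.INTRA and the sample klist output and configs are constructed; the hostnames are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for multi-hop ssh
# single sign-on with Kerberos/GSSAPI. Realm SYS.INTRA, principal
# chrome@SYS.INTRA and all sample text below are constructed.

# Print the flag string of the krbtgt entry in `klist -f` output given as $1.
# MIT: "renew until ..., Flags: FfPRT" (or a bare "Flags: FI" line when the
# ticket is not renewable); Heimdal/macOS: "renew until ..., FPRI".
tgt_flags() {
    printf '%s\n' "$1" | awk '
        index($0, "krbtgt/") { want = 1; next }
        want && (/Flags:/ || /renew until/) {
            sub(/.*Flags: */, ""); sub(/.*, */, ""); print; exit
        }
        { want = 0 }
    '
}

# Succeeds when the TGT may be forwarded (uppercase F). A lowercase f alone
# marks a copy that was forwarded here but cannot be forwarded again.
tgt_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds when ssh would send GSSAPIDelegateCredentials yes to host $2 under
# the ssh_config text in $1 (user config then system config, the order ssh
# reads them; the first value obtained wins). Host patterns may be exact or
# hold one "*"; negation, "?" and Match blocks are not handled.
delegation_enabled() {
    printf '%s\n' "$1" | awk -v host="$2" '
        function globmatch(s, p,    k, tail) {
            k = index(p, "*")
            if (k == 0) return s == p
            tail = substr(p, k + 1)
            return substr(s, 1, k - 1) == substr(p, 1, k - 1) &&
                   substr(s, length(s) - length(tail) + 1) == tail
        }
        BEGIN { active = 1; val = "" }
        /^[ \t]*(#|$)/ { next }
        {
            key = tolower($1)
            if (key == "host") {
                active = 0
                for (i = 2; i <= NF; i++) if (globmatch(host, $i)) active = 1
                next
            }
            if (active && val == "" && key == "gssapidelegatecredentials")
                val = tolower($2)
        }
        END { if (val == "yes") exit 0; exit 1 }
    '
}

# Constructed caches in the two layouts seen in the thread.
MIT_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_500_wG5550
Default principal: chrome@SYS.INTRA

Valid starting     Expires            Service principal
06/03/05 12:25:17  06/03/05 22:24:54  krbtgt/SYS.INTRA@SYS.INTRA
        renew until 06/03/05 12:24:57, Flags: FfPRT'

HEIMDAL_SAMPLE="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: chrome@SYS.INTRA

Valid Starting     Expires            Service Principal
06/03/05 11:56:31  06/03/05 21:56:29  krbtgt/SYS.INTRA@SYS.INTRA
        renew until 06/03/05 11:56:31, FPRI
06/03/05 11:56:37  06/03/05 21:56:29  host/monster.sys.intra@SYS.INTRA
        renew until 06/03/05 11:56:31, FPRT"

# kinit without -f where nothing makes tickets forwardable by default
PLAIN_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: chrome@SYS.INTRA

Valid starting     Expires            Service principal
06/03/05 11:39:57  06/04/05 11:39:57  krbtgt/SYS.INTRA@SYS.INTRA
        renew until 06/03/05 11:39:57, Flags: RI'

# The thread's starting point: GSSAPI on, no delegation, so the next hop
# arrives with no credentials cache at all.
CFG_WEAK='Host *
    GSSAPIAuthentication yes'

# Delegate only to hosts allowed to hold a copy of your TGT; "Host *" with
# delegation on would hand it to every server you ever ssh to.
CFG_SCOPED='Host *.sys.intra
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'

# Live check against the real cache and ssh configs before `ssh $1`.
preflight() {
    host=$1
    cache=$(klist -f 2>/dev/null) || { echo "no credentials cache: run kinit -f" >&2; return 1; }
    tgt_forwardable "$cache" || {
        echo "TGT flags '$(tgt_flags "$cache")' lack F: run kinit -f" >&2; return 1; }
    cfg=$(cat "$HOME/.ssh/config" /etc/ssh/ssh_config 2>/dev/null || true)
    delegation_enabled "$cfg" "$host" || {
        echo "no GSSAPIDelegateCredentials yes matches $host: next hop gets no TGT" >&2; return 1; }
    echo "ok: forwardable TGT and delegation enabled for $host"
}

# ./sso-preflight.sh nuts.sys.intra ; with no argument only the functions are defined
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Delegation hands the remote host a copy of your TGT, and a compromised host holding it can reach everything you can until the ticket expires, so scope it as CFG_SCOPED does rather than with `Host *`; the thread's `-o` form does the same per command. This is consistent with the klist output above: the cache on nuts (flags FRI) was forwardable, and what broke the chain was the ssh client on that hop not delegating. A cache obtained through a PAM password login is forwardable only if the KDC or the krb5.conf [libdefaults] `forwardable` setting makes tickets forwardable by default; `kinit -f` asks for it explicitly.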
Re: Single sign-on with ssh (only unix)

Barbat, Calin
Good idea, I'd be also interested in the How To. Could you please send it (or URL where to find it) to me too?

Best regards

Calin Barbat
OSRAM GmbH / IT SP6
Hellabrunnerstr. 1
81543 München

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On behalf of Nathan Ollerenshaw
Sent: Friday, 3 June 2005 07:54
To: Sam Hartman
Cc: [hidden email]
Subject: Re: Single sign-on with ssh (only unix)

I think I will write a howto and post it online for people working with FC2/3/Macs/Solaris machines :)

Regards,

Nathan.
