Native Kerberos Authentication with SSH

This article is about integrating OpenSSH in a kerberos environment. Allthough OpenSSH can provide passwordless logins (through Public/Private keys), it is not a true SSO set-up. This article makes use of Kerberos TGT service to implement a true SSO configuration for OpenSSH.


First off, you'll need to make sure that the OpenSSH server's Kerberos configuration (in /etc/krb5.conf) is correct and works, and that the server's keytab (typically /etc/krb5.keytab) contains an entry for host/fqdn@REALM (case-sensitive). I won't go into details on how this is done again; instead, I'll refer you to any one of the recent Kerberos-related articles (like this one, this one, or even this one). Just be sure that you can issue a kinit -k host/fqdn@REALM and get back a Kerberos ticket without having specify a password. (This tells you that the keytab is working as expected.)

Configuring the SSH Server

Configure `/etc/ssh/sshd_config with the following:

 KerberosAuthentication yes
 KerberosTicketCleanup yes
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes
 UseDNS yes
 UsePAM no

If UseDNS is set to Yes, the ssh server does a reverse host lookup to find the name of the connecting client. This is necessary when host-based authentication is used or when you want last login information to display host names rather than IP addresses. Note: Some ssh sessions stall when performing reverse name lookups because the DNS servers are unreachable. If this happens, you can skip the DNS lookups by setting UseDNS to no. If UseDNS is not explicitly set in the /etc/ssh/sshd_config file, the default value is UseDNS yes.

Configuring the SSH Client

Edit /etc/ssh/ssh_config, and change the file accordingly. For example, we want to enable Kerberos mechanism for all Hosts:

 Host *
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

or to enable to specific domains:

Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

This limits GSSAPI authentication to only those hosts in the domain. Modify the domain to be the appropriate domain for your network.

Testing the Configuration

Obtain a valid Kerberos ticket kinit username from the command line. Once you have a ticket, you should be able to simply ssh fqdn.of.server and you will get logged in, without getting prompted for a password. If you get prompted for a password, go back and double-check your keytab, your SSH daemon configuration, and the time configuration on your OpenSSH server. Because Kerberos requires time synchronization, differences of greater than 5 minutes will cause the authentication to fail.