Kerberos and ssh
June 2, 2004 at 3:36 pm #358150
bustthis
Participant
I set up Kerberos last night on my 10.3.4 server and all services are working with it, except for ssh… Is there something I need to configure for ssh to work, shouldn't it just work? afp, smtp and imap are working well, but one of the reasons I set up Kerberos was to use ssh.
Any suggestions?
June 3, 2004 at 1:28 am #358153
honestpuck
Participant
Well, the quick answer is read https://www.afp548.com/Articles/Panther/kerberos2.html for a quick solution.
The slower answer is that the Kerberos autoconfig routine in 10.3+ doesn't fully populate your keytab file for reasons unknown. This means that if you want ssh supported then you need to run sso_util.
sudo sso_util configure -r REALM -a admin_name -p password all
Oh, since you’ve got that far then you might also want a GUI ftp client – if so then you need to grab a copy of Fetch and MIT Kerberos Extras (from MIT). MKE also allows Kerberos single sign on to work in Eudora for those that prefer using it over Mail.app
Have you found the neat little Kerberos utility in /System/Library/Core Services yet? If you don't install MKE (which creates an alias to this in your Applications folder) you might want to go to a shell prompt and type:
mkalias "/System/Library/Core Services/Kerberos.app" /Applications/Kerberos
(I’ll leave figuring out why you can’t create an alias for this from Finder as an exercise for the reader – this is another ‘feature’ I wish Apple would fix)
I like this tool just for the neat little ticket countdown timer in the Dock icon and that it allows me to log on to my computer using a local login and then grab a ticket using a login name from the LDAP server.
Tony
June 3, 2004 at 1:39 am #358154
bustthis
Participant
Thanks for your reply. I followed the article step by step and ran: sudo sso_util configure -r REALM -a admin_name -p password all
This is my keytab:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 06/02/04 04:16:40 host/[email protected]
3 06/02/04 04:16:40 host/[email protected]
3 06/02/04 04:16:40 host/[email protected]
3 06/02/04 04:16:40 smtp/[email protected]
3 06/02/04 04:16:40 smtp/[email protected]
3 06/02/04 04:16:40 smtp/[email protected]
3 06/02/04 04:16:40 pop/[email protected]
3 06/02/04 04:16:40 pop/[email protected]
3 06/02/04 04:16:40 pop/[email protected]
3 06/02/04 04:16:40 imap/[email protected]
3 06/02/04 04:16:40 imap/[email protected]
3 06/02/04 04:16:40 imap/[email protected]
3 06/02/04 04:16:40 ftp/[email protected]
3 06/02/04 04:16:40 ftp/[email protected]
3 06/02/04 04:16:40 ftp/[email protected]
3 06/02/04 04:16:40 afpserver/[email protected]
3 06/02/04 04:16:40 afpserver/[email protected]
3 06/02/04 04:16:40 afpserver/[email protected]
I will check out the MIT extras… I made a symlink to the Kerberos.app in my Utilities folder and everything seems to be working: imap, smtp, login, afp… I haven't tried ftp, but when I ssh server.example.com, I am prompted for my password. I see there is some "kerberos stuff" in the sshd_config, but I'm not sure how to configure that, and the article suggests that it will work on a healthy system…
thanks again,
charles
June 3, 2004 at 2:07 am #358155
honestpuck
Participant
Charles,
That keytab looks fine, similar enough to mine anyway. You might want to force your client to use protocol v2 (with the -2 option).
Note that the user names have to match your currently active key, otherwise you need to use the -l option to the ssh client.
I’d also try a reboot on both boxes.
Tony
June 3, 2004 at 3:51 am #358159
bustthis
Participant
After rebooting server and client:
[myclient:~] charlesx% ssh -2 my.server.com
[email protected]'s password:

Server's system log:
Jun 2 22:44:34 charles-x xinetd[8188]: START: ssh pid=18876 from=10.0.1.2
Jun 2 22:44:35 charles-x krb5kdc[536]: TGS_REQ (5 etypes {16 23 1 3 2}) 10.0.1.2: ISSUE: authtime 1086210789, etypes {rep=16 tkt=16 ses=16}, [email protected] for host/[email protected]
Jun 2 22:44:40 charles-x sshd[18876]: Accepted password for charlesx from 10.0.1.2 port 53340 ssh2

Looks like it requested the ticket, but I still had to enter my password.
June 3, 2004 at 4:05 am #358160
honestpuck
Participant
Did you check you had a valid ticket using the Kerberos app?
Does ssh -version report ‘OpenSSH_3.6.1’?
What OS version are you running the client on?
Tony
June 3, 2004 at 4:16 am #358161
bustthis
Participant
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
The client is 10.3.3, server 10.3.4… Yes, I get a valid ticket.
A couple of weeks ago, someone suggested to me to take out the flags = REUSE IPv6 line in /etc/xinetd.d/ssh to avoid getting the POSSIBLE BREAKIN ATTEMPTS in my logs, could this be it? Also, ever since I installed the 10.3.4 update on my server, I get this every time I log out from a remote login: error: BSM audit: solaris_audit_record failed to write "sshd logout " record: Operation not supported
I am not sure if either is related…
June 3, 2004 at 4:26 am #358162
honestpuck
Participant
OK, first
1/ ssh to the server any old how
2/ do a ‘kinit’ on the server to get a ticket – you’ll supply your password again.
3/ Try ssh to the server from the server.
This will take the client out of the loop.
I’d also try restoring your ssh to an absolute default, so put back that stuff you removed from the xinet file.
Tony
June 3, 2004 at 5:26 am #358163
bustthis
Participant
No luck... It seems the host tickets are being created when I ssh, but it always wants my password… which leads me to think this is something to do with my ssh config. I just did a clean install of 10.3.4 six days ago and I think my system is pretty "healthy"… 🙂
thanks for your time,
charles
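The symptom in this thread (the KDC issues a host/ service ticket, yet sshd still falls back to a password) can be triaged mechanically. The checker below is an added example, not code from the thread or from Apple: it parses a `klist -k` listing, a krb5kdc TGS_REQ line and sshd_config, and reports whether the requested service principal is in the keytab and whether any Kerberos/GSSAPI authentication directive is actually enabled. Host name, realm and IPs are constructed placeholders, and the sshd_config directive names are those of OpenSSH's sshd_config and may differ on the 2004 Apple build.

```python
import re

# Constructed inputs modelled on the thread (placeholder host name, realm and IPs):
# a `klist -k` listing, one krb5kdc TGS_REQ line and a fragment of sshd_config.
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   3 06/02/04 04:16:40 host/server.example.com@EXAMPLE.COM
   3 06/02/04 04:16:40 host/server@EXAMPLE.COM
   3 06/02/04 04:16:40 imap/server.example.com@EXAMPLE.COM
"""
KDC_LOG_LINE = ("Jun 2 22:44:35 kdc krb5kdc[536]: TGS_REQ (5 etypes {16 23 1 3 2}) 10.0.1.2: "
                "ISSUE: authtime 1086210789, etypes {rep=16 tkt=16 ses=16}, "
                "charlesx@EXAMPLE.COM for host/server.example.com@EXAMPLE.COM")
SSHD_CONFIG = "#KerberosAuthentication no\n#GSSAPIAuthentication no\nPasswordAuthentication yes\n"

def parse_keytab(listing):
    """Principals listed by `klist -k`: only rows that start with a KVNO count."""
    rows = (re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)$", row) for row in listing.splitlines())
    return {m.group(1) for m in rows if m}

def parse_tgs_issue(line):
    """(client, service) from a krb5kdc 'TGS_REQ ... ISSUE ... X for Y' line, or None."""
    m = re.search(r"TGS_REQ .*?ISSUE: .*?, (\S+@\S+) for (\S+@\S+)", line)
    return (m.group(1), m.group(2)) if m else None

def kerberos_options(config):
    """Effective Kerberos*/GSSAPI* directives; '#'-commented lines are ignored."""
    opts = {}
    for line in config.splitlines():
        m = re.match(r"\s*(Kerberos\w*|GSSAPI\w*)\s+(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2).lower()
    return opts

def diagnose(listing, kdc_line, config):
    """Why sshd may still prompt for a password although the KDC issued a ticket."""
    issues = []
    tgs = parse_tgs_issue(kdc_line)
    if tgs is None:
        issues.append("KDC log shows no service ticket issued for the ssh session")
    elif tgs[1] not in parse_keytab(listing):
        issues.append(f"service principal {tgs[1]} is not in the keytab")
    if "yes" not in kerberos_options(config).values():
        issues.append("no Kerberos/GSSAPI authentication directive enabled in sshd_config")
    return issues
```

On the constructed input the keytab and ticket line up, so the only finding is that every Kerberos directive in sshd_config is still commented out, which matches a password prompt despite a valid ticket.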