Environment
openLDAP server : krb-ldap.shadow.com 192.168.122.16 Kerberos KDC : krb-kdc1.shadow.com 192.168.122.18 Client Machine : krb-client.shadow.com 192.168.122.20
Preliminary setup
Add the entries below to /etc/hosts on all three machines
192.168.122.16 krb-ldap.shadow.com krb-ldap 192.168.122.18 krb-kdc1.shadow.com krb-kdc1 192.168.122.20 krb-client.shadow.com krb-client
Set a proper hostname on all machines: the command hostname -f should return the FQDN of each instance. This is really important.
Setting up LDAP authentication
Configuring openldap
[root@krb-ldap ~]# yum install openldap-servers [root@krb-ldap ~]# slappasswd New password: Re-enter new password: {SSHA}VErfr3f/zUoomq1Q8Mx651/yDbNdZ+cN [root@krb-ldap ~]# nano /etc/openldap/slapd.conf [root@krb-ldap ~]# grep -B4 rootpw /etc/openldap/slapd.conf database bdb suffix "dc=krb,dc=shadow,dc=com" rootdn "cn=Manager,dc=krb,dc=shadow,dc=com" rootpw {SSHA}VErfr3f/zUoomq1Q8Mx651/yDbNdZ+cN [root@krb-ldap ~]# chkconfig ldap on ; service ldap restart Stopping slapd: [FAILED] Checking configuration files for slapd: config file testing succeeded [ OK ] Starting slapd: [ OK ]
Import basic user/group authentication data
[root@krb-ldap ~]# cat base.ldif
dn: dc=krb,dc=shadow,dc=com objectClass: domain objectClass: top dc: krb dn: ou=People,dc=krb,dc=shadow,dc=com objectClass: organizationalUnit objectClass: top ou: People dn: ou=Group,dc=krb,dc=shadow,dc=com objectClass: organizationalUnit objectClass: top ou: Group
Import sample users and groups
[root@krb-ldap ~]# cat users.ldif
dn: uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com objectClass: shadowAccount objectClass: posixAccount objectClass: account objectClass: top cn: Basil Kurian gidNumber: 1000 homeDirectory: /home/bkurian uid: bkurian uidNumber: 1000 gecos: Basil Kurian loginShell: /bin/bash userPassword:: e1NIQX1la1MzUGtWNmd6aldNei9CZ3JzK3dqbC90MWs9 dn: cn=web,ou=Group,dc=krb,dc=shadow,dc=com objectClass: posixGroup objectClass: top cn: web gidNumber: 1005 description: Websites memberUid: bkurian dn: cn=users,ou=Group,dc=krb,dc=shadow,dc=com objectClass: posixGroup objectClass: top cn: users gidNumber: 1000 description: Users dn: uid=milon,ou=People,dc=krb,dc=shadow,dc=com objectClass: shadowAccount objectClass: posixAccount objectClass: account objectClass: top cn: Milon James gidNumber: 1000 homeDirectory: /home/milon uid: milon uidNumber: 1002 gecos: Milon James loginShell: /bin/bash userPassword:: e1NIQX1UbTMwSm4wT1ZwcUJ5VnJadVdGWlV3V0lJa2c9
[root@krb-ldap ~]# ldapadd -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -f base.ldif -bash: ldapadd: command not found [root@krb-ldap ~]# [root@krb-ldap ~]# yum install openldap-client
[root@krb-ldap ~]# ldapadd -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -f base.ldif -v ldap_initialize( <DEFAULT> ) Enter LDAP Password: add objectClass: domain top add dc: krb adding new entry "dc=krb,dc=shadow,dc=com" modify complete add objectClass: organizationalUnit top add ou: People adding new entry "ou=People,dc=krb,dc=shadow,dc=com" modify complete add objectClass: organizationalUnit top add ou: Group adding new entry "ou=Group,dc=krb,dc=shadow,dc=com" modify complete [root@krb-ldap ~]#
[root@krb-ldap ~]# ldapadd -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -f users.ldif -v ldap_initialize( <DEFAULT> ) Enter LDAP Password: add objectClass: shadowAccount posixAccount account top add cn: Basil Kurian add gidNumber: 1000 add homeDirectory: /home/bkurian add uid: bkurian add uidNumber: 1000 add gecos: Basil Kurian add loginShell: /bin/bash add userPassword: {SHA}ekS3PkV6gzjWMz/Bgrs+wjl/t1k= adding new entry "uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com" modify complete add objectClass: posixGroup top add cn: web add gidNumber: 1005 add description: Websites add memberUid: bkurian adding new entry "cn=web,ou=Group,dc=krb,dc=shadow,dc=com" modify complete add objectClass: posixGroup top add cn: users add gidNumber: 1000 add description: Users adding new entry "cn=users,ou=Group,dc=krb,dc=shadow,dc=com" modify complete add objectClass: shadowAccount posixAccount account top add cn: Milon James add gidNumber: 1000 add homeDirectory: /home/milon add uid: milon add uidNumber: 1002 add gecos: Milon James add loginShell: /bin/bash add userPassword: {SHA}Tm30Jn0OVpqByVrZuWFZUwWIIkg= adding new entry "uid=milon,ou=People,dc=krb,dc=shadow,dc=com" modify complete [root@krb-ldap ~]#
Authenticating LDAP users
[root@krb-ldap ~]# authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=krb-ldap.shadow.com --ldapbasedn="dc=krb,dc=shadow,dc=com" --update [root@krb-ldap ~]# ssh bkurian@krb-ldap.shadow.com The authenticity of host 'krb-ldap.shadow.com (192.168.122.16)' can't be established. RSA key fingerprint is 28:14:e7:30:b7:3e:d3:c2:e1:3f:a5:0d:18:a1:c7:34. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'krb-ldap.shadow.com,192.168.122.16' (RSA) to the list of known hosts. bkurian@krb-ldap.shadow.com's password: Creating directory '/home/bkurian'. Creating directory '/home/bkurian/.mozilla'. Creating directory '/home/bkurian/.mozilla/plugins'. Creating directory '/home/bkurian/.mozilla/extensions'. [bkurian@krb-ldap ~]$
Setting up NTP
Kerberos requires the clocks of all hosts to be in sync; authentication fails when the clock skew between a client and the KDC exceeds the allowed limit.
[root@krb-ldap ~]# yum -y install ntp && ntpdate ntp.ubuntu.com && chkconfig ntpd on && /etc/init.d/ntpd start
[root@krb-kdc ~]# yum -y install ntp && ntpdate ntp.ubuntu.com && chkconfig ntpd on && /etc/init.d/ntpd start
[root@krb-client ~]# yum -y install ntp && ntpdate ntp.ubuntu.com && chkconfig ntpd on && /etc/init.d/ntpd start
Configuring Kerberos KDC
[root@krb-kdc1 ~]# yum install -y krb5-server krb5-workstation
- Setting up iptables rules
- 192.168.122.0/24 is the local network
[root@krb-kdc1 ~]# iptables -A INPUT -s 192.168.122.0/24 -p tcp --dport 22 -j ACCEPT [root@krb-kdc1 ~]# iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT [root@krb-kdc1 ~]# iptables -P INPUT DROP [root@krb-kdc1 ~]# iptables -N KDC [root@krb-kdc1 ~]# iptables -I INPUT -j KDC [root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24 -p tcp --dport 88 -j ACCEPT -m comment --comment "kerberos" [root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24 -p udp --dport 88 -j ACCEPT -m comment --comment "kerberos" [root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24 -p udp --dport 464 -j ACCEPT -m comment --comment "kerberos" [root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24 -p tcp --dport 749 -j ACCEPT -m comment --comment "kerberos" [root@krb-kdc1 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT [root@krb-kdc1 ~]# iptables -L -n Chain INPUT (policy DROP) target prot opt source destination YP all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 192.168.122.0/24 0.0.0.0/0 tcp dpt:22 ACCEPT all -- 127.0.0.0/8 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain YP (1 references) target prot opt source destination ACCEPT tcp -- 192.168.122.0/24 0.0.0.0/0 tcp dpt:88 /* kerberos */ ACCEPT udp -- 192.168.122.0/24 0.0.0.0/0 udp dpt:88 /* kerberos */ ACCEPT udp -- 192.168.122.0/24 0.0.0.0/0 udp dpt:464 /* kerberos */ ACCEPT tcp -- 192.168.122.0/24 0.0.0.0/0 tcp dpt:749 /* kerberos */ [root@krb-kdc1 ~]# service iptables save Saving firewall rules to /etc/sysconfig/iptables: [ OK ] [root@krb-kdc1 ~]#
[root@krb-kdc1 ~]# nano /etc/krb5.conf
[root@krb-kdc1 ~]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = SHADOW.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] SHADOW.COM = { kdc = krb-kdc1.shadow.com:88 admin_server = krb-kdc1.shadow.com:749 default_domain = shadow.com } [domain_realm] .shadow.com = SHADOW.COM shadow.com = SHADOW.COM [appdefaults] pam = { validate = true debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
[root@krb-kdc1 ~]# nano /var/kerberos/krb5kdc/kdc.conf
[root@krb-kdc1 ~]# cat /var/kerberos/krb5kdc/kdc.conf [kdcdefaults] v4_mode = nopreauth kdc_tcp_ports = 88 [realms] SHADOW.COM = { # master_key_type = des3-hmac-sha1 default_principal_flags = +preauth acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 }
[root@krb-kdc1 ~]# nano /var/kerberos/krb5kdc/kadm5.acl [root@krb-kdc1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl */admin@SHADOW.COM * [root@krb-kdc1 ~]#
The above rule grants all rights to any principal authenticated with an /admin instance.
- Create the KDC database that holds the Kerberos data
[root@krb-kdc1 ~]# kdb5_util create -r SHADOW.COM -s Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SHADOW.COM', master key name 'K/M@SHADOW.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: [root@krb-kdc1 ~]# ls /var/kerberos/krb5kdc/* /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/principal /var/kerberos/krb5kdc/principal.kadm5.lock /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/principal.kadm5 /var/kerberos/krb5kdc/principal.ok [root@krb-kdc1 ~]#
- Create a principal for the admin user as well as for bkurian. Export the admin details to the kadmind keytab.
[root@krb-kdc1 ~]# kadmin.local Authenticating as principal root/admin@SHADOW.COM with password. kadmin.local: addprinc root/admin WARNING: no policy specified for root/admin@SHADOW.COM; defaulting to no policy Enter password for principal "root/admin@SHADOW.COM": Re-enter password for principal "root/admin@SHADOW.COM": Principal "root/admin@SHADOW.COM" created. kadmin.local: addprinc bkurian WARNING: no policy specified for bkurian@SHADOW.COM; defaulting to no policy Enter password for principal "bkurian@SHADOW.COM": Re-enter password for principal "bkurian@SHADOW.COM": Principal "bkurian@SHADOW.COM" created. kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin Entry for principal kadmin/admin with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. 
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. kadmin.local: exit [root@krb-kdc1 ~]#
[root@krb-kdc1 ~]# /etc/init.d/krb5kdc start; /etc/init.d/kadmin start ; chkconfig krb5kdc on; chkconfig kadmin on Starting Kerberos 5 KDC: [ OK ] Starting Kerberos 5 Admin Server: [ OK ]
- Copy the krb5.conf file to the relevant hosts
[root@krb-kdc1 ~]# scp /etc/krb5.conf root@krb-ldap.shadow.com:/etc/ root@krb-ldap.shadow.com's password: krb5.conf 100% 616 0.6KB/s 00:00 [root@krb-kdc1 ~]# scp /etc/krb5.conf root@krb-client.shadow.com:/etc/ root@krb-client.shadow.com's password: krb5.conf 100% 616 0.6KB/s 00:00 [root@krb-kdc1 ~]#
Adding host principals
On krb-kdc1
[root@krb-kdc1 ~]# kadmin.local Authenticating as principal root/admin@SHADOW.COM with password. kadmin.local: addprinc -randkey host/krb-kdc1.shadow.com WARNING: no policy specified for host/krb-kdc1.shadow.com@SHADOW.COM; defaulting to no policy Principal "host/krb-kdc1.shadow.com@SHADOW.COM" created. kadmin.local: ktadd host/krb-kdc1.shadow.com Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab. kadmin.local: exit [root@krb-kdc1 ~]#
On krb-ldap
[root@krb-ldap ~]# kadmin Authenticating as principal root/admin@SHADOW.COM with password. Password for root/admin@SHADOW.COM: kadmin: addprinc -randkey host/krb-ldap.shadow.com WARNING: no policy specified for host/krb-ldap.shadow.com@SHADOW.COM; defaulting to no policy Principal "host/krb-ldap.shadow.com@SHADOW.COM" created. kadmin: ktadd host/krb-ldap.shadow.com Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab. kadmin: exit [root@krb-ldap ~]#
On krb-client
[root@krb-client ~]# kadmin Authenticating as principal root/admin@SHADOW.COM with password. Password for root/admin@SHADOW.COM: kadmin: addprinc -randkey host/krb-client.shadow.com WARNING: no policy specified for host/krb-client.shadow.com@SHADOW.COM; defaulting to no policy Principal "host/krb-client.shadow.com@SHADOW.COM" created. kadmin: ktadd host/krb-client.shadow.com Entry for principal host/krb-client.shadow.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-client.shadow.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-client.shadow.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-client.shadow.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-client.shadow.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/krb-client.shadow.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab. kadmin: exit [root@krb-client ~]#
Delete userPassword information on LDAP database
- Delete the userPassword attribute for the user bkurian (and any other relevant users) so that logging in with the LDAP password is no longer possible.
[root@krb-ldap ~]# nano bkurian.ldif [root@krb-ldap ~]# cat bkurian.ldif dn: uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com changetype: modify delete: userPassword [root@krb-ldap ~]# [root@krb-ldap ~]# ldapmodify -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -v -f bkurian.ldif ldap_initialize( <DEFAULT> ) Enter LDAP Password: delete userPassword: modifying entry "uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com" modify complete
[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com bkurian@krb-ldap.shadow.com's password: Permission denied, please try again. bkurian@krb-ldap.shadow.com's password:
Enabling Kerberos authentication
[root@krb-ldap ~]# authconfig --enablekrb5 --enablemkhomedir --krb5kdc=krb-kdc1.shadow.com --krb5adminserver=krb-kdc1.shadow.com --krb5realm=SHADOW.COM --update
Verifying functionality
[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com bkurian@krb-ldap.shadow.com's password: Last login: Tue Mar 6 12:40:19 2012 from krb-client.shadow.com [bkurian@krb-ldap ~]$ logout
Thus we can see that Kerberos authentication is working :)
Verifying Kerberos single sign-on (SSO)
Create a ticket
[root@krb-client ~]# kinit bkurian Password for bkurian@SHADOW.COM:
List the tickets
[root@krb-client ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: bkurian@SHADOW.COM Valid starting Expires Service principal 03/06/12 12:50:38 03/07/12 12:50:38 krbtgt/SHADOW.COM@SHADOW.COM Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached [root@krb-client ~]#
Now log in automatically to the servers bound to Kerberos
[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com Last login: Tue Mar 6 12:50:19 2012 from krb-client.shadow.com [bkurian@krb-ldap ~]$
With more verbosity
[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com -v OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to krb-ldap.shadow.com [192.168.122.16] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: loaded 3 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3 debug1: match: OpenSSH_4.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'krb-ldap.shadow.com' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:2 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Authentication succeeded (gssapi-with-mic). debug1: channel 0: new [client-session] debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 Last login: Tue Mar 6 12:53:43 2012 from krb-client.shadow.com [bkurian@krb-ldap ~]$
- KDC logs
Mar 06 12:55:07 krb-kdc1.shadow.com krb5kdc[21230](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.122.20: ISSUE: authtime 1331018707, etypes {rep=18 tkt=18 ses=18}, bkurian@SHADOW.COM for krbtgt/SHADOW.COM@SHADOW.COM Mar 06 12:55:27 krb-kdc1.shadow.com krb5kdc[21230](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.122.20: ISSUE: authtime 1331018707, etypes {rep=18 tkt=18 ses=18}, bkurian@SHADOW.COM for host/krb-ldap.shadow.com@SHADOW.COM
- SSHD logs
[root@krb-ldap ~]# tail -f /var/log/secure Mar 6 12:55:27 localhost sshd[22249]: Authorized to bkurian, krb5 principal bkurian@SHADOW.COM (krb5_kuserok) Mar 6 12:55:28 localhost sshd[22249]: Accepted gssapi-with-mic for bkurian from 192.168.122.20 port 46343 ssh2 Mar 6 12:55:28 localhost sshd[22249]: pam_unix(sshd:session): session opened for user bkurian by (uid=0)
References
I started with this tutorial : http://rackerhacker.com/2012/02/05/the-kerberos-haters-guide-to-installing-kerberos/
Appendix
sshd config file in RHEL/CentOS 5.x
Protocol 2 SyslogFacility AUTHPRIV PasswordAuthentication yes ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials yes UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL X11Forwarding yes Subsystem sftp /usr/libexec/openssh/sftp-server
ssh config file in RHEL/CentOS 5.x
Host * GSSAPIAuthentication yes