Proper procedure for setting up Kerberized OpenSSH?

RCU nemesis at icequake.no_spam.net
Mon Feb 17 09:55:35 EST 2003


Hi,

I'm looking for some information on what needs to be done to set up
OpenSSH in a Linux Kerberos environment.  Specifically, here is what I
want to do.

I have a machine acting as an SSH/Telnet gateway.  Any access to shells on
other machines must be obtained by first going through this machine.  On
this machine, the user receives a Kerberos ticket.

When the user connects to another machine, I would like the gateway
machine to forward his Kerberos TGT to the new host.  That host would then
obtain a Kerberos ticket on behalf of the user, obtain AFS tokens, and
give the user a shell, without having to enter the password again.  In
essence, I would like the user to, once past the gateway, be able to hop
from box to box, obtaining tickets and AFS tokens on each machine as
necessary.

I already have set up the login service through the pam_krb5 and
pam_openafs_session modules.  It works fine.  User logs in, gets Kerberos
ticket and AFS tokens, logs out, they are destroyed.  I have set up the
ssh service using pam_krb5 as well, but this makes me nervous, as PAM is
known to haunt sysadmins from time to time.  However, it appears to work
mostly as advertised.  Except, the ticket forwarding does not seem to
work. (The user is asked for a password on each machine.)

So here are a few things:
1) Is there anything fundamentally wrong with this idea from a security
standpoint?  I know PAM may be a bad idea for network services, but can
anyone give some specific reasons why, especially with regards to
Kerberos?

2) I installed the ssh-krb5 package (Debian), which is an OpenSSH package
with integrated GSSAPI support.  However, I'm not sure what to do to get
it to use Kerberos for authentication, or for the ticket forwarding to
work.  I tried enabling and disabling all the various GSSAPI and Kerberos
options in the sshd_config, and restarting the server each time, with
always the same results:  user is asked for a password, and it doesn't
accept his Kerberos password.  However, if I add the pam_krb5 to the pam
module stack for the ssh service, it works just as the regular ssh daemon
does.

So, if anyone could shed some light on this, that would be great.  I'm
having trouble finding much good documentation w.r.t. these topics.

Thanks!
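Added example, not from the original post and not part of OpenSSH or the ssh-krb5 package: a POSIX sh check of the three OpenSSH directives that have to agree before a TGT can be delegated to the next hop (GSSAPIAuthentication on the server; GSSAPIAuthentication and GSSAPIDelegateCredentials on the client). The point it demonstrates is that OpenSSH uses the first occurrence of a keyword in a config file, so a distribution default sitting above an admin's later edit wins silently, which is one way "I toggled every option and nothing changed" happens. The sample config files are constructed here; the script assumes the plain "Keyword value" syntax and no Match/Host blocks, and a missing host keytab or realm setup would of course still stop delegation even with the config right.

```shell
#!/bin/sh
# Added example (not the post author's or OpenSSH's code).
# Reports the value OpenSSH will actually use for the sshd_config / ssh_config
# directives behind GSSAPI (Kerberos) authentication and TGT delegation.
# OpenSSH takes the FIRST occurrence of a keyword in a file, so an earlier
# line silently wins over a later edit; effective_value mirrors that rule.
# Keywords are case-insensitive and '#' starts a comment.
# Assumptions: "Keyword value" whitespace syntax (no '='), no Match/Host
# blocks (those would need per-block handling).

# effective_value FILE KEYWORD -> prints the first value for KEYWORD, or "unset"
effective_value() {
    _v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                         # comment line
        NF >= 2 && tolower($1) == key { print $2; exit }  # first match wins
    ' "$1")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'unset\n'; fi
}

# report_directive FILE KEYWORD -> prints a row; returns 0 only if value is "yes"
report_directive() {
    _val=$(effective_value "$1" "$2")
    printf '%-28s %-26s %s\n' "$1" "$2" "$_val"
    [ "$_val" = yes ]
}

# check_delegation_config SERVER_CFG CLIENT_CFG
# Returns 0 when the server accepts GSSAPI auth and the client both offers it
# and delegates the TGT. Otherwise returns 1: the next hop then has no TGT
# and falls back to a password prompt, the symptom described in the post.
check_delegation_config() {
    _ok=0
    report_directive "$1" GSSAPIAuthentication      || _ok=1
    report_directive "$2" GSSAPIAuthentication      || _ok=1
    report_directive "$2" GSSAPIDelegateCredentials || _ok=1
    return $_ok
}

# Constructed sample configs (not real files). The server file has a
# "GSSAPIAuthentication no" line ABOVE the admin's later "yes": the kind of
# edit that looks enabled in the editor but is not in effect.
make_sample_configs() {   # prints the directory holding sshd_config / ssh_config
    _d=$(mktemp -d)
    cat >"$_d/sshd_config" <<'EOF'
# Constructed sample sshd_config
Port 22
Protocol 2
GSSAPIAuthentication no
# added later by the admin, but the earlier line wins:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
    cat >"$_d/ssh_config" <<'EOF'
# Constructed sample ssh_config (client side)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
EOF
    printf '%s\n' "$_d"
}

# Stand-alone demo: "sh check.sh --demo" prints the table and exits 1,
# because the sample server file effectively has GSSAPIAuthentication no.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_configs)
    check_delegation_config "$d/sshd_config" "$d/ssh_config"
fi
```

Pointing the two functions at the real /etc/ssh/sshd_config on each hop and the gateway's /etc/ssh/ssh_config gives a quick audit of the delegation chain; once the table shows "yes" in all three rows, running klist after logging in to the next hop shows whether a forwarded TGT actually arrived, which separates config mistakes from keytab or realm problems.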

