Single sign-on with ssh (only unix)

Nathan Ollerenshaw nathan at valuecommerce.co.jp
Thu Jun 2 05:24:28 EDT 2005


Hi,

I've been banging my head against kerberos for the last few days, and  
I just can't seem to get it working right.

What I want to do is use kerberos as a central authentication  
database as well as for a single sign on solution for SSH, for our  
system administrators to use.

Ideally, I want to be able to have a single machine that all our  
admins can log into (either with kerberos credentials or ssh public  
key auth) and then they kinit on that machine once, then they can log  
into any of our servers transparently using kerberos.

I've been trying to set this up on some test servers, and so far all  
I've managed to do is create a functional kerberos kdc (on Fedora  
Core). I have another FC machine that I configure with 'authconfig'  
to use kerberos - and it works - I can use my kerberos password to  
log into this machine. And on this machine, if I do a klist, I see it  
has a tgt.

But, I can't ssh from that machine to itself or to another machine -  
ssh is not even looking at the tickets.

Has anyone got a better step-by-step guide they can point me at?

Do I need to create individual server principals? How do I do this?  
Do I create sshd/domain principals for ssh? How? How do I log in with  
kadmin on another machine? Where should I store keytabs? Do I need to  
export host keytabs?

The documentation is all very flimsy. ALL of the documentation that  
I've seen is basically a copy of the MIT stuff, which doesn't really  
explain any of this fully. For example the redhat documentation just  
tells you how to set up a client and a server, but doesn't tell you  
how to get kerberized sshd working, etc.

Can anyone help?

Regards,

Nathan.

-- 
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.

Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995   Fax. +81.3.3812.4051
mailto:nathan at valuecommerce.co.jp

  "The man who carries a cat by the tail learns something
  that can be learned in no other way." - Mark Twain



