~~Using Kerberos tickets for ssh ~~

Richard E. Silverman res at qoxp.net
Wed Mar 8 21:17:12 EST 2006

>>>>> "LI" == Logarajan  <logarajan at riskspan.com> writes:

    LI> Hi, I have set up a Kerberos Server.  I have created user
    LI> principals on the server.  I am able to get the tickets for the
    LI> user from the KDC.  I want to use this tickets for ssh and other
    LI> logins.  Can anyone help me on the same, how to configure SSH to
    LI> use this tickets for authentication.

The main OpenSSH supports user authentication via GSS/Kerberos.  Roughly:

- Make sure the server has a host principal (host/<fqdn>@REALM) and that
  key is in the server's keytab (usually /etc/krb5.keytab).

- configure server:
    GSSAPIAuthentication yes

- configure client:
    GSSAPIAuthentication yes
    PreferredAuthentications gssapi-with-mic,gssapi,...

- Try it.

Server authentication can be kerberized as well; the Debian ssh-krb5
package has this, as well as OpenSSH with the following patch:


For this, additionally 

  Richard Silverman
  res at qoxp.net

More information about the Kerberos mailing list