SSH Service
SSH has built-in support for Kerberos (many other applications use PAM). Follow the instructions below to get SSH login with Kerberos working on your Linux system.
sshd Configuration
To allow login via SSH using a Kerberos ticket, make sure that the following options are present and have the given values in /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
GSSAPIKeyExchange yes
If you have to change /etc/ssh/sshd_config as root, then also restart the sshd service:
systemctl restart sshd.service
Kerberos login in SSH only works if the system has a system keytab for a computer object. It does not work when a user keytab is used as the system keytab.
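One way to verify the five server options listed above, added here as an example that is not part of the original page: the shell function reads an sshd_config-style file and reports each option as OK, WRONG or MISSING, applying sshd's rules that the first value read for a keyword wins and that lines under a Match block are conditional. The function name check_sshd_gssapi and the sample file are assumptions made for this example; Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the original page): check that the global section of
# an sshd_config-style file sets the five GSSAPI options listed above.
# Assumptions: Include files are not followed; values are compared literally.

# keyword=value pairs from the page, keywords lower-cased (sshd ignores their case)
REQUIRED='gssapiauthentication=yes gssapistrictacceptorcheck=no gssapicleanupcredentials=no gssapistorecredentialsonrekey=yes gssapikeyexchange=yes'

# check_sshd_gssapi FILE: one report line per option; returns 0 only if all match
check_sshd_gssapi() {
    awk -v required="$REQUIRED" '
    BEGIN {
        n = split(required, req, " ")
        for (i = 1; i <= n; i++) { split(req[i], kv, "="); order[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    {
        gsub(/^[ \t]+|[ \t\r]+$/, "")              # trim the line
        if ($0 == "" || $0 ~ /^#/) next            # skip blanks and comments
        sub(/[ \t]*=[ \t]*/, " ")                  # accept "Keyword=value" as well
        key = tolower($1)
        if (key == "match") { in_match = 1; next } # everything below is conditional
        if (in_match) next
        # sshd keeps the first value it reads for a keyword; later lines are ignored
        if ((key in want) && !(key in seen)) seen[key] = $2
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen))            { printf "MISSING %s (want %s)\n", k, want[k]; bad++ }
            else if (seen[k] != want[k]) { printf "WRONG   %s %s (want %s)\n", k, seen[k], want[k]; bad++ }
            else                           printf "OK      %s %s\n", k, seen[k]
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: StrictAcceptorCheck has the wrong value, and the only
# GSSAPIAuthentication line sits inside a Match block, so it is not a global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GSSAPIStrictAcceptorCheck yes
gssapicleanupcredentials=no
GSSAPIStoreCredentialsOnRekey yes
GSSAPIKeyExchange yes
GSSAPIKeyExchange no
Match User alice
    GSSAPIAuthentication yes
EOF
check_sshd_gssapi "$sample" || echo "sample does not match the required options"
rm -f "$sample"
```

On a real host, call check_sshd_gssapi /etc/ssh/sshd_config after editing the file and before restarting sshd.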
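ssh Configuration
Kerberos authentication and ticket forwarding must first be enabled for the OpenSSH client. In the configuration below, the Host * block applies GSSAPIDelegateCredentials to every server, so each host you log in to receives a forwarded ticket.
Edit /etc/ssh/ssh_config as root and replace the contents with the text below: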
SendEnv LANG LANGUAGE XMODIFIERS LC_*
ServerAliveInterval 300
ServerAliveCountMax 12
ForwardAgent yes
Match user root
    ForwardX11 no
    ForwardX11Trusted no
Host localhost,localhost.localdomain,localhost4,localhost4.localdomain4,localhost6,localhost6.localdomain6
    NoHostAuthenticationForLocalhost yes
    ForwardX11 yes
    ForwardX11Trusted yes
Host *
    ForwardX11 yes
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
    GSSAPIKeyExchange yes