Using Ldap And Kerberos - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual

# KerberosTicketCleanup yes
# These are for version 2 - better to use this
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart your SSH daemon using rcsshd restart.

To use Kerberos authentication with protocol version 2, enable it on the client side as well. Do this either in the systemwide configuration file /etc/ssh/ssh_config or on a per-user level by editing ~/.ssh/config. In both cases, add the option GSSAPIAuthentication yes.

You should now be able to connect using Kerberos authentication. Use klist to verify that you have a valid ticket, then connect to the SSH server. To force SSH protocol version 1, specify the -1 option on the command line.

TIP: Additional Information
The file /usr/share/doc/packages/openssh/README.kerberos discusses the interaction of OpenSSH and Kerberos in more detail.
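
The server-side settings above can be checked before restarting sshd. The following script is an added example, not part of the manual: the function names and the sample file are constructed for illustration. It assumes the sshd_config(5) rules that the first value read for a keyword wins and that the defaults are GSSAPIAuthentication no and GSSAPICleanupCredentials yes, and it goes beyond the manual by also accounting for Match blocks.

```sh
#!/bin/sh
# Added example, not from the manual: audit the global section of an
# sshd_config file for the two GSSAPI settings shown above.

# effective_opt FILE KEYWORD DEFAULT
# Prints the value sshd would use globally: keywords are case-insensitive,
# '#' lines are comments, the first value read wins, and the global section
# ends at the first Match block.
effective_opt() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); val = dflt }
        { sub(/^[ \t]+/, "") }                    # drop leading blanks
        /^#/ || NF == 0 { next }                  # comment or empty line
        tolower($1) == "match" { exit }           # conditional block starts
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_gssapi FILE
# Prints one line per setting; returns 1 unless both are effectively "yes".
# Defaults assumed from sshd_config(5): GSSAPIAuthentication no,
# GSSAPICleanupCredentials yes.
audit_gssapi() {
    rc=0
    for pair in GSSAPIAuthentication:no GSSAPICleanupCredentials:yes; do
        key=${pair%%:*}
        val=$(effective_opt "$1" "$key" "${pair#*:}")
        if [ "$val" = yes ]; then
            echo "ok   $key $val"
        else
            echo "FAIL $key $val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the option is only present as a comment and inside a
# Match block (hypothetical user "alice"), so it is not enabled globally.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Match User alice
    GSSAPIAuthentication yes
EOF
audit_gssapi "$sample" || echo "GSSAPI is not enabled for all users"
```

Run against the real file with audit_gssapi /etc/ssh/sshd_config; a FAIL line for GSSAPIAuthentication usually means the option is still commented out or only set inside a conditional block.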

47.11 Using LDAP and Kerberos

When using Kerberos, one way to distribute the user information (such as user ID, groups, and home directory) in your local network is to use LDAP. This requires a strong authentication mechanism that prevents packet spoofing and other attacks. One solution is to use Kerberos for LDAP communication, too.

OpenLDAP implements most authentication flavors through SASL, the simple authentication session layer. SASL is basically a network protocol designed for authentication. The SASL implementation is cyrus-sasl, which supports a number of different authentication flavors. Kerberos authentication is performed through GSSAPI (General Security Services API). By default, the SASL plug-in for GSSAPI is not installed. Install it manually with rpm -ivh cyrus-sasl-gssapi-*.rpm.

To enable Kerberos to bind to the OpenLDAP server, create a principal ldap/earth.example.com and add that to the keytab.


This manual is also suitable for:

Suse linux enterprise server 10
