Configuring Ssh For Kerberos Authentication - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 08-05-2008 Installation Manual


46.10 Configuring SSH for Kerberos
OpenSSH supports Kerberos authentication in both protocol version 1 and 2. In
version 1, there are special protocol messages to transmit Kerberos tickets.
Version 2 does not use Kerberos directly anymore, but relies on GSSAPI, the
General Security Services API. This is a programming interface that is not
specific to Kerberos—it was designed to hide the peculiarities of the
underlying authentication system, be it Kerberos, a public-key authentication
system like SPKM, or others. The GSSAPI library included supports only
Kerberos, however.
To use sshd with Kerberos authentication, edit /etc/ssh/sshd_config and set
the following options:
# These are for protocol version 1
#
# KerberosAuthentication yes
# KerberosTicketCleanup yes
# These are for version 2 - better to use this
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart your SSH daemon using rcsshd restart.
To use Kerberos authentication with protocol version 2, enable it on the client side as
well. Do this either in the systemwide configuration file /etc/ssh/ssh_config
or on a per-user level by editing ~/.ssh/config. In both cases, add the option
GSSAPIAuthentication yes.
You should now be able to connect using Kerberos authentication. Use klist to
verify that you have a valid ticket, then connect to the SSH server. To force
SSH protocol version 1, specify the -1 option on the command line.
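An added example (not part of the manual): a shell check of the server-side settings from this section, reporting the value sshd actually uses for each GSSAPI option. It relies on OpenSSH's rule that the first value read for a keyword wins; the function names and both sample configurations are constructed for illustration.

```shell
# Added example: audit sshd_config text for the protocol 2 (GSSAPI) options.

# effective_opt KEYWORD: read config text on stdin, print the value in effect.
# Rules applied: "#" lines are comments, keywords are case-insensitive,
# "Keyword=value" is accepted, and the first value read for a keyword wins.
# Lines after a Match keyword (newer OpenSSH) are conditional, so skipped.
effective_opt() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*(#|$)/ { next }
        { gsub(/=/, " "); key = tolower($1) }
        key == "match" { inmatch = 1 }
        !inmatch && !found && key == want { val = $2; found = 1 }
        END { print val }
    '
}

# audit_gssapi: print both options; succeed only if each is effectively "yes".
audit_gssapi() {
    cfg=$(cat)
    rc=0
    for opt in GSSAPIAuthentication GSSAPICleanupCredentials; do
        v=$(printf '%s\n' "$cfg" | effective_opt "$opt")
        printf '%-26s %s\n' "$opt" "$v"
        [ "$v" = "yes" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: the settings from this section.
sample_page() { cat <<'EOF'
# These are for protocol version 1
# KerberosAuthentication yes
# KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
}

# Constructed sample: an early "no" shadows a later "yes"; cleanup is commented.
sample_shadowed() { cat <<'EOF'
gssapiauthentication no
#GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
EOF
}

sample_page | audit_gssapi && echo "sample_page: OK"
sample_shadowed | audit_gssapi || echo "sample_shadowed: GSSAPI not fully enabled"
```

On a server, run `audit_gssapi < /etc/ssh/sshd_config` before restarting sshd.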
TIP: Additional Information
The file /usr/share/doc/packages/openssh/README.kerberos discusses
the interaction of OpenSSH and Kerberos in more detail.