47.10 Configuring SSH for Kerberos Authentication
OpenSSH supports Kerberos authentication in both
protocol versions 1 and 2. In version 1, there are special protocol
messages to transmit Kerberos tickets.
Version 2 does not use Kerberos directly
anymore, but relies on GSSAPI, the Generic Security Services
API. This is a programming interface that is not specific to
Kerberos: it was designed to hide the
peculiarities of the underlying authentication system, be it
Kerberos, a public-key authentication system like
SPKM, or others. The GSSAPI library included supports only
Kerberos, however.
To use sshd with Kerberos authentication, edit
/etc/ssh/sshd_config and set the following
options:
# These are for protocol version 1
#
# KerberosAuthentication yes
# KerberosTicketCleanup yes
# These are for version 2 - better to use this
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart your SSH daemon using rcsshd restart.
To use Kerberos authentication with protocol
version 2, enable it on the client side as well. Do this either in the
systemwide configuration file /etc/ssh/ssh_config or
on a per-user level by editing ~/.ssh/config. In both
cases, add the option GSSAPIAuthentication yes.
You should now be able to connect using Kerberos
authentication. Use klist to verify that you have a valid
ticket, then connect to the SSH server. To force SSH protocol version 1,
specify the -1 option on the command line.
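The server- and client-side steps above, as an added shell example that is not part of this manual or of the OpenSSH project: it sets the two protocol-2 options in an sshd_config-style file and the one client option in an ssh_config-style file, rewriting a commented-out default such as "#GSSAPIAuthentication no" instead of leaving it beside a new line, dropping later duplicates (sshd honours only the first active occurrence of a keyword), and reporting the value the daemon would actually use. The sample configuration file is constructed in a temporary location so nothing under /etc is touched; the script assumes the plain "Keyword value" layout shown above and does not handle options inside Match blocks. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the SUSE manual or OpenSSH: enable the
# protocol-2 Kerberos options listed in section 47.10.
# Assumes "Keyword value" lines and no Match blocks.

# set_ssh_option FILE KEY VALUE
# Rewrites the first occurrence of KEY, whether active or commented out
# (e.g. the distribution default "#GSSAPIAuthentication no"), drops any
# later duplicate, and appends the option if it is absent at all.
# Keywords are compared case-insensitively, as sshd does.
set_ssh_option() {
    file=$1 key=$2 value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            # strip indentation and one leading "#" so commented defaults match
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, "[[:space:]=]+")
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# ssh_option_value FILE KEY
# Prints the value sshd/ssh would use: the first uncommented occurrence.
ssh_option_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# enable_kerberos_sshd FILE: the two server-side options from the section.
enable_kerberos_sshd() {
    set_ssh_option "$1" GSSAPIAuthentication yes
    set_ssh_option "$1" GSSAPICleanupCredentials yes
}

# enable_kerberos_client FILE: the client-side option from the section
# (works for /etc/ssh/ssh_config and ~/.ssh/config alike).
enable_kerberos_client() {
    set_ssh_option "$1" GSSAPIAuthentication yes
}

# Demo on a constructed sshd_config in a temporary file.
demo() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config (not a real system file)
Port 22
#GSSAPIAuthentication no
GSSAPICleanupCredentials no
EOF
    enable_kerberos_sshd "$cfg"
    printf 'effective GSSAPIAuthentication=%s\n' \
        "$(ssh_option_value "$cfg" GSSAPIAuthentication)"
    printf 'effective GSSAPICleanupCredentials=%s\n' \
        "$(ssh_option_value "$cfg" GSSAPICleanupCredentials)"
    echo '--- resulting file ---'
    cat "$cfg"
    rm -f "$cfg"
}

demo
```

After running the functions against the real files, `rcsshd restart` is still required for the daemon to pick up the change; `ssh_option_value` only tells you what the file says, not what the running sshd has loaded.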
HINT: Additional Information
The file
/usr/share/doc/packages/openssh/README.kerberos
discusses the interaction of OpenSSH and
Kerberos in more detail.