OpenSSH Single sign-on

Revision as of 18:16, 27 August 2015 by Mmuehlfeld (talk | contribs) (Moved content from a larger page to a new separate one for better maintenance)

This section explains how to allow passwordless SSH between Samba AD joined Linux hosts (or passwordless SSH using PuTTY from Windows machines joined to the same domain).

This section assumes that the krb5.conf files on your joined machines are appropriately configured (this usually happens automatically when they are joined) and point to a suitable Kerberos keytab. The keytab is generated by running "net ads keytab create" on the joined machine, which will usually put it in a place where Kerberos finds it by default, /etc/krb5.keytab. If not, you may need to add a "default_keytab_name" entry to your krb5.conf that points to the generated /etc/krb5.keytab.

DNS also needs working forward and reverse entries for the SSH servers. See the Apache Single Sign-On section for how to achieve this.

In /etc/ssh/sshd_config ensure you have the following options set:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes                # If your version supports this
GSSAPIStoreCredentialsOnRekey yes    # If your version supports this

Then restart sshd.

For the client side, ensure you have the following set under an appropriate "Host" section in /etc/ssh/ssh_config:

Host *
       GSSAPIAuthentication yes
       GSSAPIDelegateCredentials yes
       GSSAPIKeyExchange yes         # If your version supports this
       GSSAPIRenewalForcesRekey yes  # If your version supports this
       GSSAPITrustDns yes

The options marked "If your version supports this" are provided in many distribution-shipped versions of OpenSSH. The "KeyExchange" options allow host verification via GSSAPI. The "GSSAPIStoreCredentialsOnRekey" (server option) and "GSSAPIRenewalForcesRekey" (client option) allow a Kerberos renewal to propagate down existing SSH connections.
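The prerequisites above (a host keytab, matching forward and reverse DNS, and the server-side GSSAPI options) can be checked before the first login attempt. The following pre-flight script is an added example, not part of this wiki page or of OpenSSH; it assumes MIT Kerberos tools (klist) and glibc getent, and a keytab at /etc/krb5.keytab unless told otherwise. The sample sshd_config it writes is constructed, so the parser can be tried offline.

```shell
# Added pre-flight check for GSSAPI SSH SSO; not part of the Samba wiki or OpenSSH.
# Assumes MIT Kerberos (klist -k), glibc getent, keytab defaulting to /etc/krb5.keytab.

# Effective value of KEY in an sshd_config-style FILE: sshd takes the first
# uncommented occurrence and matches keywords case-insensitively.
sshd_option() {                       # usage: sshd_option FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }                    # comment or blank line
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# Verify the server-side GSSAPI options; reports each bad one on stderr.
check_sshd_gssapi() {                 # usage: check_sshd_gssapi FILE
    rc=0
    for opt in GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(sshd_option "$1" "$opt")
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != yes ]; then
            echo "$1: $opt is '${val:-unset}', expected yes" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The keytab must hold host/<fqdn>@REALM or sshd cannot accept GSSAPI logins.
check_keytab() {                      # usage: check_keytab [KEYTAB]
    klist -k "${1:-/etc/krb5.keytab}" | grep -qi "host/$(hostname -f)@"
}

# Forward and reverse DNS for the SSH server name must agree.
check_dns() {                         # usage: check_dns FQDN
    addr=$(getent hosts "$1" | awk '{ print $1; exit }')
    [ -n "$addr" ] || return 1
    rev=$(getent hosts "$addr" | awk '{ print $2; exit }')
    [ "$(echo "$rev" | tr 'A-Z' 'a-z')" = "$(echo "$1" | tr 'A-Z' 'a-z')" ]
}

# Constructed sample config (not from any real host) so the parser can be tried offline.
write_sample_config() {               # usage: write_sample_config FILE
    cat > "$1" <<'EOF'
Port 22
# GSSAPIAuthentication no           <- commented out, must be ignored
GSSAPIAuthentication yes
gssapicleanupcredentials yes
GSSAPIKeyExchange yes                # If your version supports this
EOF
}
```

On a joined host, run `check_sshd_gssapi /etc/ssh/sshd_config && check_keytab && check_dns "$(hostname -f)"`; any non-zero result points at the prerequisite that still needs fixing.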

I have also found the following necessary in smb.conf:

kerberos method = secrets and keytab

and in /etc/security/pam_winbind.conf :

krb5_auth = yes
krb5_ccache_type = FILE

so that console-based logins, and SSH logins that fall back to a password (because the calling machine has no suitable ticket for passwordless login), obtain a Kerberos TGT. This is essential if you use services such as NFSv4 with Kerberos authentication.

Allowing PuTTY SSH logins to be passwordless from a Windows machine joined to the same domain as your Linux host requires a reasonably up-to-date version of PuTTY. Then all that needs to be set for a particular session is: under Connection -> SSH -> Auth -> GSSAPI, select "Attempt GSSAPI authentication (SSH-2 only)" and "Allow GSSAPI credential delegation". Optionally, under Connection -> Data, select "Use system username" if desired.

It is desirable to set "Trust this computer for delegation to any service (Kerberos only)" under the "Delegation" tab in Users and Computers for the computer objects you are SSHing into. This allows your Kerberos tickets to be passed to the machine you are SSHing into, so that you can use Kerberized services on that system, for example SSHing into yet another computer without a password.

(This tutorial was provided by Colin Simpson. Thanks.)