Old 05-24-2010, 08:07 AM   #1
LQ Newbie
Registered: Jul 2008
Posts: 6

Rep: Reputation: 0
Permitting users to ssh without typing their passwords via kerberos?

Is there a way to use kerberos (or barring that a trusted CA) to allow users to ssh across machines in an environment instead of having to manage the hash keys per user/server? I'm using kerberos+ldap to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.

Do I need to create an SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.
Old 05-25-2010, 01:18 AM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1984
Sure you can. If you have a krb5 ticket that's valid, just enable the ssh server to accept forwarded tickets using the gssapi options in the config files and you should see it being passed along pretty easily.

Whilst kerberos is nice and tricky and all, remember that it propagates the weakest link in the security chain: one unguarded machine can expose a HUGE amount of other machines.

There are also certificate angles, but only, afaik, via patching the source, I don't think anything is part of the mainline openssh code tree. Go google that one, certainly out there.
2 members found this post helpful.
Old 05-27-2010, 02:46 PM   #3
LQ Newbie
Registered: Jul 2008
Posts: 6

Original Poster
Rep: Reputation: 0
Any links would be appreciated, I am having trouble finding how to set up GSSAPI to take advantage of this. The man page is not much help. Need a woman page, that would tell me exactly what I am doing wrong
Old 06-07-2010, 05:32 AM   #4
LQ Newbie
Registered: Jun 2010
Posts: 2

Rep: Reputation: 0

Add this just below the HOST entry in /etc/ssh/ssh_config

"GSSAPIDelegateCredentials yes"

It will work..
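
Posts #2 and #4 point at a check worth automating: GSSAPIDelegateCredentials forwards the user's ticket to the remote host, so it is safest when enabled only for named hosts rather than wildcard patterns. The shell script below is an added example, not code from any poster in this thread; it lists which ssh_config sections delegate tickets and how widely. The sample config and host names are constructed, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example: list the ssh_config sections that delegate Kerberos tickets.
# ssh uses the first value it finds for an option, so an early "Host *"
# section that sets the option decides it for every host.

# Constructed sample client config; host names are placeholders.
sample_config() {
cat <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host build01.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.lab.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Reads ssh_config text on stdin. For each section that enables delegation,
# prints "WIDE <patterns>" (wildcard or global scope) or "OK <patterns>".
audit_delegation() {
    awk '
    function flush(   tag) {
        if (deleg != "yes") return
        tag = (label ~ /[*?]/ || label == "(global)") ? "WIDE" : "OK"
        print tag, label
    }
    BEGIN { label = "(global)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    { gsub(/=/, " "); key = tolower($1) }  # accept "Key=value"; keys are case-insensitive
    key == "host" {                        # a Host line starts a new section
        flush(); deleg = ""; label = $2
        for (i = 3; i <= NF; i++) label = label " " $i
        next
    }
    key == "gssapidelegatecredentials" && deleg == "" { deleg = tolower($2) }
    END { flush() }
    '
}

sample_config | audit_delegation
```

To audit a real client, feed it the file directly: `audit_delegation < /etc/ssh/ssh_config`.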

