kerberized ssh client configuration on Ubuntu 16.04

Env: 16.04.4 LTS (Xenial Xerus), 4.13.0-36-generic

I'm following this article (https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices) for setting up kerberised ssh. Tried with domain instead of IP, still no luck.

Also, I want these kerberised users to have sudo access on the machine, so that every kerberised user will get admin privileges. This can be achieved by adding an entry in the sudoers file.

For enabling kerberized ssh, it's not working.

Below is the client configuration.

    $ grep -i ad.ny /etc/krb5.conf
    kdc = ad.test.edu
    admin_server = ad.test.edu

I'm able to get the Kerberos ticket without any issues.

    $ kinit test@AD.TEST.EDU
    Password for test@AD.TEST.EDU:

Below are the ticket details.

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: test@AD.TEST.EDU

    Valid starting       Expires              Service principal
    03/19/2019 16:36:05  03/20/2019 02:36:05  krbtgt/AD.TEST.EDU@AD.TEST.EDU

Below is the ssh configuration.

    $ grep -v ^# /etc/ssh/sshd_config | grep -v -e '^$'
    Port 22
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    UsePrivilegeSeparation yes
    KeyRegenerationInterval 3600
    ServerKeyBits 1024
    SyslogFacility AUTH
    LogLevel INFO
    LoginGraceTime 120
    PermitRootLogin prohibit-password
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM yes
    KerberosAuthentication yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

Below is the ssh verbose output.

    $ ssh -K -v test/AD.TEST.EDU@192.168.115.23
    << .snip>
    ..
    <snip>
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Trying private key: /Users/test/.ssh/id_dsa
    debug1: Trying private key: /Users/test/.ssh/id_ecdsa
    debug1: Trying private key: /Users/test/.ssh/id_ed25519
    debug1: Trying private key: /Users/test/.ssh/id_xmss
    debug1: Next authentication method: password
    test/AD.TEST.EDU@192.168.115.23's password:

  • Tried with domain name, no luck. Yes, the server is registered to AD.

    – user183980
    Mar 19 at 13:45

  • Does the server have a keytab installed?

    – teksisto
    Mar 19 at 13:48

  • Yes, keytab installed; here CentOS 7.x works perfectly. I'm trying to set up on Ubuntu 16.04 desktop.

    – user183980
    Mar 19 at 14:14

  • @SebastianStark tried with this directive, still no luck :(

    – user183980
    Mar 19 at 17:09

  • @SebastianStark I have one doubt regarding the ssh format to specify the Kerberos ID. In my case user = test, domain = AD.TEST.EDU, hostname = test.com, so I'm hitting ssh in this format: #ssh -vvv testAD.TEST.EDU@test.com. Please correct me: is the syntax correct or not?

    – user183980
    Mar 19 at 17:20
















Tags: 16.04 ssh kerberos

asked Mar 19 at 12:47 by user183980, edited Mar 19 at 13:46
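
Added example (not part of the original thread): a small parser for `ssh -v` debug output that lists which authentication methods the server offered and which ones the client attempted in the lines supplied. The sample is constructed from the non-elided lines of the question's output; because that output is snipped, run the parser on the full log before drawing conclusions. The function names are this example's own.

```python
import re

# Constructed sample: the non-elided debug lines from the question's `ssh -K -v` run.
SAMPLE = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/test/.ssh/id_dsa
debug1: Trying private key: /Users/test/.ssh/id_ecdsa
debug1: Trying private key: /Users/test/.ssh/id_ed25519
debug1: Trying private key: /Users/test/.ssh/id_xmss
debug1: Next authentication method: password
"""

# Line shapes printed by the OpenSSH client at -v / -vv / -vvv.
OFFERED = re.compile(r"^debug\d: Authentications that can continue: (\S+)")
NEXT = re.compile(r"^debug\d: Next authentication method: (\S+)")
KEY = re.compile(r"^debug\d: (?:Trying private key|Offering (?:\w+ )?public key): ")


def summarize(log):
    """Return (offered, attempted, skipped) method lists, in order of appearance."""
    offered, attempted = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = OFFERED.match(line)
        if m:
            for method in m.group(1).split(","):
                if method not in offered:
                    offered.append(method)
            continue
        m = NEXT.match(line)
        if m:
            if m.group(1) not in attempted:
                attempted.append(m.group(1))
            continue
        # Key attempts imply publickey even when the "Next ..." line was cut off.
        if KEY.match(line) and "publickey" not in attempted:
            attempted.append("publickey")
    skipped = [m for m in offered if m not in attempted]
    return offered, attempted, skipped


def gssapi_status(log):
    """Describe what the supplied lines show about GSSAPI (Kerberos) authentication."""
    offered, attempted, _ = summarize(log)
    gss = [m for m in offered if m.startswith("gssapi-")]
    if not gss:
        return "server did not offer GSSAPI"
    if any(m in attempted for m in gss):
        return "client attempted GSSAPI"
    return "server offered GSSAPI, no client attempt in these lines"


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(gssapi_status(SAMPLE))
```
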
