kerberized ssh client configuration on Ubuntu 16.04
Env: 16.04.4 LTS (Xenial Xerus), 4.13.0-36-generic
I'm following this article (https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices) for setting up kerberised ssh. I tried with the domain instead of the IP, still no luck.
Also, I want these kerberised users to have sudo access on the machine, so that every kerberised user will get admin privileges. This can be achieved by adding an entry in the sudoers file.
Enabling kerberized ssh is not working.
Below is the client configuration.
    $grep -i  ad.ny /etc/krb5.conf 
    kdc = ad.test.edu
    admin_server = ad.test.edu
I'm able to get the kerberos ticket without any issues.
    $kinit test@AD.TEST.EDU
    Password for test@AD.TEST.EDU: 
Below are the ticket details.
    $klist 
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: test@AD.TEST.EDU
    Valid starting       Expires              Service principal
    03/19/2019 16:36:05  03/20/2019 02:36:05  krbtgt/AD.TEST.EDU@AD.TEST.EDU
Below is the ssh configuration
 $ grep -v ^# /etc/ssh/sshd_config  | grep -v -e '^$'
  Port 22
  Protocol 2
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  HostKey /etc/ssh/ssh_host_ecdsa_key
  HostKey /etc/ssh/ssh_host_ed25519_key
  UsePrivilegeSeparation yes
  KeyRegenerationInterval 3600
  ServerKeyBits 1024
  SyslogFacility AUTH
  LogLevel INFO
  LoginGraceTime 120
  PermitRootLogin prohibit-password
  StrictModes yes
  RSAAuthentication yes
  PubkeyAuthentication yes
  IgnoreRhosts yes
  RhostsRSAAuthentication no
  HostbasedAuthentication no
  PermitEmptyPasswords no
  ChallengeResponseAuthentication no
  X11Forwarding yes
  X11DisplayOffset 10
  PrintMotd no
  PrintLastLog yes
  TCPKeepAlive yes
  AcceptEnv LANG LC_*
  Subsystem sftp /usr/lib/openssh/sftp-server
  UsePAM yes
  KerberosAuthentication yes
  KerberosTicketCleanup yes
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
Below is the ssh verbose output
  $ssh -K -v test/AD.TEST.EDU@192.168.115.23
  <snip>
  ..
  <snip>
  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
  debug1: Trying private key: /Users/test/.ssh/id_dsa
  debug1: Trying private key: /Users/test/.ssh/id_ecdsa
  debug1: Trying private key: /Users/test/.ssh/id_ed25519
  debug1: Trying private key: /Users/test/.ssh/id_xmss
  debug1: Next authentication method: password
  test/AD.TEST.EDU@192.168.115.23's password: 
16.04 ssh kerberos
Tried with domain name, no luck. Yes, the server is registered to AD.
– user183980
Mar 19 at 13:45
Does the server have a keytab installed?
– teksisto
Mar 19 at 13:48
Yes, keytab installed; here CentOS 7.x works perfectly. I'm trying to set up on Ubuntu 16.04 desktop.
– user183980
Mar 19 at 14:14
@SebastianStark tried with this directive, still no luck :(
– user183980
Mar 19 at 17:09
@SebastianStark I have one doubt regarding the ssh format to specify the kerberos ID. In my case user = test, domain = AD.TEST.EDU, hostname = test.com, so I'm hitting ssh in this format: #ssh -vvv testAD.TEST.EDU@test.com . Please correct me on whether the syntax is correct or not.
– user183980
Mar 19 at 17:20
asked Mar 19 at 12:47 by user183980; edited Mar 19 at 13:46