kerberized ssh client configuration on Ubuntu 16.04












0















Env:- 16.04.4 LTS (Xenial Xerus)
4.13.0-36-generic



I'm following this article (https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices ) for setting up kerberised ssh. Tried with domain instead of IP, still no luck..



Also I want to enable these kerberised users needs have sudo access on the machine, so that every kerberised users will get admin prvileges. This can be achieved by adding entry in sudoers file.



For enabling kerberized ssh its not working.



Below is the client configuration.



    $grep -i  ad.ny /etc/krb5.conf 
kdc = ad.test.edu
admin_server = ad.test.edu


I'm able to get the kerberos ticket without any issues



$kinit test@AD.TEST.EDU
Password for test@AD.TEST.EDU:


Below is the ticket details



 $klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test@AD.TEST.EDU

Valid starting Expires Service principal
03/19/2019 16:36:05 03/20/2019 02:36:05
krbtgt/AD.TEST.EDU@AD.TEST.EDU


Below is the ssh configuration



 $ grep -v ^# /etc/ssh/sshd_config  | grep -v -e '^$'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Below is the ssh verbose output



  $ssh -K -v test/AD.TEST.EDU@192.168.115.23
<< .snip>
..
<snip>
debug1: Authentications that can continue: publickey,gssapi-
keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/test/.ssh/id_dsa
debug1: Trying private key: /Users/test/.ssh/id_ecdsa
debug1: Trying private key: /Users/test/.ssh/id_ed25519
debug1: Trying private key: /Users/test/.ssh/id_xmss
debug1: Next authentication method: password
test/AD.TEST.EDU@192.168.115.23's password:









share|improve this question

























  • Tried with domain name no luck. Yes the server registered to AD.

    – user183980
    Mar 19 at 13:45











  • Does the server have a keytab installed?

    – teksisto
    Mar 19 at 13:48











  • yes keytab installed, here centos 7.x works perfectly. I'm trying to setup on Ubuntu 16.04 desktop.

    – user183980
    Mar 19 at 14:14











  • @SebastianStark tried with this directive, still no luck :(

    – user183980
    Mar 19 at 17:09











  • @SebastianStark I have one doubt, regarding the ssh format to specify the kerberos ID. In my case user=test , domain = AD.TEST.EDU hostname = test.com , so I'm hitting ssh in this format #ssh -vvv testAD.TEST.EDU@test.com . Please correct me the syntax is correct or not

    – user183980
    Mar 19 at 17:20
















0















Env:- 16.04.4 LTS (Xenial Xerus)
4.13.0-36-generic



I'm following this article (https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices ) for setting up kerberised ssh. Tried with domain instead of IP, still no luck..



Also I want to enable these kerberised users needs have sudo access on the machine, so that every kerberised users will get admin prvileges. This can be achieved by adding entry in sudoers file.



For enabling kerberized ssh its not working.



Below is the client configuration.



    $grep -i  ad.ny /etc/krb5.conf 
kdc = ad.test.edu
admin_server = ad.test.edu


I'm able to get the kerberos ticket without any issues



$kinit test@AD.TEST.EDU
Password for test@AD.TEST.EDU:


Below is the ticket details



 $klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test@AD.TEST.EDU

Valid starting Expires Service principal
03/19/2019 16:36:05 03/20/2019 02:36:05
krbtgt/AD.TEST.EDU@AD.TEST.EDU


Below is the ssh configuration



 $ grep -v ^# /etc/ssh/sshd_config  | grep -v -e '^$'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Below is the ssh verbose output



  $ssh -K -v test/AD.TEST.EDU@192.168.115.23
<< .snip>
..
<snip>
debug1: Authentications that can continue: publickey,gssapi-
keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/test/.ssh/id_dsa
debug1: Trying private key: /Users/test/.ssh/id_ecdsa
debug1: Trying private key: /Users/test/.ssh/id_ed25519
debug1: Trying private key: /Users/test/.ssh/id_xmss
debug1: Next authentication method: password
test/AD.TEST.EDU@192.168.115.23's password:









share|improve this question

























  • Tried with domain name no luck. Yes the server registered to AD.

    – user183980
    Mar 19 at 13:45











  • Does the server have a keytab installed?

    – teksisto
    Mar 19 at 13:48











  • yes keytab installed, here centos 7.x works perfectly. I'm trying to setup on Ubuntu 16.04 desktop.

    – user183980
    Mar 19 at 14:14











  • @SebastianStark tried with this directive, still no luck :(

    – user183980
    Mar 19 at 17:09











  • @SebastianStark I have one doubt, regarding the ssh format to specify the kerberos ID. In my case user=test , domain = AD.TEST.EDU hostname = test.com , so I'm hitting ssh in this format #ssh -vvv testAD.TEST.EDU@test.com . Please correct me the syntax is correct or not

    – user183980
    Mar 19 at 17:20














0












0








0








Env:- 16.04.4 LTS (Xenial Xerus)
4.13.0-36-generic



I'm following this article (https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices ) for setting up kerberised ssh. Tried with domain instead of IP, still no luck..



Also I want to enable these kerberised users needs have sudo access on the machine, so that every kerberised users will get admin prvileges. This can be achieved by adding entry in sudoers file.



For enabling kerberized ssh its not working.



Below is the client configuration.



    $grep -i  ad.ny /etc/krb5.conf 
kdc = ad.test.edu
admin_server = ad.test.edu


I'm able to get the kerberos ticket without any issues



$kinit test@AD.TEST.EDU
Password for test@AD.TEST.EDU:


Below is the ticket details



 $klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test@AD.TEST.EDU

Valid starting Expires Service principal
03/19/2019 16:36:05 03/20/2019 02:36:05
krbtgt/AD.TEST.EDU@AD.TEST.EDU


Below is the ssh configuration



 $ grep -v ^# /etc/ssh/sshd_config  | grep -v -e '^$'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Below is the ssh verbose output



  $ssh -K -v test/AD.TEST.EDU@192.168.115.23
<< .snip>
..
<snip>
debug1: Authentications that can continue: publickey,gssapi-
keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/test/.ssh/id_dsa
debug1: Trying private key: /Users/test/.ssh/id_ecdsa
debug1: Trying private key: /Users/test/.ssh/id_ed25519
debug1: Trying private key: /Users/test/.ssh/id_xmss
debug1: Next authentication method: password
test/AD.TEST.EDU@192.168.115.23's password:









share|improve this question
















Env:- 16.04.4 LTS (Xenial Xerus)
4.13.0-36-generic



I'm following this article (https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices ) for setting up kerberised ssh. Tried with domain instead of IP, still no luck..



Also I want to enable these kerberised users needs have sudo access on the machine, so that every kerberised users will get admin prvileges. This can be achieved by adding entry in sudoers file.



For enabling kerberized ssh its not working.



Below is the client configuration.



    $grep -i  ad.ny /etc/krb5.conf 
kdc = ad.test.edu
admin_server = ad.test.edu


I'm able to get the kerberos ticket without any issues



$kinit test@AD.TEST.EDU
Password for test@AD.TEST.EDU:


Below is the ticket details



 $klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test@AD.TEST.EDU

Valid starting Expires Service principal
03/19/2019 16:36:05 03/20/2019 02:36:05
krbtgt/AD.TEST.EDU@AD.TEST.EDU


Below is the ssh configuration



 $ grep -v ^# /etc/ssh/sshd_config  | grep -v -e '^$'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Below is the ssh verbose output



  $ssh -K -v test/AD.TEST.EDU@192.168.115.23
<< .snip>
..
<snip>
debug1: Authentications that can continue: publickey,gssapi-
keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/test/.ssh/id_dsa
debug1: Trying private key: /Users/test/.ssh/id_ecdsa
debug1: Trying private key: /Users/test/.ssh/id_ed25519
debug1: Trying private key: /Users/test/.ssh/id_xmss
debug1: Next authentication method: password
test/AD.TEST.EDU@192.168.115.23's password:






16.04 ssh kerberos






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 19 at 13:46







user183980

















asked Mar 19 at 12:47









user183980user183980

63




63













  • Tried with domain name no luck. Yes the server registered to AD.

    – user183980
    Mar 19 at 13:45











  • Does the server have a keytab installed?

    – teksisto
    Mar 19 at 13:48











  • yes keytab installed, here centos 7.x works perfectly. I'm trying to setup on Ubuntu 16.04 desktop.

    – user183980
    Mar 19 at 14:14











  • @SebastianStark tried with this directive, still no luck :(

    – user183980
    Mar 19 at 17:09











  • @SebastianStark I have one doubt, regarding the ssh format to specify the kerberos ID. In my case user=test , domain = AD.TEST.EDU hostname = test.com , so I'm hitting ssh in this format #ssh -vvv testAD.TEST.EDU@test.com . Please correct me the syntax is correct or not

    – user183980
    Mar 19 at 17:20



















  • Tried with domain name no luck. Yes the server registered to AD.

    – user183980
    Mar 19 at 13:45











  • Does the server have a keytab installed?

    – teksisto
    Mar 19 at 13:48











  • yes keytab installed, here centos 7.x works perfectly. I'm trying to setup on Ubuntu 16.04 desktop.

    – user183980
    Mar 19 at 14:14











  • @SebastianStark tried with this directive, still no luck :(

    – user183980
    Mar 19 at 17:09











  • @SebastianStark I have one doubt, regarding the ssh format to specify the kerberos ID. In my case user=test , domain = AD.TEST.EDU hostname = test.com , so I'm hitting ssh in this format #ssh -vvv testAD.TEST.EDU@test.com . Please correct me the syntax is correct or not

    – user183980
    Mar 19 at 17:20

















Tried with domain name no luck. Yes the server registered to AD.

– user183980
Mar 19 at 13:45





Tried with domain name no luck. Yes the server registered to AD.

– user183980
Mar 19 at 13:45













Does the server have a keytab installed?

– teksisto
Mar 19 at 13:48





Does the server have a keytab installed?

– teksisto
Mar 19 at 13:48













yes keytab installed, here centos 7.x works perfectly. I'm trying to setup on Ubuntu 16.04 desktop.

– user183980
Mar 19 at 14:14





yes keytab installed, here centos 7.x works perfectly. I'm trying to setup on Ubuntu 16.04 desktop.

– user183980
Mar 19 at 14:14













@SebastianStark tried with this directive, still no luck :(

– user183980
Mar 19 at 17:09





@SebastianStark tried with this directive, still no luck :(

– user183980
Mar 19 at 17:09













@SebastianStark I have one doubt, regarding the ssh format to specify the kerberos ID. In my case user=test , domain = AD.TEST.EDU hostname = test.com , so I'm hitting ssh in this format #ssh -vvv testAD.TEST.EDU@test.com . Please correct me the syntax is correct or not

– user183980
Mar 19 at 17:20





@SebastianStark I have one doubt, regarding the ssh format to specify the kerberos ID. In my case user=test , domain = AD.TEST.EDU hostname = test.com , so I'm hitting ssh in this format #ssh -vvv testAD.TEST.EDU@test.com . Please correct me the syntax is correct or not

– user183980
Mar 19 at 17:20










0






active

oldest

votes












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1126928%2fkerberized-ssh-client-configuration-on-ubuntu-16-04%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1126928%2fkerberized-ssh-client-configuration-on-ubuntu-16-04%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

數位音樂下載

When can things happen in Etherscan, such as the picture below?

格利澤436b