KDC server: kdc.example.com
sshd server: server.example.com
ssh client: client.example.com
===================== SSH server side ===================
1. Install packages
[root@server]# yum -y install krb5-workstation
[root@server]# yum -y install pam_krb5
2. Enable Kerberos authentication
# This will modify files under /etc/pam.d/
[root@server]# authconfig --enablekrb5 --update
3. Add server host and user principals
[root@server]# scp kdc.example.com:/etc/krb5.conf /etc/
[root@server]# kadmin
kadmin: addprinc host/server.example.com
kadmin: ktadd -randkey host/server.example.com
[root@server]# useradd testuser # add local user
[root@server]# kadmin
kadmin: addprinc testuser # password: pass123
4. Modify /etc/ssh/sshd_config
# GSSAPI is the standard interface under which many plugins
# can be used including Kerberos.
GSSAPIAuthentication yes
# If yes, sshd will look for the key in /etc/keytab under the name returned by gethostname().
# If no, sshd will try any key in /etc/keytab.
# So if set to yes, make sure 'gethostname()' or '/usr/bin/hostname -f'
# returns the exact host name saved in /etc/keytab.
# 'no' is the more permissive setting; 'yes' is the stricter choice once the
# host name matches the keytab entry.
GSSAPIStrictAcceptorCheck no
5. Restart sshd service
systemctl restart sshd
===================== SSH client side ===================
1. Install krb5-workstation
[root@client]# yum -y install krb5-workstation
2. Modify /etc/ssh/ssh_config
GSSAPIAuthentication yes
3. Test
[root@client]# kinit testuser
# enter pass: pass123
[root@client]# klist
Default principal: testuser@EXAMPLE.COM
Valid starting Expires Service principal
01/09/19 19:43:11 02/09/19 19:43:11 krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@client]# ssh testuser@server.example.com
OR
[root@client]# useradd testuser
[root@client]# su - testuser
[testuser@client]# kinit
# enter pass: pass123
[testuser@client]# klist
Default principal: testuser@EXAMPLE.COM
Valid starting Expires Service principal
01/09/19 19:43:11 02/09/19 19:43:11 krbtgt/EXAMPLE.COM@EXAMPLE.COM
[testuser@client]# ssh server.example.com