The following example shows how to set up an AD DS account for a Unix computer so that the SSH daemon on that host can use Kerberos (GSSAPI, to be precise) authentication.
To be clear, the Windows part of the process is performed with PowerShell 2.0:
# Import the Active Directory module
Import-Module ActiveDirectory
# (Optional) Create a group for Unix computer account administrators and add the unixadmin account to it
# (-PassThru is required so that the new group object is piped into Add-ADGroupMember)
New-ADGroup "Unix computers accounts administrators" Global -Description "Unix computers accounts administrators" -OtherAttributes @{mail="usg@company.test"} -PassThru | Add-ADGroupMember -Members unixadmin
# (Optional) Create the OU for Unix computer accounts
New-ADOrganizationalUnit -Name "Unix computers" -Description "OU for Unix computers accounts & groups" -ManagedBy "Unix computers accounts administrators" -Path 'dc=company,dc=test'
# (Optional) Create the global group that will contain the Unix computer accounts
New-ADGroup "Unix computers" Global -Path 'OU=Unix computers,dc=company,dc=test' -Description "Unix computers accounts" -ManagedBy "Unix computers accounts administrators"
# Create the Unix computer account with the appropriate attributes and group membership
New-ADUser unixcomputer -UserPrincipalName "unixcomputer@company.test" -CannotChangePassword 1 -PasswordNeverExpires 1 -Enabled 1 -Path 'OU=Unix computers,dc=company,dc=test' -DisplayName "unixcomputer.company.test" -Description "Used for Kerberos authentication" -Company "Company" -Department "IS&T" -Division "USG" -Country "US" -City "Raleigh" -AccountPassword (ConvertTo-SecureString -string "SomeRandomPass" -asplaintext -force) -passthru | Add-ADPrincipalGroupMembership -memberof "Unix Computers"
# Map the Kerberos host principal to the user account (+rndpass sets a new random password) and export the keytab file
ktpass -princ host/unixcomputer.company.test@COMPANY.TEST -mapuser unixcomputer@company.test -pType KRB5_NT_PRINCIPAL +rndpass -out krb5.keytab
Verify that the SPN was created:
setspn -Q host/unixcomputer.company.test
Checking domain DC=company,DC=test
CN=unixcomputer,OU=Unix computers,DC=company,DC=test
host/unixcomputer.company.test
Existing SPN found!
Securely copy generated keytab to the Unix computer.
Now the Unix counterpart of the process.
On OpenBSD, copy the contents of the krb5.keytab generated on the Windows machine to /etc/kerberosV/krb5.keytab:
# ktutil copy ./krb5.keytab /etc/kerberosV/krb5.keytab
Verify that the keytab entry was added:
# ktutil list
FILE:/etc/kerberosV/krb5.keytab:
Vno  Type              Principal
  3  arcfour-hmac-md5  host/unixcomputer.company.test@COMPANY.TEST
Verify Kerberos:
$ kinit
user@COMPANY.TEST's Password:
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: user@COMPANY.TEST
Issued           Expires          Principal
Nov  3 18:13:24  Nov  4 04:13:24  krbtgt/COMPANY.TEST@COMPANY.TEST
Configure sshd to use GSSAPI authentication:
# cf=/etc/ssh/sshd_config && mv $cf $cf.old && sed 's/.*GSSAPIAuthentication.*/GSSAPIAuthentication yes/' $cf.old > $cf && kill -HUP `cat /var/run/sshd.pid`
On FreeBSD, copy the contents of the krb5.keytab generated on the Windows machine to /etc/krb5.keytab:
# ktutil copy ./krb5.keytab /etc/krb5.keytab
Verify that the keytab entry was added:
# ktutil list
FILE:/etc/krb5.keytab:
Vno  Type              Principal
  3  arcfour-hmac-md5  host/unixcomputer.company.test@COMPANY.TEST
ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory
Verify Kerberos:
$ kinit
user@COMPANY.TEST's Password:
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: user@COMPANY.TEST
Issued           Expires          Principal
Nov  3 18:31:57  Nov  4 04:31:57  krbtgt/COMPANY.TEST@COMPANY.TEST
Configure sshd to use GSSAPI authentication:
# sed -i .bak 's/.*GSSAPIAuthentication.*/GSSAPIAuthentication yes/' /etc/ssh/sshd_config && kill -HUP `cat /var/run/sshd.pid` && rm /etc/ssh/sshd_config.bak
On Solaris, copy the contents of the krb5.keytab generated on the Windows machine to /etc/krb5/krb5.keytab:
# ktutil
ktutil: rkt ./krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5 host/unixcomputer.company.test@COMPANY.TEST
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: clear
ktutil: rkt /etc/krb5/krb5.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5 host/unixcomputer.company.test@COMPANY.TEST
ktutil: exit
Verify Kerberos:
$ kinit
Password for user@COMPANY.TEST:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@COMPANY.TEST
Valid starting     Expires            Service principal
11/03/10 18:33:11  11/04/10 04:33:12  krbtgt/COMPANY.TEST@COMPANY.TEST
        renew until 11/10/10 18:33:11
Solaris sshd supports GSSAPI authentication by default.
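The sshd_config edits above for OpenBSD and FreeBSD rewrite every line that mentions GSSAPIAuthentication, add nothing when the directive is missing, and are blind to Match blocks (a directive placed after Match applies only to matched connections). As an added example, not part of the original post, the following POSIX sh function performs the same edit idempotently: it drops every global copy of the directive, active or commented, and writes exactly one active setting ahead of the first Match block. The sample config inside demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sshd_config edit.
# Usage: set_sshd_directive /etc/ssh/sshd_config GSSAPIAuthentication yes
set_sshd_directive() {
    cf=$1; key=$2; val=$3
    tmp="$cf.tmp.$$"
    awk -v key="$key" -v val="$val" '
    BEGIN { want = tolower(key) }
    {
        s = $0
        commented = (s ~ /^[ \t]*#/)
        sub(/^[ \t]*#?[ \t]*/, "", s)      # strip indent and comment marker
        split(tolower(s), f, "[ \t=]+")    # f[1] is the sshd keyword
        # global section: drop old active or commented copies of the directive
        if (!in_match && f[1] == want) next
        # first real Match block: emit the setting just before it
        if (!in_match && !commented && f[1] == "match") {
            print key " " val; done = 1; in_match = 1
        }
        print
    }
    END { if (!done) print key " " val }' "$cf" > "$tmp" &&
    cat "$tmp" > "$cf" && rm -f "$tmp"    # cat keeps the file's owner and mode
}

# Count active (uncommented) occurrences of a keyword in the global section only.
global_directive_count() {
    awk -v want="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    { split(tolower($0), f, "[ \t=]+")
      if (f[1] == "match") exit
      if (f[1] == want) n++ }
    END { print n + 0 }' "$1"
}

# Constructed sample config: the commented-out default plus a Match block.
demo() {
    cf=$(mktemp) || return 1
    printf '%s\n' 'Port 22' '#GSSAPIAuthentication no' \
        'Match User backup' '    PasswordAuthentication no' > "$cf"
    set_sshd_directive "$cf" GSSAPIAuthentication yes
    set_sshd_directive "$cf" GSSAPIAuthentication yes   # repeat: no duplicate
    cat "$cf"
    rm -f "$cf"
}
demo
```

Run `sshd -t` after the edit and before sending SIGHUP so a malformed file is caught while the running daemon still has its old configuration.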
GSSAPI-supporting Windows SSH Client
I'm using the latest development snapshot of PuTTY.
Troubleshooting
Normally, if Windows AD DS is set up properly, Kerberos authentication of Unix user accounts against Windows AD DS should work right out of the box, i.e. with a default AD DS installation and default Unix settings, no matter which flavor of Unix or Kerberos is used.
Typical problems (in ascending order of complexity):
1. Clock skew. Keep computer clock synchronized with a reliable source (NTP).
2. Kerberos encryption types. Make sure the keytab entry for the Unix host uses the arcfour-hmac-md5 encryption type.
3. DNS records. SRV RRs used by Kerberos are registered by Net Logon service on domain controllers. Check if records are registered, check if the Unix resolver functions properly and points to the right DNS servers.
Tip: run a second sshd instance in debug mode on port 2022: sshd -ddd -p 2022.