[Samba] OpenSSH with Kerberos?

Rowland Penny rpenny at samba.org
Fri Oct 22 19:24:03 UTC 2021

On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> Hello,
> I am trying to get OpenSSH to work with Kerberos, but am failing. I
> followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> I still need to provide a password (the AD password does work!)
> instead of achieving single-sign-on. I did follow the recommended
> auth_to_local mapping.

I cannot ssh with kerberos from a Samba AD DC, but I can ssh with
kerberos to a Samba AD DC.

The ssh client (devstation) has this in /etc/ssh/ssh_config

Host *
   PasswordAuthentication no
   SendEnv LANG LC_*
   HashKnownHosts yes
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPIRenewalForcesRekey yes
   GSSAPITrustDns yes
Host *.samdom.example.com
   # It's best to limit this option to only trusted hosts:
   GSSAPIDelegateCredentials yes

The ssh server (rpidc2) has this in /etc/ssh/sshd_config

There is just this in /etc/krb5.conf

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

This all leads to this:

rowland@devstation:~$ ssh -K rpidc2.samdom.example.com
Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l

The programs included with the Debian GNU/Linux system are free
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 22 19:35:10 2021 from
SAMDOM\rowland@rpidc2:~$

Hope this helps.
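The ssh_config quoted above works because ssh_config(5) uses the first obtained value for each keyword, so a `Host *` block placed first cannot be overridden by a later, more specific block; this is also why GSSAPIDelegateCredentials is kept out of `Host *` and scoped to the trusted domain. The following Python is an added example (not from this thread or the Samba project) that resolves the effective client options for a host the way the client does; the sample config is the one posted above, the hostnames are constructed.

```python
"""Resolve effective OpenSSH client options for a host as ssh_config(5)
does: Host patterns are shell-style wildcards, the first obtained value
for each keyword wins. Constructed example; sample config is the one
quoted on the list, hostnames are made up."""
import fnmatch

SSH_CONFIG = """\
Host *
   PasswordAuthentication no
   SendEnv LANG LC_*
   HashKnownHosts yes
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPIRenewalForcesRekey yes
   GSSAPITrustDns yes
Host *.samdom.example.com
   # It's best to limit this option to only trusted hosts:
   GSSAPIDelegateCredentials yes
"""

def parse_ssh_config(text):
    """Return [(patterns, [(keyword, value), ...])]; keywords lowercased
    because ssh_config keywords are case-insensitive."""
    blocks, patterns, options = [], ["*"], []  # options before any Host apply to all
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks

def host_matches(host, patterns):
    """ssh-style matching: '!pat' excludes, otherwise any pattern may match.
    fnmatch also accepts [seq], which ssh does not; fine for * and ? here."""
    host = host.lower()
    if any(fnmatch.fnmatchcase(host, p[1:].lower()) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns if not p.startswith("!"))

def effective_options(host, text=SSH_CONFIG):
    """First obtained value wins: setdefault never replaces an earlier value."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(host, patterns):
            for key, value in options:
                result.setdefault(key, value)
    return result
```

Running `effective_options("rpidc2.samdom.example.com")` yields delegation enabled, while a host outside the domain gets GSSAPI authentication but no delegation, matching `ssh -G <host>` output on a real client.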

