[Samba] OpenSSH with Kerberos?
Rowland Penny
rpenny at samba.org
Fri Oct 22 19:24:03 UTC 2021
On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> Hello,
>
> I am trying to get OpenSSH to work with Kerberos, but am failing. I
> followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> I still need to provide a password (the AD password does work!)
> instead of achieving single-sign-on. I did follow the recommended
> auth_to_local mapping.
>
I cannot ssh with Kerberos from a Samba AD DC, but I can ssh with
Kerberos to a Samba AD DC.
The ssh client (devstation) has this in /etc/ssh/ssh_config
Host *
PasswordAuthentication no
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes
Host *.samdom.example.com
# It's best to limit this option to only trusted hosts:
GSSAPIDelegateCredentials yes
The ssh server (rpidc2) has this in /etc/ssh/sshd_config
There is just this in /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
This all leads to this:
rowland@devstation:~$ ssh -K rpidc2.samdom.example.com
Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 22 19:35:10 2021 from 192.168.0.49
SAMDOM\rowland@rpidc2:~$
Hope this helps.
Rowland
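As an added example (not from the thread, the Samba wiki or OpenSSH itself), here is a small Python checker that applies the OpenSSH client's rules from ssh_config(5) to a config like the one above, reports which hosts would get delegated credentials, and flags delegation enabled under a bare "Host *". The sample config is constructed to mirror the devstation one, and the function names are my own.

```python
# Added example (constructed sample): apply ssh_config rules to GSSAPI options.
import fnmatch
SAMPLE_SSH_CONFIG = """\
Host *
    GSSAPIAuthentication yes
    GSSAPITrustDns yes
Host *.samdom.example.com
    # It's best to limit this option to only trusted hosts:
    GSSAPIDelegateCredentials yes
"""

def parse_ssh_config(text):
    """Return [(host_patterns, [(option, value), ...])]; implicit leading 'Host *'."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        key, value = (line.replace("=", " ", 1).split(None, 1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key.lower(), value))  # keywords are case-insensitive
    return blocks

def host_matches(patterns, hostname):
    """ssh_config(5) Host matching: a negated '!pattern' hit vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_options(text, hostname):
    """Options in force for hostname: the first value obtained wins (earlier blocks)."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, hostname):
            for key, value in options:
                effective.setdefault(key, value)
    return effective

def broad_delegation(text):
    """Host patterns that would forward the Kerberos TGT to every server."""
    return [" ".join(pats) for pats, opts in parse_ssh_config(text)
            if "*" in pats and any(k == "gssapidelegatecredentials"
                                   and v.lower() == "yes" for k, v in opts)]
```

Run effective_options() against the fully-qualified name you actually type at the ssh prompt; a bare short name will not match the *.samdom.example.com block.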