openssh Cross-realm authentication with heimdal

Let's provide some more useful content for a change.

Today I'll be documenting the setup of cross-realm authentication using Heimdal kerberos for openssh.

We already have Kerberos set up for KULEUVEN.BE, and it holds the accounts of all students and personnel. What I will do is set up a local (departmental) KDC and an SSH server that has its keytab registered in that local KDC. The idea is that a department can add as many local SSH servers as it wants and only has to touch its own local KDC; the authentication of users still happens against the main KULEUVEN.BE KDC.

OpenSSH supports Kerberos authentication using tickets (through its GSSAPI mechanism), but only from version 4.2p1 onward, because OpenSSH needs to be patched with the GSSAPI mechanism.
Lucky for us, Debian unstable's OpenSSH packages (openssh-server and openssh-client) are already patched this way.
Furthermore, I'll be using heimdal-kdc as the Kerberos server (also in Debian).

All that is left now is configuration.

Let's start with an overview of the systems.


The client: 192.168.2.103 (dhcp-103.kulnet-l)
The SSH server: 192.168.2.200 (vmware1.kulnet-l)
The local KDC: 192.168.2.201 (vmware2.kulnet-l, realm TMPKDC.NET)
The main KDC: kdc1.kuleuven.be (realm KULEUVEN.BE)


First, let's set things up so we can use Kerberos to log in to the SSH server.
I created a principal u0036393@TMPKDC.NET on the local KDC (kadmin -l and add u0036393)
and a host principal for the SSH server: host/vmware1.kulnet-l with a random key (kadmin -l and add --random-key host/vmware1.kulnet-l).
Now the key needs to be exported to the SSH server:


kadmin -l
ext -k /tmp/bla host/vmware1.kulnet-l
scp /tmp/bla 192.168.2.200:/etc/krb5.keytab

Restart SSH after that. The keytab is the SSH server's long-term secret: anyone who can read it can impersonate the server to its clients, so make sure /etc/krb5.keytab on vmware1 ends up owned by root with mode 0600, and delete /tmp/bla on the KDC once it has been copied. On the server, ktutil list shows what the keytab contains.


Some other things to do on the KDC:

open the firewall for port 88 (udp, and tcp as well: clients fall back to tcp for large tickets)
keep the clock in sync (Kerberos rejects requests with more than a few minutes of clock skew, five by default)
edit /etc/krb5.conf


I edited the krb5.conf file and cleaned it up a bit.
Things you need to look out for:

[libdefaults]
default_realm = TMPKDC.NET
...
[realms]
TMPKDC.NET = {
kdc=192.168.2.201
admin_server=192.168.2.201
}
...
[domain_realm]
kulnet-l = TMPKDC.NET
.kulnet-l = TMPKDC.NET
...


Copy this file to the client as well (in my case, 192.168.2.103) as /etc/krb5.conf, otherwise you'll see something like this:


(deepstar/tachyon) ~/debian$ kinit u0036393@TMPKDC.NET
u0036393@TMPKDC.NET's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm TMPKDC.NET
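To make the [domain_realm] and [realms] rules above concrete, here is an added example (written for this page, not code from the original post or from Heimdal) that parses a krb5.conf of the shape shown and then answers the two questions the libraries ask: which realm a hostname belongs to, and which KDC serves that realm. The sample config is constructed: it is the fragment above with its "..." elisions filled in by a KULEUVEN.BE stanza pointing at kdc1.kuleuven.be (the main KDC from the overview); the lookup order (exact hostname, then each parent domain with a leading dot, then default_realm) is the one libkrb5 uses for [domain_realm].

```python
import re

# Constructed sample, not the post's own file: the krb5.conf fragment from the
# post with its "..." elisions filled in minimally (a KULEUVEN.BE stanza pointing
# at kdc1.kuleuven.be, the main KDC named in the overview).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = TMPKDC.NET

[realms]
TMPKDC.NET = {
kdc=192.168.2.201
admin_server=192.168.2.201
}
KULEUVEN.BE = {
kdc=kdc1.kuleuven.be
}

[domain_realm]
kulnet-l = TMPKDC.NET
.kulnet-l = TMPKDC.NET
"""


def parse_krb5_conf(text):
    """Parse the simple "key = value" / "NAME = { ... }" layout into nested dicts.

    Good enough for the fragment above; real krb5.conf files also allow
    repeated keys and deeper nesting, which this deliberately ignores.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if line == '}':
            block = None
            continue
        if section is None:
            raise ValueError('entry outside any section: %r' % raw)
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def realm_for_host(conf, hostname):
    """Map a hostname to a realm the way libkrb5 consults [domain_realm]:
    the exact hostname first, then each parent domain written with a leading
    dot, and finally default_realm when nothing matches."""
    mapping = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get('libdefaults', {}).get('default_realm')


def kdc_for_realm(conf, realm):
    """The configured KDC for a realm, or None: with no [realms] entry (and no
    DNS SRV records) kinit fails with "unable to reach any KDC in realm ..."."""
    return conf.get('realms', {}).get(realm, {}).get('kdc')


def host_principal(conf, hostname):
    """The name sshd looks up in /etc/krb5.keytab: host/<canonical name>@<realm>.
    It must equal the principal exported on the KDC, so the name the server
    resolves for itself has to be the one the keytab was made for."""
    return 'host/%s@%s' % (hostname.lower(), realm_for_host(conf, hostname))


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ('vmware1.kulnet-l', 'kulnet-l', 'kdc1.kuleuven.be'):
        realm = realm_for_host(conf, h)
        print('%-20s -> %-12s kdc=%s' % (h, realm, kdc_for_realm(conf, realm)))
    print(host_principal(conf, 'vmware1.kulnet-l'))
```

Note what the lookup shows: "kulnet-l = TMPKDC.NET" only matches a host literally named kulnet-l, while ".kulnet-l = TMPKDC.NET" matches every host under it, which is why both lines are there. A host under a domain that is not listed (kdc1.kuleuven.be in the sample) silently falls back to default_realm, and a realm with no [realms] stanza has no KDC to talk to, which is exactly the error the client printed before krb5.conf was copied over.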


Let's try to get a ticket from the KDC now. First, I have to clean out my current tickets (kdestroy) so I can work cleanly.


(deepstar/tachyon) ~/debian$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: [email protected]

Issued Expires Principal
May 29 15:51:13 >>>Expired<<< [email protected]
May 29 15:51:26 >>>Expired<<< [email protected]
May 29 15:51:23 >>>Expired<<< [email protected]
(deepstar/tachyon) ~/debian$ kdestroy
(deepstar/tachyon) ~/debian$ kinit u0036393@TMPKDC.NET
u0036393@TMPKDC.NET's Password:
(deepstar/tachyon) ~/debian$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: u0036393@TMPKDC.NET

Issued Expires Principal
May 30 11:03:39 May 31 00:14:27 krbtgt/TMPKDC.NET@TMPKDC.NET
(deepstar/tachyon) ~/debian$



As you can see, it worked.

Now for logging in.

(Create the local u0036393 user account on the SSH server before starting: sshd still maps the Kerberos principal to a Unix account.)

Add this line to the sshd_config of the SSH server:


GSSAPIAuthentication yes


and these to the ssh_config of the client:


GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes


GSSAPIDelegateCredentials is a client-side (ssh_config) option, not an sshd_config one: it forwards your TGT to the SSH server so that you have Kerberos tickets in the login session. Since that hands the server a copy of your credentials, put it in a Host stanza for the servers you trust rather than enabling it globally. Run sshd -t on the server after editing to make sure the file still parses.

Something that gave me a lot of trouble before is the canonical hostname of the SSH server: sshd looks for host/<canonical name>@TMPKDC.NET in its keytab, so the name the server resolves for itself must be the one the host principal was created under (vmware1.kulnet-l).
Stop the init script (/etc/init.d/ssh stop) and run /usr/sbin/sshd -de to start the SSH server in the foreground in debug mode. If you see something like this:

FIXME

then add your hostname to /etc/hosts:

127.0.0.1 vmware1.kulnet-l sshserver localhost localhost.localdomain


It's important that "vmware1.kulnet-l" comes first.
"sshserver" is listed second because that is what I have in /etc/hostname. If your FQDN and hostname differ, do this too.

Check with "hostname -f" to see if it worked. (Clients still need to resolve vmware1.kulnet-l to 192.168.2.200 through DNS or their own /etc/hosts; the line above only fixes the server's view of its own name.)

Install heimdal-clients on the SSH-server and copy the krb5.conf from the client.

If everything went ok, you can do this:

(deepstar/tachyon) ~/debian$ kdestroy
(deepstar/tachyon) ~/debian$ kinit u0036393@TMPKDC.NET
u0036393@TMPKDC.NET's Password:
(deepstar/tachyon) ~/debian$ ssh u0036393@vmware1.kulnet-l
Linux sshserver 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue May 30 14:45:38 2006 from dhcp-103.kulnet-l
u0036393@sshserver:~$ logout
Connection to vmware1.kulnet-l closed.
(deepstar/tachyon) ~/debian$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: u0036393@TMPKDC.NET

Issued Expires Principal
May 30 14:53:53 May 31 00:53:57 krbtgt/TMPKDC.NET@TMPKDC.NET
May 30 14:54:01 May 31 00:53:57 host/vmware1.kulnet-l@TMPKDC.NET
(deepstar/tachyon) ~/debian$


(To test whether you can get a ticket for some principal, try kgetcred ...)

Ok, now authentication works and openssh works with a kerberos ticket.

What's left now is the cross-realm authentication.

We need to add the principal krbtgt/TMPKDC.NET@KULEUVEN.BE to both our local and main KDC.
They need to have the same password: this is the shared cross-realm key. The KULEUVEN.BE KDC encrypts the cross-realm TGT with it and the TMPKDC.NET KDC must be able to decrypt it, so the key version number (kvno) and the encryption types have to match on both sides as well. This is a one-way trust (KULEUVEN.BE users can use TMPKDC.NET services); the reverse direction would need krbtgt/KULEUVEN.BE@TMPKDC.NET.

(For some reason, after I added the principals to both KDCs, they had different kvno numbers. That stirred up trouble... So on the KDC that had kvno=0, I just changed the password and set it to the same thing. That does absolutely nothing, except increase the kvno :)


(deepstar/tachyon) ~/debian$ kdestroy
(deepstar/tachyon) ~/debian$ kinit u0036393@KULEUVEN.BE
u0036393@KULEUVEN.BE's Password:
(deepstar/tachyon) ~/debian$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: u0036393@KULEUVEN.BE

Issued Expires Principal
May 30 15:18:05 May 31 01:18:04 krbtgt/KULEUVEN.BE@KULEUVEN.BE
(deepstar/tachyon) ~/debian$ ssh u0036393@vmware1.kulnet-l
Linux sshserver 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue May 30 15:16:36 2006 from dhcp-103.kulnet-l
u0036393@sshserver:~$ logout
Connection to vmware1.kulnet-l closed.
(deepstar/tachyon) ~/debian$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: u0036393@KULEUVEN.BE

Issued Expires Principal
May 30 15:18:05 May 31 01:18:04 krbtgt/KULEUVEN.BE@KULEUVEN.BE
May 30 15:18:09 May 31 01:18:04 krbtgt/TMPKDC.NET@KULEUVEN.BE
May 30 15:18:09 May 31 01:18:04 host/vmware1.kulnet-l@TMPKDC.NET
(deepstar/tachyon) ~/debian$
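The three tickets in that last klist are the whole cross-realm story: the home TGT, the cross-realm TGT that KULEUVEN.BE issued for TMPKDC.NET (the one encrypted with the shared krbtgt/TMPKDC.NET@KULEUVEN.BE key), and the service ticket for the SSH server. The following added example (written for this page, not code from the original post or from Heimdal) parses klist output in Heimdal's layout, labels each ticket by that rule and reports which tickets a cache still lacks for a login, which is a quicker check than reading sshd debug output. The sample klist text is constructed to match the session above with the principal names written out; only the direct, single-hop trust used in this post is modelled.

```python
import re

# Constructed sample in the layout of Heimdal's klist, matching the post's
# last klist with the principal names written out: the home TGT, the
# cross-realm TGT issued by KULEUVEN.BE for TMPKDC.NET, and the service
# ticket for the SSH server.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: u0036393@KULEUVEN.BE

  Issued           Expires          Principal
May 30 15:18:05  May 31 01:18:04  krbtgt/KULEUVEN.BE@KULEUVEN.BE
May 30 15:18:09  May 31 01:18:04  krbtgt/TMPKDC.NET@KULEUVEN.BE
May 30 15:18:09  May 31 01:18:04  host/vmware1.kulnet-l@TMPKDC.NET
"""

# One ticket line: issue time, expiry time (or the >>>Expired<<< marker), principal.
TICKET_RE = re.compile(
    r'^\s*(\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+'
    r'(>>>Expired<<<|\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+'
    r'(\S+@\S+)\s*$')


def parse_klist(text):
    """Return the cache's client principal and its tickets."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith('Principal:'):
            principal = line.split(':', 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({'issued': m.group(1), 'expires': m.group(2),
                            'expired': m.group(2) == '>>>Expired<<<',
                            'principal': m.group(3)})
    if principal is None:
        raise ValueError('no "Principal:" line in klist output')
    return {'principal': principal, 'tickets': tickets}


def ticket_kind(principal):
    """krbtgt/A@A is the TGT for realm A; krbtgt/B@A is a cross-realm TGT that
    realm A issued for use at realm B (encrypted with the krbtgt/B@A key that
    both KDCs hold); anything else is a service ticket."""
    name, _, realm = principal.rpartition('@')
    if name.startswith('krbtgt/'):
        return 'tgt' if name[len('krbtgt/'):] == realm else 'cross-realm tgt'
    return 'service'


def missing_for(text, service):
    """Which tickets the cache still lacks for a direct (single hop) login to
    `service`; an empty list means the whole path is present. Expired tickets
    do not count. Paths through intermediate realms ([capaths]) are not
    modelled, since the post only uses a direct trust."""
    cache = parse_klist(text)
    client_realm = cache['principal'].rpartition('@')[2]
    service_realm = service.rpartition('@')[2]
    have = {t['principal'] for t in cache['tickets'] if not t['expired']}
    needed = ['krbtgt/%s@%s' % (client_realm, client_realm)]
    if service_realm != client_realm:
        needed.append('krbtgt/%s@%s' % (service_realm, client_realm))
    needed.append(service)
    return [p for p in needed if p not in have]


if __name__ == '__main__':
    for t in parse_klist(SAMPLE_KLIST)['tickets']:
        print('%-16s %s' % (ticket_kind(t['principal']), t['principal']))
    print('missing:', missing_for(SAMPLE_KLIST, 'host/vmware1.kulnet-l@TMPKDC.NET'))
```

If the cross-realm TGT never shows up after an ssh attempt, the KULEUVEN.BE KDC refused to issue one (the shared krbtgt principal is missing or its keys differ); if it is there but the host ticket is not, the problem is on the TMPKDC.NET side (kvno or key mismatch, or the host principal name not matching the keytab).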


Important to note:
the krb5.conf files on the client, SSH server and local KDC need to be aware of the local realm (TMPKDC.NET), but only the SSH server needs to have its default_realm set to KULEUVEN.BE. That is what makes sshd accept u0036393@KULEUVEN.BE for the local account u0036393: without a ~/.k5login, a principal is only mapped to the local user of the same name if it belongs to the server's default realm. The alternative is a ~/.k5login in the account's home directory listing the allowed principal explicitly.