koszewscy/kerberos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance README with SSH server configuration instructions for Linux and Windows

Browse Source
This commit is contained in:
Sławek Koszewski
2026-05-16 15:02:52 +02:00
parent f75db61578
commit 5f06cf08c1
1 changed files with 64 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+64
View File
@@ -255,6 +255,70 @@ kadmin.local -q "listpols"
kadmin.local -q "delpol default" kadmin.local -q "delpol default"
``` ```
## SSH server configuration
SSH uses the `host/` service principal. The FQDN must match the result of forward DNS resolution of the server's hostname, and the IP must reverse-resolve to the same FQDN.
### Linux
Create the host principal and extract the keytab to the default location:
```bash
kadmin -p admin@REALM -q "addprinc -randkey host/ssh-server.example.org@REALM"
kadmin -p admin@REALM -q "ktadd host/ssh-server.example.org@REALM"
```
The keytab is written to `/etc/krb5.keytab` (mode `0600`, owned by `root`). Add to `/etc/ssh/sshd_config`:
```
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
```
`GSSAPIStrictAcceptorCheck` verifies the server's identity against the keytab — keep it enabled. Reload sshd after the change.
**Login authorisation** — by default a principal is granted access if its realm matches `default_realm` and its name matches the local account. To grant additional principals access to an account, list them in `~/.k5login` (one principal per line):
```
alice@EXAMPLE.ORG
alice/admin@EXAMPLE.ORG
```
If `.k5login` is present it is authoritative — unlisted principals are denied even if the name matches. To make it additive rather than restrictive, set in `krb5.conf`:
```ini
[libdefaults]
k5login_authoritative = false
```
### Windows
`GSSAPIAuthentication` is available on **Windows Server 2022, 2025, Windows 10 (May 2021 Update), and Windows 11** only. Windows Server 2019 does not support it.
Install **MIT Kerberos for Windows** (KfW) on the SSH server — Windows OpenSSH uses it for GSSAPI when the machine is not domain-joined. Create the host principal and extract a keytab:
```bash
kadmin -p admin@REALM -q "addprinc -randkey host/win-server.example.org@REALM"
kadmin -p admin@REALM -q "ktadd -k /tmp/win-server.keytab host/win-server.example.org@REALM"
```
Copy the keytab to the Windows server and set `KRB5_KTNAME` in the system environment to its path, or place it at the KfW default (`%ProgramData%\MIT\Kerberos5\krb5.keytab`).
Add to `%ProgramData%\ssh\sshd_config`:
```
GSSAPIAuthentication yes
```
> The following directives are **not available** on Windows OpenSSH and must not be added: `GSSAPICleanupCredentials`, `GSSAPIStrictAcceptorCheck`, `KerberosAuthentication`, `KerberosTicketCleanup`.
Restart the `sshd` service after the change:
```powershell
Restart-Service sshd
```
## OpenLDAP SASL/GSSAPI integration ## OpenLDAP SASL/GSSAPI integration
1. Create the LDAP service principal and extract a keytab: 1. Create the LDAP service principal and extract a keytab: