Enhance README with SSH server configuration instructions for Linux and Windows
This commit is contained in:
@@ -255,6 +255,70 @@ kadmin.local -q "listpols"
|
||||
kadmin.local -q "delpol default"
|
||||
```
|
||||
|
||||
## SSH server configuration
|
||||
|
||||
SSH uses the `host/` service principal. The FQDN must match the result of forward DNS resolution of the server's hostname, and the IP must reverse-resolve to the same FQDN.
|
||||
|
||||
### Linux
|
||||
|
||||
Create the host principal and extract the keytab to the default location:
|
||||
|
||||
```bash
|
||||
kadmin -p admin@REALM -q "addprinc -randkey host/ssh-server.example.org@REALM"
|
||||
kadmin -p admin@REALM -q "ktadd host/ssh-server.example.org@REALM"
|
||||
```
|
||||
|
||||
The keytab is written to `/etc/krb5.keytab` (mode `0600`, owned by `root`). Add to `/etc/ssh/sshd_config`:
|
||||
|
||||
```
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials yes
|
||||
GSSAPIStrictAcceptorCheck yes
|
||||
```
|
||||
|
||||
`GSSAPIStrictAcceptorCheck` verifies the server's identity against the keytab — keep it enabled. Reload sshd after the change.
|
||||
|
||||
**Login authorisation** — by default a principal is granted access if its realm matches `default_realm` and its name matches the local account. To grant additional principals access to an account, list them in `~/.k5login` (one principal per line):
|
||||
|
||||
```
|
||||
alice@EXAMPLE.ORG
|
||||
alice/admin@EXAMPLE.ORG
|
||||
```
|
||||
|
||||
If `.k5login` is present it is authoritative — unlisted principals are denied even if the name matches. To make it additive rather than restrictive, set in `krb5.conf`:
|
||||
|
||||
```ini
|
||||
[libdefaults]
|
||||
k5login_authoritative = false
|
||||
```
|
||||
|
||||
### Windows
|
||||
|
||||
`GSSAPIAuthentication` is available on **Windows Server 2022, 2025, Windows 10 (May 2021 Update), and Windows 11** only. Windows Server 2019 does not support it.
|
||||
|
||||
Install **MIT Kerberos for Windows** (KfW) on the SSH server — Windows OpenSSH uses it for GSSAPI when the machine is not domain-joined. Create the host principal and extract a keytab:
|
||||
|
||||
```bash
|
||||
kadmin -p admin@REALM -q "addprinc -randkey host/win-server.example.org@REALM"
|
||||
kadmin -p admin@REALM -q "ktadd -k /tmp/win-server.keytab host/win-server.example.org@REALM"
|
||||
```
|
||||
|
||||
Copy the keytab to the Windows server and set `KRB5_KTNAME` in the system environment to its path, or place it at the KfW default (`%ProgramData%\MIT\Kerberos5\krb5.keytab`).
|
||||
|
||||
Add to `%ProgramData%\ssh\sshd_config`:
|
||||
|
||||
```
|
||||
GSSAPIAuthentication yes
|
||||
```
|
||||
|
||||
> The following directives are **not available** on Windows OpenSSH and must not be added: `GSSAPICleanupCredentials`, `GSSAPIStrictAcceptorCheck`, `KerberosAuthentication`, `KerberosTicketCleanup`.
|
||||
|
||||
Restart the `sshd` service after the change:
|
||||
|
||||
```powershell
|
||||
Restart-Service sshd
|
||||
```
|
||||
|
||||
## OpenLDAP SASL/GSSAPI integration
|
||||
|
||||
1. Create the LDAP service principal and extract a keytab:
|
||||
|
||||
Reference in New Issue
Block a user