koszewscy/kerberos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance README with detailed instructions for SSH keytab creation and client connection configuration

Browse Source
This commit is contained in:
Sławek Koszewski
2026-05-16 15:18:32 +02:00
parent 5f06cf08c1
commit 946f37af52
1 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+28 -6
View File
@@ -261,14 +261,14 @@ SSH uses the `host/` service principal. The FQDN must match the result of forwar
### Linux ### Linux
Create the host principal and extract the keytab to the default location: Create the host principal and extract the keytab to the default location (run as `root` on the SSH server — the keytab is written to `/etc/krb5.keytab`, mode `0600`):
```bash ```bash
kadmin -p admin@REALM -q "addprinc -randkey host/ssh-server.example.org@REALM" sudo kadmin -p admin@REALM -q "addprinc -randkey host/ssh-server.example.org@REALM"
kadmin -p admin@REALM -q "ktadd host/ssh-server.example.org@REALM" sudo kadmin -p admin@REALM -q "ktadd host/ssh-server.example.org@REALM"
``` ```
The keytab is written to `/etc/krb5.keytab` (mode `0600`, owned by `root`). Add to `/etc/ssh/sshd_config`: Add to `/etc/ssh/sshd_config` (requires `root`):
``` ```
GSSAPIAuthentication yes GSSAPIAuthentication yes
@@ -276,7 +276,11 @@ GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes GSSAPIStrictAcceptorCheck yes
``` ```
`GSSAPIStrictAcceptorCheck` verifies the server's identity against the keytab — keep it enabled. Reload sshd after the change. `GSSAPIStrictAcceptorCheck` verifies the server's identity against the keytab — keep it enabled. Reload sshd (requires `root`):
```bash
sudo systemctl reload sshd
```
**Login authorisation** — by default a principal is granted access if its realm matches `default_realm` and its name matches the local account. To grant additional principals access to an account, list them in `~/.k5login` (one principal per line): **Login authorisation** — by default a principal is granted access if its realm matches `default_realm` and its name matches the local account. To grant additional principals access to an account, list them in `~/.k5login` (one principal per line):
@@ -292,6 +296,24 @@ If `.k5login` is present it is authoritative — unlisted principals are denied
k5login_authoritative = false k5login_authoritative = false
``` ```
### Client connection
SSH will prefer public key authentication by default even when GSSAPI is available. To enforce Kerberos:
```bash
ssh -o GSSAPIAuthentication=yes -o PreferredAuthentications=gssapi-with-mic user@ssh-server.example.org
```
To make this permanent for a host in `~/.ssh/config`:
```
Host ssh-server.example.org
GSSAPIAuthentication yes
PreferredAuthentications gssapi-with-mic
```
On Windows (KfW) and macOS the same `ssh` flags apply. macOS additionally accepts `-K` as a shorthand for `GSSAPIAuthentication=yes`.
### Windows ### Windows
`GSSAPIAuthentication` is available on **Windows Server 2022, 2025, Windows 10 (May 2021 Update), and Windows 11** only. Windows Server 2019 does not support it. `GSSAPIAuthentication` is available on **Windows Server 2022, 2025, Windows 10 (May 2021 Update), and Windows 11** only. Windows Server 2019 does not support it.
@@ -313,7 +335,7 @@ GSSAPIAuthentication yes
> The following directives are **not available** on Windows OpenSSH and must not be added: `GSSAPICleanupCredentials`, `GSSAPIStrictAcceptorCheck`, `KerberosAuthentication`, `KerberosTicketCleanup`. > The following directives are **not available** on Windows OpenSSH and must not be added: `GSSAPICleanupCredentials`, `GSSAPIStrictAcceptorCheck`, `KerberosAuthentication`, `KerberosTicketCleanup`.
Restart the `sshd` service after the change: Restart the `sshd` service after the change (requires an elevated PowerShell prompt):
```powershell ```powershell
Restart-Service sshd Restart-Service sshd