SuSE Linux (SLES) 11: SSH authentication via Kerberos (GSSAPI) with PuTTY and Windows Server 2008

After many days of trial and error, today I finally managed to automatically log on to my SuSE Linux 11 (SLES11) server with PuTTY using Kerberos authentication by a Windows Server 2008. Here are the exact steps I followed to reproduce the working configuration:

Follow the setup described in Michele’s blog: Active Directory and Apache Kerberos authentication and Putty, Active Directory and Kerberos. However, for creating the keytab file, follow my instructions below. Michele generates his keytab file with this command on the Linux server: net ads keytab add -U administrator This associates the Service Principal Name (SPN) of your Linux server with its machine account in the Active Directory. However, the machine account’s password gets reset by the Active Directory on a regular basis and when this happens, the KVNO in the Active Directory gets incremented, but this is not reflected in the Linux server’s keytab and suddenly Kerberos does not work anymore. You may get an error like this in the SSH log:

sshd[30106]: debug1: Unspecified GSS failure.  Minor code may provide more information\nKey version number for principal in key table is incorrect\n

So instead of using the machine’s account, we will use a (technical) user account specifically created for this task, that has a password which never expires. Therefore, its KVNO never changes and Kerberos will continue to work (or at least I hope so ;-)).

  1. Make sure that no account in the Active Directory has the SPN of the Linux server you want to log on to. Even delete the SPN from the Linux machine’s account itself! You can use the attribute editor (or ADSI editor) on the server. Check the SPN with this command:
    ldifde -f c:\spn_out.txt -d "<strong>DC=yourdomain,DC=com</strong>" -l *,msDS-KeyVersionNumber -r "(serviceprincipalname=HOST/<strong>yourlinuxhostname</strong>*)" -p subtree The result should show 0 entries! Otherwise you may get a message like the following in PuTTY’s event log:

    The target was not recognized (SEC_E_TARGET_UNKNOWN)
  2. Create a user account in the Active Directory that you want to associate with the Linux server, e.g. tukerberos. Set the account’s password and make sure to configure it to never expire.
  3. Associate the user account with the SPN of the Linux server with this command: ktpass -princ host/<strong>yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM</strong> -mapuser <strong>yourdomain\tukerberos</strong> -ptype KRB5_NT_PRINCIPAL -pass <strong>USERPASSWORD</strong> -crypto All -out c:\krb5.keytab
    The output should look like this:

    Targeting domain controller: dc.yourdomain.com
    Using legacy password setting method
    Successfully mapped host/yourlinuxhostname.yourdomain.com to tukerberos
    .
    Key created.
    Key created.
    Key created.
    Key created.
    Key created.
    Output keytab to c:\krb5.keytab:
    Keytab version: 0x502
    keysize 101 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x46629e67156b3b40)
    keysize 101 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x46629e67156b3b40)
    keysize 109 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x0149b059adfce2da6ae4319fbcf100f0)
    keysize 125 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x9a9c4dad7b65d0b294164dce8bbd5b4b39d674741bca1ef4f1583e6a8e77313b)
    keysize 109 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0xcc466c3cd0e3828f91a60556058a29b5)

    If you run the ldifde command from above again, you should now get a result of 1 entry for tukerberos!

  4. Copy the file c:\krb5.keytab over to the Linux server as /etc/krb5.keytab.
  5. If you run klist -kte on the Linux server now, you should see 5 entries for its SPN:
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       3 01/01/70 01:00:00 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM (DES cbc mode with CRC-32)
       3 01/01/70 01:00:00 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM (DES cbc mode with RSA-MD5)
       3 01/01/70 01:00:00 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM (ArcFour with HMAC/md5)
       3 01/01/70 01:00:00 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
       3 01/01/70 01:00:00 host/yourlinuxhostname.yourdomain.com@YOURDOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
  6. To make sure that no already existing tickets are used, purge your local ticket cache using kerbtray.exe on your Windows client and run the following command on your Linux server: kdestroy kinit Administrator
  7. Try logging on to your Linux server with PuTTY. It should work now 🙂

Further reading

Ăśber uns Stefan

Polyglot Clean Code Developer

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax