
I have an Ubuntu server acting as the Domain Controller (domain.local) and an Ubuntu VM (ubu1) acting as a workstation. I wanted to ssh into the ubu1 VM with Kerberos using a keytab file.

For this, I set up OpenSSH in my ubu1 VM. I enabled the following options in the /etc/ssh/sshd_config.

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes

And my PAM configuration looks like this - /etc/pam.d/common-session (I am using sssd as the client software in all this)

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session optional                        pam_mkhomedir.so
session required        pam_unix.so
session optional                        pam_sss.so
session optional        pam_systemd.so

I also added a user to the domain called user@domain.local.

samba-tool user add user Password123!

I made sure I can authenticate to the ubu1 VM using this user with the password. I can do that from the following command.

ssh DOMAIN\\user@ubu1.domain.local

Then I created a keytab file for the user with the following commands.

sudo samba-tool user setexpiry user --noexpiry
sudo samba-tool domain exportkeytab user.keytab --principal=user@DOMAIN.LOCAL

Then I transferred the keytab file to my laptop and exported it as a ticket.

kinit -kt user.keytab 'user@DOMAIN.LOCAL'

But when I try to log in using ssh with the option -K, it still asks me for the password.

This is the output of klist -kte user.keytab

Keytab name: FILE:user.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 16/01/24 16:56:08 user@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 16/01/24 16:56:08 user@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 16/01/24 16:56:08 user@DOMAIN.LOCAL (DEPRECATED:arcfour-hmac)

This is the output when I try to ssh in with the -K option

ssh -K UNINTENDED\\user@ubu1.domain.local -vv
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/kavi/.ssh/id_rsa RSA SHA256:OZgEf/sHKxJPl3YiHxT97//bPr6B7cWu2GXyDC/IySI
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/kavi/.ssh/id_ecdsa
debug1: Trying private key: /home/kavi/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kavi/.ssh/id_ed25519
debug1: Trying private key: /home/kavi/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kavi/.ssh/id_xmss
debug1: Trying private key: /home/kavi/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

When I run the SSH server with the debug mode on, I get such an output:

sudo /usr/sbin/sshd -d -e -p 22 -o LogLevel=DEBUG3
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.2 15 Mar 2022
debug1: private host key #0: ssh-rsa SHA256:FSr38+G3yHidz7/+nvBXpSZE5haof21lk9bAOjlHoQA
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:VbS3sSjzQtMx3fnFBv+wI189MJRz/aCXlnrFf+TjBec
debug1: private host key #2: ssh-ed25519 SHA256:++SuiiJ+ZwG7d5q6fb9KqhQRx1gGhVOfGR24bbTuipg
debug1: inetd sockets after dupping: 3, 3
Connection from 10.10.10.12 port 52520 on 10.10.10.12 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 106/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user DOMAIN//user service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
Invalid user DOMAIN from 10.10.10.12 port 52520
debug1: PAM: initializing for "DOMAIN"
debug1: PAM: setting PAM_RHOST to "10.10.10.12"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user DOMAIN//user service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth-request for user DOMAIN//user service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth-request for user DOMAIN//user service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 1 [preauth]
debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:yQXcilI+8loowqgULAvqBtQyd34WMy2kk1Y1vIW59cg [preauth]

Not sure why this happens. I have already read some other questions based on the same scenario like the following.

Unfortunately, nothing helped my situation. FYI I am fairly new to AD and don't have that much knowledge of how things work. So if I mentioned or did something wrong, I would really love to know. I would like to have a step-by-step process of how to set this up if my way is not the usual/standard method.

1 Answer

The issue was nothing related to SSH or Kerberos, I just had to add a .k5login file to the home directory of the user trying to log in and add the SPNs of the users that should be able to log in.

echo 'user@DOMAIN.LOCAL' > /home/user@DOMAIN.LOCAL/.k5login

After that, I had to make sure I had the correct SPN added to the database, in this case, host/ubu1.domain.local.

samba-tool spn add host/ubu1.domain.local UBU1$

UBU1$ in this case is the computer account created by default when the ubu1 machine was joined to the domain.

After that, I was able to log in just fine using the ticket.

ssh DOMAIN\\user@web.domain.local
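The answer rests on two things that are easy to get subtly wrong: the host's keytab must actually hold the `host/<fqdn>` principal sshd will accept, and the `.k5login` file must list the user principal exactly and have sane ownership and permissions. The following script is an added example, not code from the question or answer; the keytab listing it checks is constructed to mirror the `klist -kte` format shown above, and the path `/etc/krb5.keytab` and the login user's uid are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the two
# conditions the answer relies on. All sample data below is constructed.

# Does a `klist -kt[e]` listing contain the given principal?
# $1 = listing text, $2 = principal (e.g. host/ubu1.domain.local@DOMAIN.LOCAL)
# Only rows that start with a KVNO are inspected; any field equal to the
# principal counts, so it works with or without the -t timestamp columns.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^ *[0-9]+ / { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Would a .k5login file admit the principal?
# $1 = path to .k5login, $2 = principal, $3 = uid of the login user
# krb5 requires the file to be a regular file owned by that user or root;
# refusing group/other-writable files is an extra hardening check assumed here.
# The principal must match a whole line exactly (no prefix/suffix matching).
k5login_permits() {
    [ -f "$1" ] || return 1
    owner=$(stat -c %u "$1")
    [ "$owner" = "$3" ] || [ "$owner" = 0 ] || return 1
    mode=$(stat -c %a "$1")            # e.g. 644; last two digits are group/other
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;  # write bit set for group or other
    esac
    grep -qxF "$2" "$1"
}

# Constructed keytab listing in the format the question shows for klist -kte.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 16/01/24 16:56:08 host/ubu1.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 16/01/24 16:56:08 UBU1$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)'

if keytab_has_principal "$SAMPLE_KLIST" 'host/ubu1.domain.local@DOMAIN.LOCAL'; then
    echo "host SPN present in keytab listing"
else
    echo "host SPN missing: sshd cannot accept the service ticket"
fi
```

On the real host, feed `"$(sudo klist -kte /etc/krb5.keytab)"` to `keytab_has_principal` and the user's home `.k5login` plus `id -u user@DOMAIN.LOCAL` to `k5login_permits`.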