“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 677 — #703
26 Security in the Network
To use sshd with Kerberos authentication, edit /etc/ssh/sshd_config
and set the following options:
# These are for protocol version 1
KerberosAuthentication yes
KerberosTicketCleanup yes
# These are for version 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart your SSH daemon using rcsshd restart.
To use Kerberos authentication with protocol version 2, enable it on the
client side as well. Do this either in the system-wide configuration file
/etc/ssh/ssh_config or on a per-user level by editing ~/.ssh/config. In
both cases, add the option GSSAPIAuthentication yes.
You should now be able to connect using Kerberos authentication. Use
klist to verify that you have a valid ticket, then connect to the SSH server.
To force SSH protocol version 1, specify the option -1 on the command line.
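A server-side check for the settings above, added here as an example and not taken from the SUSE manual: the shell function below scans an sshd_config (path passed as its argument) and reports any of the four Kerberos/GSSAPI options that are missing, commented out or not set to yes, which is worth running after a package upgrade has rewritten the file. The sample configuration it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: audit an sshd_config for the four
# Kerberos/GSSAPI options listed above. Prints each option that is missing
# or not "yes"; the return value is the number of such options (0 = all set).
# Assumptions: the first occurrence of a keyword wins and keywords are
# case-insensitive (as in sshd); settings inside a "Match" block (newer
# OpenSSH) are conditional, so the scan stops there and only global ones count.
check_sshd_kerberos() {
    cfg="$1"
    problems=0
    for opt in KerberosAuthentication KerberosTicketCleanup \
               GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(awk -v want="$(printf '%s' "$opt" | tr 'A-Z' 'a-z')" '
            /^[[:space:]]*(#|$)/ { next }   # comments, commented-out defaults, blank lines
            { sub(/=/, " ") }               # accept "Keyword=value" as well as "Keyword value"
            tolower($1) == "match" { exit } # what follows is conditional, not global
            tolower($1) == want { print tolower($2); exit }
        ' "$cfg")
        if [ "$val" != "yes" ]; then
            printf '%s: %s (want yes)\n' "$opt" "${val:-not set}"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample config (not a real host's file): the protocol-1 options
# are on, GSSAPIAuthentication is still the commented-out default, and
# GSSAPICleanupCredentials is explicitly off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# These are for protocol version 1
KerberosAuthentication yes
KerberosTicketCleanup yes
# These are for version 2
#GSSAPIAuthentication yes
GSSAPICleanupCredentials = no
EOF

check_sshd_kerberos "$SAMPLE_CFG" \
    && echo "all Kerberos/GSSAPI options are enabled" \
    || echo "$? option(s) need attention; fix them, then rcsshd restart"
```

On the sample file the function reports GSSAPIAuthentication as not set and GSSAPICleanupCredentials as no, and returns 2.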
Note: Additional Information
The file /usr/share/doc/packages/openssh/README.kerberos discusses the
interaction of OpenSSH and Kerberos in more detail.
26.6.11 Using LDAP and Kerberos
When using Kerberos, one way to distribute the user information (such as
user ID, groups, home directory, etc.) in your local network is to use LDAP.
This requires a strong authentication mechanism that prevents packet
spoofing and other attacks. One solution is to use Kerberos for LDAP
communication, too.
OpenLDAP implements most authentication flavors through SASL, the
Simple Authentication and Security Layer. SASL is basically a network
protocol designed for authentication. The SASL implementation used in
SUSE LINUX is cyrus-sasl, which supports a number of different
authentication flavors. Kerberos authentication is performed through
GSSAPI (Generic Security Services API). By default, the SASL plug-in
for GSSAPI is not installed. Install it manually with rpm -ivh
cyrus-sasl-gssapi-*.rpm.
677 SUSE LINUX Enterprise Server