
My company has disabled SSH public key authentication, therefore I have to enter my password manually each time (I am not supposed to change /etc/ssh/sshd_config).

However, gssapi-keyex and gssapi-with-mic authentication are enabled (please see the ssh debug output below).

How could I use automatic login in this case?
Can I exploit gssapi-keyex and/or gssapi-with-mic authentications?

> ssh -v -o PreferredAuthentications=publickey hostxx.domainxx
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to hostxx.domainxx [11.22.33.44] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/identity type -1
debug1: identity file /home/me/.ssh/id_rsa type -1
debug1: identity file /home/me/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostxx.domainxx' is known and matches the RSA host key.
debug1: Found key in /home/me/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,password).
oHo
    Python's fabric does a great job of dealing with ssh automation. – Dan Garthwaite Aug 30 '13 at 13:29
  • Hi @DanGarthwaite Do you use [Fabric](http://fabfile.org) to manually login to other remote servers? Please can you explain how you use it. Please provide an answer. Cheers – oHo Aug 30 '13 at 13:44
    If you aren't in a Kerberos realm (or Active Directory domain) then GSSAPI is unlikely to be useful to you. That said, disabling public key authentication seems quite absurd. – Michael Hampton Aug 30 '13 at 14:58
  • @olibre Fabric is a utility to run commands on one or more servers over SSH. These commands are usually organized in a "fabfile", like a Makefile. It does an extremely good job of making SSH disappear (once you authenticate) and handles all the many ways SSH clients and servers tend to interrupt control. A quick tutorial is available: http://docs.fabfile.org/en/1.7/tutorial.html – Dan Garthwaite Sep 10 '13 at 15:27
  • Please @DanGarthwaite, could you give an example of a `fab`file that would log in to another machine (SSH gssapi without asking for a password) and open a shell? You can provide it within an answer. (In five minutes, I did not find within the tutorial how to do that.) Cheers ;) – oHo Sep 10 '13 at 16:00
  • @olibre : Authentication needs to happen sometime. With fabric, the best savings you can get is to only ask you once per invocation. It will remember and retry your password across all the machines listed. – Dan Garthwaite Sep 10 '13 at 20:04

2 Answers


Maybe.

  • Can you obtain a ticket for your principal on your client system either as part of the standard login process or manually (kinit, MIT Kerberos for Windows)?
  • Does the server have a Kerberos principal, or can you give it one? It should be of the form host/[email protected].
  • Is GSSAPI authentication enabled on your client?
  • Does your client know which realm the server belongs to either by DNS TXT resource record or local mapping?

If you said "yes" to all of the above, then congratulations, you can use GSSAPIAuthentication.

  • You may also need to enable credential delegation, depending on your setup.

Testing steps:
(Assuming: domain = example.com ; realm = EXAMPLE.COM)

  1. kinit [email protected]
    • Ideally this is handled by your standard login process by including either pam_krb5 or pam_sss (with auth_provider = krb5) in the appropriate pam stack.
  2. kvno host/[email protected]
    • This is a debugging step. ssh does this automatically if you have a valid cache and you are talking to a sshd which supports gssapi-with-mic or gssapi-keyex.
  3. dig _kerberos.example.com txt should return "EXAMPLE.COM"
    • Alternatively the mapping could be stored in the [domain_realm] section of /etc/krb5.conf as .example.com = EXAMPLE.COM, but the dns method scales much better.
  4. ssh -o GSSAPIAuthentication=yes [email protected]
    • To log in as a username other than that of your principal, the server will have to know how to map it; the details of that I'm not getting into here.
u1686_grawity
  • Hi. I have given you +1 some time ago, but in fact, I do not know how to check your four points. (I am not an administrator, just a developer). Please could you provide a command line to check the SSH connection using `gssapiauthentication`? Maybe I can also use `gssapiauthentication` on my Linux machine. (should I use `kinit` for that?) Cheers ;) – oHo Sep 10 '13 at 16:07
  • Tip: Sometimes it is hard to get MIT Kerberos for Windows installed (think enterprise!). You can find `kinit.exe` in the `bin` folder of any Java installation (JRE or JDK). – kevinarpe Apr 06 '22 at 13:39
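The four checks above can be scripted. The following is an added example, not code from the answer or from any Kerberos or OpenSSH project: pure helpers that mirror the answer's four tests (TGT in the cache, host principal naming, realm mapping via DNS TXT or `[domain_realm]`, and an ssh invocation restricted to GSSAPI) plus a `main()` that wires them to the real `klist`, `dig`, `kvno` and `ssh`. The hostnames, realm, `[domain_realm]` entries and `klist` output are constructed sample data, and `gssapi_offered()` reads the same "Authentications that can continue" line that appears in the question's `ssh -v` output.

```python
"""Pre-flight checks for Kerberos (GSSAPI) logins to sshd: an added example,
not code from the original answer. The pure helpers mirror the answer's four
tests and run offline on the constructed samples below; main() wires them to
the real klist/dig/kvno/ssh. Names, realm and sample output are assumed."""
import re
import subprocess
import sys
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed samples (assumed; not from the original post).
SAMPLE_DOMAIN_REALM = {            # the [domain_realm] section of krb5.conf
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
    "legacy.example.com": "OLD.EXAMPLE.COM",   # per-host override
}
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: me@EXAMPLE.COM

Valid starting     Expires            Service principal
08/30/13 09:00:00  08/30/13 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/06/13 09:00:00
"""
SAMPLE_SSH_DEBUG = "debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password\n"
SAMPLE_NOW = datetime(2013, 8, 30, 12, 0, 0)    # TGT still valid
SAMPLE_LATER = datetime(2013, 8, 30, 20, 0, 0)  # TGT expired
TIME_FORMATS = ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S")  # klist variants

def realm_for_host(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Resolve host -> realm as libkrb5 walks [domain_realm]: an exact host
    entry wins, else the longest matching '.parent.domain' entry."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None

def realm_from_txt(dig_short_output: str) -> Optional[str]:
    """Parse `dig +short _kerberos.<domain> txt`; empty answer = no DNS mapping."""
    m = re.search(r'"([^"]+)"', dig_short_output)
    return m.group(1).strip() if m else None

def host_principal(hostname: str, realm: str) -> str:
    """The service principal sshd needs a key for: host/<fqdn>@<REALM>."""
    return f"host/{hostname.lower().rstrip('.')}@{realm}"

def tgt_status(klist_output: str, realm: str,
               now: datetime) -> Optional[Tuple[str, datetime]]:
    """(principal, expiry) of an unexpired TGT for `realm` in klist output,
    else None. 'renew until' lines lack a service field and are skipped."""
    m = re.search(r"Default principal:\s*(\S+)", klist_output)
    principal = m.group(1) if m else ""
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[-1] != f"krbtgt/{realm}@{realm}":
            continue
        for fmt in TIME_FORMATS:
            try:
                expires = datetime.strptime(f"{parts[2]} {parts[3]}", fmt)
            except ValueError:
                continue
            if expires > now:
                return principal, expires
    return None

def gssapi_offered(ssh_debug: str) -> bool:
    """True if `ssh -v` shows sshd offering either GSSAPI method."""
    m = re.search(r"Authentications that can continue:\s*(\S+)", ssh_debug)
    methods = m.group(1).split(",") if m else []
    return "gssapi-with-mic" in methods or "gssapi-keyex" in methods

def ssh_argv(user: str, hostname: str) -> List[str]:
    """Allow GSSAPI only, so a fallback to the password prompt surfaces as
    'Permission denied' instead of hiding a broken setup. gssapi-keyex also
    needs GSSAPIKeyExchange=yes (only patched clients, e.g. RHEL, have it)."""
    return ["ssh", "-o", "GSSAPIAuthentication=yes",
            "-o", "PreferredAuthentications=gssapi-with-mic",
            "-o", "PasswordAuthentication=no", f"{user}@{hostname}"]

def main(user: str, hostname: str, realm: str) -> int:
    """Run the four checks with the real tools; returns ssh's exit status."""
    def out(argv):
        return subprocess.run(argv, capture_output=True, text=True).stdout
    print("TGT:", tgt_status(out(["klist"]), realm, datetime.now()) or "none; run kinit")
    domain = hostname.split(".", 1)[-1]
    txt = realm_from_txt(out(["dig", "+short", f"_kerberos.{domain}", "txt"]))
    print("DNS realm:", txt or "absent; needs [domain_realm] in /etc/krb5.conf")
    ok = subprocess.run(["kvno", host_principal(hostname, realm)]).returncode == 0
    print("host principal:", "ok" if ok else "unknown to the KDC")
    return subprocess.run(ssh_argv(user, hostname) + ["true"]).returncode

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:4]))
```

Run it as `python3 krb5_ssh_preflight.py me hostxx.example.com EXAMPLE.COM` (assumed names). The point of `PasswordAuthentication=no` in `ssh_argv()` is diagnostic: with it, a broken ticket or unknown host principal fails loudly rather than quietly dropping you back to the password prompt you were trying to avoid.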

The 4-step method is correct (there also are Kerberos SRV records in DNS that are even more elegant and are present in every Active Directory). I use this all the time, and have been advocating this above pubkey methods for mostly security and control-related reasons.

That said, this only gives interactive login, although it can be quasi-interactive once you've gotten a ticket on your workstation. The Kerberos ticket acts much like the SSH agent; once you have it, new connections are instantaneous and password-free, albeit with a time limit.

To get interactive batch login, you need to get a keytab file, a file that essentially contains the password for a Kerberos account, much like the private half of an SSH key. Corresponding security precautions apply, especially since the keytab is not encrypted or protected with a password.

I'm quite reluctant to provide my users with their keytabs for their personal accounts, but am aggressively using service accounts with minimal permissions for various batch jobs, especially where it is critical that credentials are delegated to the remote system, something pubkey simply can't achieve.

Keytabs can be created using ktutil on Unix or KTPASS.EXE on Windows (the latter from AD Kerberos services). Do note that ktutil exists in two flavours, Heimdal and MIT, and their syntax differ. Reading the manpage on a relevant system helps.

mansaxel
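A worked version of the keytab-based batch login this answer describes, added here as an example and not taken from the answer or from any Kerberos project: it builds the stdin script for MIT `ktutil` (the Heimdal form quoted in the comment is from memory and should be checked against that system's man page, as the answer advises), enforces the file ownership and mode a keytab warrants, and runs a remote command with a job-private credential cache so the user's interactive ticket cache is never touched. The principal `batch@EXAMPLE.COM`, the keytab path, the target host and the remote command are assumed placeholders.

```python
"""Non-interactive ssh from a keytab: an added example, not the answer's code.
Covers (a) the MIT ktutil input that writes a keytab, (b) the ownership/mode
check the keytab warning calls for, and (c) a batch job that gets a ticket
into a job-private cache, runs ssh with GSSAPI, then destroys the cache.
Principal, realm, paths and the remote command are assumed placeholders."""
import os
import stat
import subprocess
import tempfile
from typing import List


def mit_ktutil_script(principal: str, kvno: int, enctypes: List[str], keytab: str) -> str:
    """stdin for MIT `ktutil`. Heimdal's ktutil takes options instead, roughly
    `ktutil -k FILE add -p PRINCIPAL -V KVNO -e ENCTYPE -w PASSWORD` (from
    memory; check its man page). `-password` makes ktutil prompt, keeping the
    password out of argv and shell history; kvno must match the KDC's."""
    lines = [f"addent -password -p {principal} -k {kvno} -e {e}" for e in enctypes]
    return "\n".join(lines + [f"wkt {keytab}", "quit"]) + "\n"


def mode_is_private(st_mode: int, st_uid: int, euid: int) -> bool:
    """A keytab is an unencrypted long-term key: require a regular file owned
    by the job's user with no group/other permission bits."""
    return (stat.S_ISREG(st_mode) and st_uid == euid
            and stat.S_IMODE(st_mode) & 0o077 == 0)


def keytab_is_private(path: str) -> bool:
    st = os.stat(path)
    return mode_is_private(st.st_mode, st.st_uid, os.geteuid())


def ssh_args(target: str, delegate: bool = False) -> List[str]:
    """BatchMode so ssh never blocks on a prompt; delegation forwards the TGT
    to the remote side (which pubkey cannot do) only when the job needs it."""
    args = ["ssh", "-o", "GSSAPIAuthentication=yes",
            "-o", "PreferredAuthentications=gssapi-with-mic",
            "-o", "BatchMode=yes"]
    if delegate:
        args += ["-o", "GSSAPIDelegateCredentials=yes"]
    return args + [target]


def batch_ssh(keytab: str, principal: str, target: str,
              command: List[str], delegate: bool = False) -> int:
    """kinit from the keytab (MIT syntax) into a job-private credential cache,
    run the remote command, destroy the cache. The user's interactive cache
    is never touched, so a failed job cannot clobber it."""
    if not keytab_is_private(keytab):
        raise PermissionError(f"{keytab}: must be mode 0600 and owned by you")
    with tempfile.TemporaryDirectory() as d:
        env = dict(os.environ, KRB5CCNAME=f"FILE:{d}/cc")
        subprocess.run(["kinit", "-k", "-t", keytab, principal], env=env, check=True)
        try:
            return subprocess.run(ssh_args(target, delegate) + command, env=env).returncode
        finally:
            subprocess.run(["kdestroy"], env=env)


if __name__ == "__main__":
    # Assumed placeholders. The keytab is written beforehand by feeding
    # mit_ktutil_script(...) to `ktutil` on stdin.
    raise SystemExit(batch_ssh("/var/lib/batch/batch.keytab", "batch@EXAMPLE.COM",
                               "batch@hostxx.domainxx", ["uptime"]))
```

Two design points follow from the answer's warning. The permission check runs before `kinit`, so a world-readable keytab stops the job instead of silently working; and `KRB5CCNAME` points each job at its own cache under a temporary directory, so concurrent jobs for different service accounts cannot pick up each other's tickets and `kdestroy` in the `finally` clause leaves nothing behind even when ssh fails.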