How-to: Enable Passwordless Login for SSH Through SSO

Environment

UCS running in a Microsoft AD domain.
If UCS is not joined to the Microsoft AD domain, this is not possible, because Kerberos uses different realms in that case.

Step 1

Enable Kerberos authentication support for the SSH daemon in the file /etc/ssh/sshd_config on all servers to be used for passwordless login.

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
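
One way to check a server's file for the Step 1 settings, as an added example that is not part of the original how-to. The function names and the sample file are constructed for illustration, and the script assumes the directives sit in the global section of a single file (Include files and Match blocks are not followed).

```shell
# Added example: audit one sshd_config file for the five Step 1 directives.
REQUIRED="GSSAPIAuthentication GSSAPICleanupCredentials KerberosAuthentication
KerberosOrLocalPasswd KerberosTicketCleanup"

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
# sshd uses the first value it obtains; keywords are case-insensitive.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            sub(/[ \t]*=[ \t]*/, " ")          # accept the "Keyword=value" form
            key = tolower($1)
            if (key == "match") exit           # global section ends here
            if (key == want) { print tolower($2); exit }
        }
    ' "$1"
}

# check_sshd_kerberos FILE: return 0 if every directive is effectively "yes",
# otherwise print one line per problem and return 1 (2 if FILE is unreadable).
check_sshd_kerberos() {
    file=$1 rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for kw in $REQUIRED; do
        val=$(effective_value "$file" "$kw")
        case $val in
            yes) ;;
            "")  echo "$kw: not set in the global section"; rc=1 ;;
            *)   echo "$kw: effective value is '$val', expected yes"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: an early "no" wins over a later "yes"; one line is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
kerberosauthentication = yes
KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
EOF
check_sshd_kerberos "$sample" || echo "audit failed with exit code $?"
rm -f "$sample"
```

On a live server, running `sshd -T` as root prints the effective configuration, including values that come from Include files.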

Step 2

Enable GSSAPI support in PuTTY:
Connection --> SSH --> Auth --> Attempt GSSAPI auth (ssh2) = ON

Step 3

This step is only needed when you want to hop through SSH from one server to the next without passwords.
Enable Kerberos delegation:
In AD, edit the system you are using for PuTTY. Go to the “Delegation” tab and set the parameter “Trust this computer for delegation to any service (Kerberos only)”. This option is AD's unconstrained delegation setting.

From now on you can go to any server through GSSAPI delegation without the need of typing passwords or having public keys in place.
