Problem:
Your Ubuntu clients and servers have joined your UCS domain successfully, but passwordless SSH authentication via Kerberos does not work.
Solution
You have to export a keytab from the UCS master for every SSH server, place it in the right location, set the right options in the SSH server and client configuration, and Kerberos will do the job. The keytabs are generated automatically during the domain join.
If you would like to list all existing principals, run this on the UCS master:
univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' userPrincipalName servicePrincipalName
What do I have to do?
First, export your keytab via an SSH login on your UCS master server.
ssh root@dc1.tux.lan
samba-tool domain exportkeytab --principal=host/pc-peter.tux.lan@TUX.LAN /root/pc-peter-host.keytab
Copy this file to the client PC/server where your SSH server is running, to:
/etc/krb5.keytab
Have a look at the permissions; they should be:
ls -l /etc/krb5.keytab
-rw------- 1 root root 377 Jan 8 17:13 /etc/krb5.keytab
Modify your SSH server and client configuration
Only one option matters for the server; two small changes are needed on the client. All other default settings can be kept.
SSH server config
nano /etc/ssh/sshd_config
Only this entry needs to be set here:
GSSAPIAuthentication yes
And restart the SSH server:
systemctl restart sshd
SSH client config
nano /etc/ssh/ssh_config
And set these two options:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
After these settings you can immediately connect to your Ubuntu server via SSH using Kerberos, without a password. You can also connect graphically via KDE’s Dolphin. All drives that have been set up with pam_mount and Kerberos are automatically mounted in Ubuntu via Kerberos. Really nice.
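As an added check that is not part of the original post: a small POSIX shell script that verifies the three things above on the SSH server (keytab mode and owner, the host principal present in the keytab via MIT Kerberos "klist -kt", and the GSSAPI options in sshd_config and ssh_config). The function names and argument order are my own; the keytab path and principal are passed in as arguments.

```shell
#!/bin/sh
# Added verification script (not from the original post). Checks the keytab
# permissions, the host principal in the keytab (MIT "klist -kt") and the
# GSSAPI options in sshd_config/ssh_config as described above.
# Function names and argument order are my own choices.

# 0 if FILE exists with mode 0600 and is owned by OWNER (default: root).
keytab_perms_ok() {
    file="$1"; owner="${2:-root}"
    [ -f "$file" ] || return 1
    [ "$(stat -c '%a' "$file")" = "600" ] || return 1
    [ "$(stat -c '%U' "$file")" = "$owner" ]
}

# 0 if PRINCIPAL (e.g. host/pc-peter.tux.lan@TUX.LAN) is listed in keytab FILE.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || return 2   # krb5-user not installed
    klist -kt "$1" 2>/dev/null | grep -Fq "$2"
}

# 0 if the first uncommented OPTION line in CONFIG has value WANT.
# sshd/ssh use the first value they read, so the first match decides.
ssh_option_is() {
    config="$1"; option="$2"; want="$3"
    [ -r "$config" ] || return 1
    got=$(awk -v opt="$option" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(opt) { print $2; exit }' "$config")
    [ "$got" = "$want" ]
}

# Run all checks; prints one FAIL line per problem and returns non-zero.
check_host() {
    keytab="$1"; principal="$2"
    sshd_cfg="${3:-/etc/ssh/sshd_config}"; ssh_cfg="${4:-/etc/ssh/ssh_config}"
    rc=0
    keytab_perms_ok "$keytab" || { echo "FAIL: $keytab must be 0600 root:root"; rc=1; }
    keytab_has_principal "$keytab" "$principal" || { echo "FAIL: $principal not in $keytab (or klist missing)"; rc=1; }
    ssh_option_is "$sshd_cfg" GSSAPIAuthentication yes || { echo "FAIL: GSSAPIAuthentication yes not set in $sshd_cfg"; rc=1; }
    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        ssh_option_is "$ssh_cfg" "$opt" yes || { echo "FAIL: $opt yes not set in $ssh_cfg"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: Kerberos SSH setup looks complete"
    return "$rc"
}

# Usage: sh check-krb-ssh.sh /etc/krb5.keytab host/pc-peter.tux.lan@TUX.LAN
[ "$#" -ge 2 ] && check_host "$@"
```

Run it as root on the Ubuntu SSH server after copying the keytab; a clean run prints a single OK line.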