Problem: SSH via Kerberos from Ubuntu to Ubuntu in a UCS environment did not work

Problem:

Your Ubuntu clients and servers have joined your UCS domain successfully, but passwordless SSH authentication via Kerberos does not work.

Solution

You have to export a keytab from the UCS master for every SSH server, place it in the right location, set the right options in the SSH server and client configuration, and Kerberos will do the job. The host principals and their keys are created automatically during the domain join; the export step below only writes them into a keytab file.

If you would like to list all existing principals, you can do so on the UCS master with this command:
univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' userPrincipalName servicePrincipalName

What do I have to do?

First, export the keytab by logging in via SSH on your UCS master server. The principal must be host/<FQDN of the SSH server>@<REALM>, exactly the name clients will ask for:

ssh root@dc1.tux.lan
samba-tool domain exportkeytab --principal=host/pc-peter.tux.lan@TUX.LAN /root/pc-peter-host.keytab

Copy this file to the client PC or server on which your SSH server is running, i.e. to:
/etc/krb5.keytab
Check the permissions: the keytab contains the host's long-term key, so it must be readable by root only. They should look like this:

ls -l /etc/krb5.keytab  
-rw------- 1 root root 377 Jan  8 17:13 /etc/krb5.keytab

Modify your SSH server and client configuration

Only one option matters on the server; two small changes are needed on the client. All other default settings can be kept. On the client, GSSAPIAuthentication is what makes the login itself work; GSSAPIDelegateCredentials additionally forwards your Kerberos ticket to the server, which is what lets the server use Kerberos on your behalf afterwards (e.g. for the mounts mentioned at the end). Because a forwarded ticket lets that server act as you, enable delegation only for hosts you trust.

SSH server config

nano /etc/ssh/sshd_config

Only this entry needs to be set here:

GSSAPIAuthentication yes

And restart the SSH server:

systemctl restart sshd

SSH client config

nano /etc/ssh/ssh_config

And set these two options:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

After these settings you can immediately connect to your Ubuntu server via SSH using Kerberos, without a password. You can also connect graphically via KDE's Dolphin. All drives that have been set up with pam_mount and Kerberos are automatically mounted in Ubuntu via Kerberos. Really nice.
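The whole procedure above, from exporting the keytab to configuring both sides, as one script. This is an added example and not code from the original post or from Univention; the host name pc-peter.tux.lan, the realm TUX.LAN and the master dc1.tux.lan are the post's sample values and are assumptions here, and the client part goes one step beyond the post by scoping credential delegation to the domain's own hosts in a drop-in file (which assumes Ubuntu 20.04 or later, whose /etc/ssh/ssh_config includes ssh_config.d/*.conf):

```shell
#!/bin/sh
# Added example, not code from the original post. It wires a domain-joined
# Ubuntu host for Kerberos SSH logins. The names below are assumptions:
# change them to your own host, realm and UCS master.
HOST_FQDN="${HOST_FQDN:-pc-peter.tux.lan}"   # assumption: the SSH server being set up
REALM="${REALM:-TUX.LAN}"                     # assumption: Kerberos realm of the UCS domain
DC="${DC:-dc1.tux.lan}"                       # assumption: UCS master (Samba AD DC)
DOMAIN="${HOST_FQDN#*.}"                      # tux.lan: scope for credential delegation

# Set KEY to VALUE in an sshd_config/ssh_config-style file. An existing line,
# active or commented out ("#GSSAPIAuthentication no"), is rewritten in place;
# otherwise the option is appended.
set_ssh_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the first effective (uncommented) value of KEY in FILE, or nothing.
get_ssh_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The keytab holds the host's long-term Kerberos key: anyone who can read it
# can impersonate this server, so it must be mode 0600 (and owned by root).
keytab_is_locked_down() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Client side: enable GSSAPI for every host, but only delegate (forward) the
# user's TGT to hosts in our own domain. A delegated TGT lets the server act
# as the user toward any service, so it should never go to arbitrary hosts.
write_client_dropin() {
    cat > "$1" <<EOF
# Kerberos SSH settings for the $DOMAIN domain (generated)
Host *.$DOMAIN
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Full procedure; run as root on the SSH server with "--apply".
apply_all() {
    short="${HOST_FQDN%%.*}"
    # 1. Export the host principal's keys on the UCS master, fetch the file,
    #    then remove the copy left behind on the master.
    ssh "root@$DC" "samba-tool domain exportkeytab --principal=host/$HOST_FQDN@$REALM /root/$short-host.keytab"
    scp "root@$DC:/root/$short-host.keytab" /etc/krb5.keytab
    ssh "root@$DC" "rm -f /root/$short-host.keytab"
    chown root:root /etc/krb5.keytab
    chmod 0600 /etc/krb5.keytab
    keytab_is_locked_down /etc/krb5.keytab
    # Is the principal the clients will ask for really in the keytab?
    klist -k /etc/krb5.keytab | grep -q "host/$HOST_FQDN@$REALM"
    # 2. Server side: accept GSSAPI, syntax-check, restart (sshd is an alias of ssh on Ubuntu).
    set_ssh_option /etc/ssh/sshd_config GSSAPIAuthentication yes
    sshd -t
    systemctl restart ssh
    # 3. Client side: scoped drop-in instead of editing /etc/ssh/ssh_config globally.
    write_client_dropin /etc/ssh/ssh_config.d/kerberos.conf
    echo "Done. Test with: kinit <user> && ssh -o PreferredAuthentications=gssapi-with-mic $HOST_FQDN"
}

if [ "${1:-}" = "--apply" ]; then
    set -e
    apply_all
fi
```

To verify from a client, get a ticket with kinit, then force the Kerberos method with ssh -o PreferredAuthentications=gssapi-with-mic -o PasswordAuthentication=no <host>; ssh -v will report "Authenticated to ... (gssapi-with-mic)". If it falls back to a password prompt, first check that klist -k /etc/krb5.keytab on the server lists host/<FQDN>@<REALM> for exactly the name the client used.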
