HP OpenVMS Systems Documentation

Content starts here

Setting Up a Kerberos SSH Connection

 » Table of Contents

 » Glossary

 » Index

To establish an SSH connection using Kerberos authentication, the SSH client user enters the kinit command to obtain a ticket-granting ticket (TGT).

Forwarding Credentials

Kerberos allows SSH to forward Kerberos credentials from client host to server host, obviating the need for users to re-enter their Kerberos password each time they use a Kerberized application. For example, with credentials forwarding, a user on HOSTA issues a kinit command, connects to SSH from HOSTA to HOSTB, and, once logged into HOSTB, connects to HOSTC, without ever issuing a kinit command on HOSTB. After entering the kinit command on HOSTA, the credentials follow the user to the session on HOSTB and then to the session on HOSTC.

To forward Kerberos credentials, include the -f option on the kinit command. This option indicates that a forwardable TGT is to be produced.

In addition to the presence of a forwardable TGT, the Kerberized application being used must support credentials forwarding. You can forward credentials when you are using the kerberos-tgt-2 and gssapi-with-mic authentication methods. The kerberos-2 authentication method does not support forwarding of the user's Kerberos credentials to the process on the SSH server host.

Managing Kerberos Credential Forwarding

Credentials are only forwarded from the client to the server if the GssapiDelegateCredentials client configuration parameter is set to yes. If the parameter is set to yes, the SSH client delegates credentials to the server. If it is set to no, the client does not delegate credentials. The default is no. For more information about client configuration parameters, see Appendix B.

Forwarding Kerberos Credentials Example

The following example shows how to create forwardable Kerberos credentials and use them to connect:

    !!! User issues kinit with -f to get a forwardable TGT.
    !!! In this example the Kerberos principal user name is lower case and
    !!! the realm is uppercase.
    SYSA> kinit -f "smith"
    Password for smith@SYSA.XYZ.COM:

    !!! Connect to system "sysb" forcing use of kerberos-tgt-2 authentication
    !!! method.
    SYSA> ssh -o"AllowedAuthentications kerberos-tgt-2@ssh.com" smith@sysb
    Authentication successful.

     Welcome to HP OpenVMS Industry Standard 64 Evaluation Release V8.2

    !!! We've been allowed in. A klist -f (-f for "full") shows that we have a
    !!! TGT without having issued a kinit command on SYSB.
    SYSB> klist -f
    Ticket cache: FILE:WORK10$:[SMITH.KRB.SYSB.TMP]KRB5CC_1480589921
    Default principal: smith@SYSA.XYZ.COM

    Valid starting     Expires            Service principal
    09/22/05 14:18:53  09/23/05 00:17:16  krbtgt/SYSA.XYZ.COM@SYSA.XYZ.COM
            Flags: FfT


    Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
    KRB$KLIST: You have no tickets cached

    !!! Now use ssh to connect back to sysa but this time use the simpler
    !!! kerberos-2 authentication method.
    SYSB> ssh -o"AllowedAuthentications kerberos-2@ssh.com" smith@sysa
    Authentication successful.

    UNAUTHORIZED ACCESS PROHIBITED OpenVMS AXP (TM) Operating System, Version V8.2

    !!! We have been allowed in but have no TGT created for us because we
    !!! used kerberos-2:
    SYSA> klist -f
    KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_33488912)



    Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
    KRB$KLIST: You have no tickets cached