4

I am trying to figure out the SSH mechanism used while I try to ssh onto a production host. I see that the SSH client can choose among the available modes. But I'm not sure which mode is chosen and how.

The SSHServer side sshd_config is configured for:

UsePAM yes
PasswordAuthentication yes
GSSAPIAuthentication yes
KerberosAuthentication no
KerberosOrLocalPassword no

I want to know if the authentication uses kerberos or ssh_key based.

kasperd
  • 29,894
  • 16
  • 72
  • 122
broun
  • 187
  • 2
  • 2
  • 8

1 Answers1

5

You can use Kerberos authentication using the GSSAPI (Generic Security Services Application Program Interface).

To achieve this you can put these settings on your sshd_config file:

ChallengeResponseAuthentication yes
GSSAPIKeyExchange yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

To enable PAM with password access, you should have this options enabled:

UsePAM yes
PasswordAuthentication yes

Test if everything is working fine issuing a ticket for yourself and then try to connect over ssh and see if the sshd accepts your connection without any password. To do this you first need the Kerberos ticket:

kinit username@EXAMPLE.COM

Check if the ticket has been granted successfully with the klistcommand and then ssh to your server:

ssh username@server.example.com -k

If you want some debugging during the connection, just append the -v flag in the ssh command.

kasperd
  • 29,894
  • 16
  • 72
  • 122
Vinícius Ferrão
  • 5,400
  • 10
  • 52
  • 91
  • Thanks, for SSH -v i got Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive,hostbased. And I see failures for GSS and jumped to public and then to passowrd. How is the order determined as kerberos->key->password – broun Jun 19 '14 at 02:37
  • 1
    The order is defined in the client side, with the PreferredAuthentications options in /etc/ssh/ssh_config or in user defined preferences in ~/.ssh/config – Vinícius Ferrão Jun 19 '14 at 02:42
  • Just one more thing. If you want to use precedence for logins you should seriously consider using the PAM stack and make rules. PAM rules are processed in order, so if you put Kerberos first, it will first try Kerberos authentication (with password, for TGT), then Unix, then LDAP, or whatever. But keep in mind that using PAM only passwords are accepted. – Vinícius Ferrão Jun 19 '14 at 14:56