
Is there a way to accomplish Kerberos authentication for some accounts and ssh-key authentication for the others in Linux? The Kerberos method is for accounts that are in Windows and Linux, whereas the key method is for Linux accounts.

2 Answers

2

Enable both in sshd_config. For example:

AuthenticationMethods gssapi-with-mic publickey

The lack of a group-delimiting comma is important: it means or, not and.

John Mahowald
  • 30,009
  • 1
  • 17
  • 32
  • Does "or" mean: if an account has a Kerberos token, then it will authenticate using Kerberos; likewise, if it does not have a Kerberos token, it will authenticate using ssh-keys? – Anant Raman Jan 12 '20 at 15:27
  • I think both are available, and either is sufficient. Test and see if it meets your requirements. – John Mahowald Jan 12 '20 at 19:35
0

Authentication in ssh is client-driven: the ssh client decides which authentication method to use among the available ones.

If you just want to provide users a choice between Kerberos and ssh-keys, make sure they are active:

GSSAPIAuthentication yes
GSSAPIKeyExchange no
PubkeyAuthentication yes

If GSSAPIKeyExchange is yes the server will authenticate to the client using Kerberos, not (necessarily) the host key.

If, for some reason, you want to restrict the available authentication methods to certain group of users, you can use the AuthenticationMethods directive from John's answer in a Match block:

Match Group <windows_user_group>
AuthenticationMethods gssapi-with-mic

However, I don't see a valid reason to do so, since it will just prevent Windows users from logging in when the Kerberos server is down.

Piotr P. Karwasz
  • 5,292
  • 2
  • 9
  • 20
  • I completely missed that the "client" ssh configuration has the controls. Since we know which accounts require gssapi-with-mic and which ones require ssh-keys, it is easy to configure using a configuration management tool. – Anant Raman Jan 15 '20 at 18:03
  • If the client has no Kerberos ticket, he won't even try `gssapi-with-mic` even if it is enabled in the config (I get `debug2: we did not send a packet, disable method`). I would enable both of them in the default client config and let ssh sort it through. – Piotr P. Karwasz Jan 15 '20 at 18:10
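The following is an added example, not code from either answer, that models how sshd evaluates the two configurations discussed above: John's global `AuthenticationMethods gssapi-with-mic publickey` (space-separated entries are alternatives, comma-separated entries inside one alternative must all succeed in order) and Piotr's `Match Group` override that restricts one group to Kerberos only. The sshd_config fragment, the group name `windows_users`, the user names and the group membership table are all constructed for the example; only the directive names and the authentication method names come from OpenSSH.

```python
"""Model of sshd's AuthenticationMethods evaluation (added example).

Handles only the subset of sshd_config used in the answers: a global
AuthenticationMethods line and `Match Group <name>` blocks overriding it.
Real sshd reads group membership from NSS; here GROUPS stands in for it.
"""
from typing import Dict, List, Optional

# Constructed sshd_config fragment; 'windows_users' is an assumed group name.
SSHD_CONFIG = """
GSSAPIAuthentication yes
GSSAPIKeyExchange no
PubkeyAuthentication yes
AuthenticationMethods gssapi-with-mic publickey

Match Group windows_users
    AuthenticationMethods gssapi-with-mic
"""

# Constructed group membership (stand-in for `getent group`).
GROUPS = {"windows_users": {"alice", "bob"}}

Alternatives = List[List[str]]  # outer list = OR, inner list = AND (ordered)


def parse_methods(value: str) -> Alternatives:
    """'publickey,keyboard-interactive gssapi-with-mic' ->
    [['publickey', 'keyboard-interactive'], ['gssapi-with-mic']]"""
    return [entry.split(",") for entry in value.split()]


def parse_config(text: str) -> Dict:
    """Return the global directive and the per-group overrides."""
    cfg: Dict = {"global": None, "match_group": {}}
    current: Optional[str] = None  # None = global section, else group name
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key = key.lower()
        if key == "match":
            crit = val.split()
            # Only `Match Group <name>` is modelled; other criteria are skipped.
            if len(crit) >= 2 and crit[0].lower() == "group":
                current = crit[1]
            else:
                current = "__unsupported__"
        elif key == "authenticationmethods":
            parsed = parse_methods(val)
            if current is None:
                cfg["global"] = parsed
            elif current != "__unsupported__":
                cfg["match_group"][current] = parsed
    return cfg


def effective_methods(cfg: Dict, user: str) -> Optional[Alternatives]:
    """First matching Match block wins, otherwise the global directive."""
    for group, methods in cfg["match_group"].items():
        if user in GROUPS.get(group, set()):
            return methods
    return cfg["global"]


def satisfies(alt: List[str], completed: List[str]) -> bool:
    """Every method of one alternative was completed, in the listed order."""
    it = iter(completed)
    return all(m in it for m in alt)


def is_authenticated(cfg: Dict, user: str, completed: List[str]) -> bool:
    """True if the methods the client completed satisfy some alternative."""
    alternatives = effective_methods(cfg, user)
    if alternatives is None:
        return bool(completed)  # no directive: any enabled method suffices
    return any(satisfies(alt, completed) for alt in alternatives)


if __name__ == "__main__":
    cfg = parse_config(SSHD_CONFIG)
    # Linux-only account: a key is enough.
    print("carol/publickey:", is_authenticated(cfg, "carol", ["publickey"]))
    # Group member: restricted to Kerberos, so a key alone is refused.
    print("alice/publickey:", is_authenticated(cfg, "alice", ["publickey"]))
    print("alice/gssapi:", is_authenticated(cfg, "alice", ["gssapi-with-mic"]))
```

The `alice` case is Piotr's caveat in concrete form: with the Match block in place, a member of the group cannot fall back to a key when the KDC is unreachable, whereas without it the global line lets either method succeed. On a real host the effective directive for a given user can be checked without guessing by running `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` (constructed values) and reading the `authenticationmethods` line it prints.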