I want to authenticate with SSH through Kerberos SSO. When I'm logged in with my user principal on sourcehost, I get my Kerberos ticket, but I can't use it to SSH into targethost.
The problem seems to be the hostname. I have a host principal host/[email protected], but no matter whether I run ssh targethost or ssh targethost.example.com, it gets translated into the host principal host/[email protected] (see the error message below), which doesn't exist. I might be wrong, but I think it should be the other way around: both ssh targethost and ssh targethost.example.com should be translated into the host principal host/[email protected].
Here's the error:
$ ssh targethost.example.com -v
...
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/[email protected] not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/[email protected] not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
...
debug1: Next authentication method: password
[email protected]'s password:
Can anybody explain how the host principal is derived from the hostname and how this can be configured (I'm on Ubuntu by the way)?
Edit:
grawity's answer led me to a solution that I think is a good one for my configuration.
- I found in Garman's Kerberos book that KDC-side canonicalization was the preferred way.
- For my LDAP-backed KDC I found in the Kerberos documentation (at the bottom of this page) how this can be done.
So after creating the host principal with kadmin.local / addprinc using the FQDN, I had to add an alias to the new principal entry in LDAP by running ldapmodify with the following input:
dn: krbPrincipalName=host/[email protected],cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
replace: krbCanonicalName
krbCanonicalName: host/[email protected]
-
add: krbPrincipalName
krbPrincipalName: host/[email protected]
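The following is an added model of what happens on both sides of the exchange described in the question; it is not part of the original post and not krb5's own code. An MIT Kerberos client (ssh's GSSAPI step included) builds the service principal as host/<canonical hostname>@<realm>: unless [libdefaults] dns_canonicalize_hostname disables it, the typed name is pushed through the system resolver (getaddrinfo with AI_CANONNAME, then a reverse lookup when rdns is enabled), lowercased, and mapped to a realm via [domain_realm] or default_realm. One resolver state that yields exactly the symptom above is a canonical name that is the short name (for instance an /etc/hosts entry listing the short name before the FQDN, or a PTR record pointing at the short name); the constructed FORWARD/REVERSE tables below assume that. The constructed KDC_DB models the LDAP backend's alias mechanism (extra krbPrincipalName values beside krbCanonicalName), and the "fallback" mode exists only in MIT krb5 1.18 and later. Function and table names are hypothetical. Principal names here assume the short name is host/targethost@EXAMPLE.COM and the FQDN one is host/targethost.example.com@EXAMPLE.COM.

```python
"""Model of MIT krb5 host-principal derivation and KDC alias lookup.

Added illustration, not krb5 source. The resolver tables and the KDC
database are constructed sample data standing in for getaddrinfo()/
getnameinfo() and for the LDAP-backed principal store.
"""
from dataclasses import dataclass, field

# Constructed resolver: forward table name -> (canonical name, address),
# reverse table address -> PTR name. Both return the short name, which is the
# assumed cause of "host/targethost@..." being requested for either spelling.
FORWARD = {
    "targethost": ("targethost", "192.0.2.10"),
    "targethost.example.com": ("targethost", "192.0.2.10"),
}
REVERSE = {"192.0.2.10": "targethost"}

# Constructed KDC database: canonical principal -> set of alias principals
# (the LDAP backend keeps aliases as additional krbPrincipalName values).
KDC_DB = {
    "host/targethost.example.com@EXAMPLE.COM": {"host/targethost@EXAMPLE.COM"},
}


@dataclass
class LibDefaults:
    """The [libdefaults]/[domain_realm] settings that matter here."""
    dns_canonicalize_hostname: str = "true"   # "true", "false" or "fallback"
    rdns: bool = True
    default_realm: str = "EXAMPLE.COM"
    domain_realm: dict = field(default_factory=lambda: {
        ".example.com": "EXAMPLE.COM",
        "example.com": "EXAMPLE.COM",
    })


def realm_for(host: str, cfg: LibDefaults) -> str:
    """Exact [domain_realm] match, then the closest parent domain, else default_realm."""
    if host in cfg.domain_realm:
        return cfg.domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in cfg.domain_realm:
            return cfg.domain_realm[parent]
    return cfg.default_realm


def canonicalize(hostname: str, cfg: LibDefaults, forward=FORWARD, reverse=REVERSE) -> str:
    """Forward lookup for the canonical name, optional reverse lookup, lowercase."""
    name = hostname.rstrip(".").lower()
    if name not in forward:
        return name  # resolution failure: krb5 keeps the name as typed
    canon, addr = forward[name]
    if cfg.rdns and addr in reverse:
        canon = reverse[addr]
    return canon.rstrip(".").lower()


def host_principal(hostname: str, cfg: LibDefaults, canonical: bool = True) -> str:
    """host/<name>@<realm>, with or without resolver canonicalization."""
    host = canonicalize(hostname, cfg) if canonical else hostname.rstrip(".").lower()
    return f"host/{host}@{realm_for(host, cfg)}"


def kdc_lookup(principal: str, db=KDC_DB):
    """Return the canonical principal for a requested name (alias or not), else None."""
    for canonical, aliases in db.items():
        if principal == canonical or principal in aliases:
            return canonical
    return None


def get_service_ticket(hostname: str, cfg: LibDefaults, db=KDC_DB):
    """Return (requested principal, canonical principal) for the TGS request.

    'true' always canonicalizes first, 'false' never does, 'fallback' sends the
    typed name and canonicalizes only after the KDC answers 'not found'.
    """
    attempts = {"true": [True], "false": [False], "fallback": [False, True]}
    requested = None
    for canonical in attempts[cfg.dns_canonicalize_hostname]:
        requested = host_principal(hostname, cfg, canonical=canonical)
        found = kdc_lookup(requested, db)
        if found:
            return requested, found
    raise LookupError(f"Server {requested} not found in Kerberos database")


if __name__ == "__main__":
    cfg = LibDefaults()
    fqdn_only = {"host/targethost.example.com@EXAMPLE.COM": set()}
    try:
        get_service_ticket("targethost.example.com", cfg, fqdn_only)
    except LookupError as err:
        print("without alias:", err)
    print("with KDC alias:", get_service_ticket("targethost.example.com", cfg))
    print("client-side fix:", get_service_ticket(
        "targethost.example.com", LibDefaults(dns_canonicalize_hostname="false"), fqdn_only))
```

With the default settings the model requests host/targethost@EXAMPLE.COM for both spellings and fails against a KDC that only knows the FQDN principal; the same request succeeds once the KDC carries the alias, which is what the ldapmodify above sets up. Setting dns_canonicalize_hostname = false is the client-side alternative, but it only helps when users type the FQDN. To see which principal a real client asks for, run the ssh command with KRB5_TRACE=/dev/stderr set in the environment.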