OpenSSH supports Kerberos authentication in both protocol version 1 and 2. In version 1, there are special protocol messages to transmit Kerberos tickets. Version 2 does not use Kerberos directly anymore, but relies on GSSAPI, the General Security Services API. This is a programming interface that is not specific to Kerberos—it was designed to hide the peculiarities of the underlying authentication system, be it Kerberos, a public-key authentication system like SPKM, or others. The GSSAPI library included supports only Kerberos, however.
To use sshd with Kerberos authentication, edit /etc/ssh/sshd_config and set the following options:
    # These are for protocol version 1
    #
    # KerberosAuthentication yes
    # KerberosTicketCleanup yes

    # These are for version 2 - better to use this
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
Then restart your SSH daemon using rcsshd restart.
To use Kerberos authentication with protocol version 2, enable it on the client side as well. Do this either in the systemwide configuration file /etc/ssh/ssh_config or on a per-user level by editing ~/.ssh/config. In both cases, add the option GSSAPIAuthentication yes.
You should now be able to connect using Kerberos authentication. Use klist to verify that you have a valid ticket, then connect to the SSH server. To force SSH protocol version 1, specify the -1 option on the command line.
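Before restarting sshd, it helps to confirm that the two protocol version 2 options are really active and not commented out or overridden earlier in the file. The script below is an added example, not part of the original documentation; the function names sshd_option and gssapi_ready and the sample file are made up for illustration, and it assumes that keywords are case-insensitive, that the first value found wins, and that only the global part of the file (before any Match block) matters.

```shell
#!/bin/sh
# Added example: check an sshd_config file for the GSSAPI options shown above.

# Print the global value of KEYWORD in FILE, or "unset".
# Sketch assumptions: first occurrence wins, parsing stops at the first
# Match block, Include directives are not followed.
sshd_option() {  # usage: sshd_option FILE KEYWORD
    awk -F'[ \t=]+' -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/^[ \t]+/, "") }            # drop leading whitespace (re-splits fields)
        /^#/ || NF == 0 { next }          # comment or blank line
        tolower($1) == "match" { exit }   # conditional blocks start here
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# Return 0 only when both options are explicitly set to "yes".
gssapi_ready() {  # usage: gssapi_ready FILE
    rc=0
    for kw in GSSAPIAuthentication GSSAPICleanupCredentials; do
        v=$(sshd_option "$1" "$kw")
        printf '%-26s %s\n' "$kw" "$v"
        [ "$v" = "yes" ] || rc=1
    done
    return $rc
}

# Constructed sample: the configuration from this page, written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# These are for protocol version 1
#
# KerberosAuthentication yes
# KerberosTicketCleanup yes

# These are for version 2 - better to use this
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF

gssapi_ready "$sample" && echo "GSSAPI options enabled"
```

To check a real server, call gssapi_ready /etc/ssh/sshd_config instead of the sample file.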
Additional Information
The file