Lab 2 - SSH and Other Login Methods

The second lab teaches how to configure SSH and PAM to get tickets on login and to log in directly with a Kerberos Ticket.

Set up SSH for Kerberos Login

For this part your computer must have a system keytab with a real service principal such as host/workshop00.inf.ethz.ch. Run the following command to 'join' the computer as computer object to the AD:

# wget https://install.inf.ethz.ch/join/workshop -O /etc/krb5.keytab

Verify that you have a valid keytab by running the following commands as root:

# klist -ke
# kinit -k
# kinit -k {name of the system}$
# kdestroy

You should see a keytab and obtain a ticket.

Questions

  • How many entries does the keytab file have? Why? Answer
    There are nine entries fro three principals and three encryption types each. One is the user principal (hostname plus a $), the other two are service principals.
  • Why did the first kinit -k fail? Answer
    It tried to get a TGT for host@{FQHN}@D.ETHZ.CH but this is a service principal. TGTs are only issued for user principals.

Now follow the instructions here to configure sshd.

Log in to optimus.inf.ethz.ch or maximus.inf.ethz.ch with your ETH user name. From there log in to your test system with you ETH user name. The second login will not ask for a password.

Your test system is now correctly set up for Kerberos login via SSH.

Set up PAM

Follow the instructions here to set up PAM on your system.

Set up Ticket Renewal

Log in to your test system with your ETH user name. Follow the instructions in the section'SSH' of this topic to configure the account for SSH ticket renewal.

Log out and log in again. Verify that krenew is now running:

$ ps -elf | grep krenew


Page URL: https://www.isg.inf.ethz.ch/bin/view/Main/AboutUsActivitiesWorkshopsKerberosLab2
2019-09-18
© 2019 Eidgenössische Technische Hochschule Zürich