Kerberos Authentication through Windows Active Directory

I am trying to set up SSH Kerberos authentication with the following ecosystem: a Windows server that hosts Active Directory, a Linux server on which the SSHD service is running, and a PuTTY client that lives on the Windows server.

The flow is to be able to do a password-less SSH login from the Windows client (PuTTY) hosted on the Windows server to the Linux server, authenticated through the AD hosted on the Windows server.

I have gone through multiple online documents but could not find a concrete explanation of the steps to configure it.

Based on my understanding I did the following:

  1. Windows server:
     - Set up Active Directory with RealmName: test.int
     - Create user "sshuser" and assign the SPN "HOST/[email protected]"
     - Create a keytab for the user like: ktpass -out C:\Users\Administrator\Desktop\Kerberos-Keytab\sshuser.keytab -princ HOST/[email protected] -mapUser [email protected] -pass xxxx -pType KRB5_NT_PRINCIPAL
     - Export the keytab to the Linux server as /etc/krb5.keytab
     - Configure PuTTY to allow Kerberos authentication

  2. Linux server:
     - Create user "sshuser"
     - Modify sshd_config to allow GSSAPI authentication:

        GSSAPIAuthentication yes
        GSSAPICleanupCredentials yes

     - Modify krb5.conf to add the default realm and domain realm "TEST.INT"

After doing all the steps it is still asking for the password. When I debug the logs I found the following information:


    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey out after 134217728 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey in after 134217728 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user sshuser service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: PAM: initializing for "sshuser"
    debug1: PAM: setting PAM_RHOST to "10.46.95.65"
    debug1: PAM: setting PAM_TTY to "ssh"

I think I have done the steps correctly but cannot understand why it asks for the password. Could someone tell me how to configure it correctly based upon my problem statement?

Adding new server logs:

    debug1: Set /proc/self/oom_score_adj from 0 to -1000
    debug1: Bind to port 2233 on 0.0.0.0.
    Server listening on 0.0.0.0 port 2233.
    debug1: Bind to port 2233 on ::.
    Server listening on :: port 2233.
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 7 out 7 newsock 7 pipe -1 sock 10
    debug1: sshd version OpenSSH_8.0, OpenSSL 1.1.1g FIPS 21 Apr 2020
    debug1: private host key #0: ssh-rsa SHA256:C8qpd7+LWXIBohFQBfAlrbQYZSQjHw/MMwBpsbeLCJY
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:tA8kdX8sTmvRqnX2oMnFG1PP5gzLNph64jJpSfjD1BA
    debug1: private host key #2: ssh-ed25519 SHA256:bvWL5BHAXlMKFs/Ggx5JeQJ/K+eCNBPo9uaiPP80CK8
    debug1: inetd sockets after dupping: 5, 5
    Connection from x.x.x.x port 56722 on x.x.x.x port 2233
    debug1: Local version string SSH-2.0-OpenSSH_8.0
    debug1: Remote protocol version 2.0, remote software version PuTTY_Release_0.76
    debug1: no match: PuTTY_Release_0.76
    debug1: SELinux support enabled [preauth]
    debug1: ssh_selinux_change_context: setting context from 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' to 'unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
    debug1: permanently_set_uid: 74/74 [preauth]
    debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: kex: algorithm: curve25519-sha256 [preauth]
    debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
    debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
    debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
    debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey out after 4294967296 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey in after 4294967296 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user testuser service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: PAM: initializing for "testuser"
    debug1: PAM: setting PAM_RHOST to "xxxxx"
    debug1: PAM: setting PAM_TTY to "ssh"
    debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic [preauth]
    debug1: attempt 1 failures 0 [preauth]
    debug1: Unspecified GSS failure. Minor code may provide more information
    No key table entry found matching host/xxxxxx@
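The last log line shows what sshd's GSSAPI method actually asks the Kerberos library for: a keytab entry for `host/<fqdn>@<REALM>`, while the ktpass command in the question writes the principal as `HOST/...`. MIT Kerberos compares principal names case-sensitively, so it is worth checking the keytab bytes for exactly the name sshd wants. The following is an added example, not code from the question or any answer: a small parser for the MIT keytab file format (version 0x0502) plus a check that reports an exact match, a case-only mismatch, or no entry at all. The realm TEST.INT and the name type KRB5_NT_PRINCIPAL come from the question; the hostname `linuxbox.test.int` and the key bytes are constructed for the sample keytab and are not from the page.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass -pType KRB5_NT_PRINCIPAL
ENCTYPE_AES256_SHA1 = 18     # aes256-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    principal: str            # "service/instance@REALM" or "user@REALM"
    kvno: int
    enctype: int
    key: bytes
    name_type: int = KRB5_NT_PRINCIPAL
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """uint16 big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries into keytab bytes (used here only to construct sample data)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)           # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body  # positive size = live entry
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (ln,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + ln].decode(), pos + ln


def parse_keytab(data: bytes):
    """Parse a version-0x0502 keytab into KeytabEntry objects (deleted slots are skipped)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a freed (deleted) slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present; a nonzero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, name_type, ts))
    return entries


def check_sshd_principal(data: bytes, fqdn: str, realm: str) -> dict:
    """Does the keytab contain host/<fqdn>@<REALM>, the acceptor name sshd's GSSAPI
    method asks the Kerberos library for? MIT Kerberos compares principal names
    case-sensitively, so HOST/... is reported separately as a case-only mismatch."""
    wanted = f"host/{fqdn}@{realm}"
    principals = sorted({e.principal for e in parse_keytab(data)})
    return {
        "wanted": wanted,
        "exact_match": wanted in principals,
        "case_mismatch": [p for p in principals if p != wanted and p.lower() == wanted.lower()],
        "principals": principals,
    }


# Constructed sample: the shape of a keytab produced with the question's ktpass arguments
# (-princ HOST/... -pType KRB5_NT_PRINCIPAL). Hostname and key bytes are made up.
SAMPLE_FQDN = "linuxbox.test.int"
SAMPLE_REALM = "TEST.INT"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(f"HOST/{SAMPLE_FQDN}@{SAMPLE_REALM}", kvno=3, enctype=ENCTYPE_AES256_SHA1, key=b"\x11" * 32),
])

if __name__ == "__main__":
    for k, v in check_sshd_principal(SAMPLE_KEYTAB, SAMPLE_FQDN, SAMPLE_REALM).items():
        print(f"{k}: {v}")
```

On a real server the same comparison is done by reading `/etc/krb5.keytab` with `parse_keytab` (or listing it with `klist -kte`) and passing the output of `hostname -f` as the fqdn; a report with `exact_match` false and a non-empty `case_mismatch` means the keytab holds the right host but the wrong spelling of the service name.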


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
