Authenticate SSH/SFTP logins on CentOS 6.3 against MS domain controllers' Kerberos servers (Active Directory)

This is my way to authenticate SSH/SFTP logins on CentOS 6.3 Enterprise against Active Directory's Kerberos servers (the domain controllers).

Requisites:
– Users on the local host must have exactly the same user names as in Windows AD: the local account name becomes the Kerberos principal (name@REALM), so it must match the AD account name.
– The Kerberos ports (88/tcp and 88/udp) must be open between the CentOS host and the AD servers.
– The local (CentOS) passwords of those users must be locked, so that the AD password is the only one that works.
– The clocks of the CentOS host and the domain controllers must be in sync; Kerberos rejects tickets when the skew exceeds the KDC's limit (5 minutes by default).

Be sure the name of your CentOS host resolves as a fully qualified domain name, either through DNS or locally (/etc/hosts):

[root@centos ~]# hostname
hostname.fully.qualified.name

Check that /etc/resolv.conf points at name servers that can resolve the domain controllers.

Locate the local users you want to authenticate through Kerberos and lock their local passwords.
Authentication will happen outside our box, so every one of those users must have a locked local password; otherwise the old local password would still be accepted alongside the AD one. Verify it like this:

[root@centos ~]# passwd -S localuser1
localuser1 LK 2013-02-04 0 99999 7 -1 (Password locked.)

The iptables firewall on CentOS must allow traffic to the external Windows AD servers. The default CentOS 6 ruleset already permits outbound connections and their replies; if you have a restrictive OUTPUT chain, allow just 88/tcp and 88/udp to the domain controllers. As a quick test only, you can disable iptables altogether:

[root@centos ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: mangle filter   [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Enable Kerberos authentication in sshd. This is still password authentication: the user's AD password travels inside the SSH session and sshd validates it against the KDC (ticket-based single sign-on would need GSSAPIAuthentication and a host keytab, which this post does not cover). Note that without a keytab for the host in the domain, neither sshd nor pam_krb5 can verify that the KDC's reply is genuine, the usual KDC-spoofing caveat of password-only Kerberos.
Change this line:

[root@centos ~]# cat /etc/ssh/sshd_config | grep KerberosAuthentication
#KerberosAuthentication no

to:

[root@centos ~]# cat /etc/ssh/sshd_config | grep KerberosAuthentication
KerberosAuthentication yes

Restart SSHD to apply changes.

[root@centos ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Verify that the pam_krb5 package is installed. If not, install it with yum.

[root@centos ~]# rpm -qa | grep pam_krb5
pam_krb5-2.3.11-9.el6.i686

Configuring system authentication resources
Run authconfig-tui and tick the 'Use Kerberos' option under Authentication. See image:

[root@centos ~]# authconfig-tui

[image: auth-tui1]

Then fill in the Kerberos settings for your domain controllers: the realm (the AD domain name, in upper case), the KDC(s) (your domain controllers) and the admin server. See image:

[image: auth-tui2]

authconfig writes the realm and KDCs to /etc/krb5.conf and adds pam_krb5 to the PAM stack in /etc/pam.d/system-auth-ac; that is why the local passwords must be locked, so pam_krb5 is the only module that can succeed.

That's it!
Now an ssh or sftp login to CentOS as one of those users is checked against your Active Directory password.

Just say thanks if the post was helpful 🙂


About igalvarez

More than 20 years of experience in the IT industry, 20+ of them on Unix: IBM AIX, HMC/SDMC/IVM, SVC, ProtecTIER, PureFlex Systems, VIO servers, IBM BladeCenter, IBM Power Systems, Red Hat Linux, SuSE Linux, Debian/Ubuntu Linux, Solaris, SCO Unix, Tru64 Unix; Linux virtualization: Xen, KVM; databases: DB2, Oracle, PostgreSQL. Find more information here: http://en.gravatar.com/igalvarez
This entry was posted in centos, kerberos, linux.
