Authenticate SSH/SFTP’s CentOS 6.3 using MS DC’s kerberos servers (Active Directory)

This is my way to authenticate SSH/SFTP on  CentOS 6.3 Entreprise using Active directory’s kerberos servers.

– Users on local host must have the exact name as users on windows AD’s.
– Kerbero’s udp/tcp ports should be openned between Centos and AD’s servers.
– All passwords for local users (CentOS) must be locked.

Be sure you can resolve the name of our Centos’s host with fully qualify domain name either from DNS or locally (/etc/hosts).

[root@centos ~]$ hostname

Check that your /etc/resolv.conf is well configured.

Locate the local users you want to authenticate using kerberos and lock theirs local passwords.
As authentication will be outside our box, all passwords on local box must be locked. To verify this:

[root@centos ~]# passwd -S localuser1
localuser1 LK 2013-02-04 0 99999 7 -1 (Password locked.)

Iptable’s firewall on CentOS must permit access to external’s  windows AD servers. In case you don’t know, disable iptables:

[root@centos ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: mangle filter   [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Enable kerberos authentication on SSHD.
Change this line:

[root@centos# ] cat /etc/ssh/sshd_config|grep KerberosAuthentication
#KerberosAuthentication no


[root@centos# ]# cat /etc/ssh/sshd_config|grep KerberosAuthentication
KerberosAuthentication yes

Restart SSHD to apply changes.

[root@centos# ]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Verify you have pam_krb package installed. If not, installt it from yum.

[root@centos# ]# rpm -qa|grep pam_krb5

Configuring system authentication resources
Check option ‘Use Kerberos’ on authconfig-tui’s command. See image:

[root@centos# ]# authconfig-tui

auth-tui1 And fill all information about DC’s servers. See image:


That’s it!
Now you can log on on CentOS using your active directory’s password.

Just thanks if the post was helpful 🙂


About igalvarez

More than 20 years experiences on IT industry. 20+ years in Unix experience : IBM-AIX, HMC/SDMC/IVM, SVC, Protectier, PureFlex Systems, VIOservers, IBM Bladecenters, IBM System Power, RedHat Linux, SuSE Linux, Debian/Ubuntu Linux. Solaris, SCO Unix, Tru64 Unix, Linux Virtualization: XEN, KVM, databases sb2, oracle, postgreSQL, Find more information here:
This entry was posted in centos, kerberos, linux and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s