Secure, working logins matter just as much on the second network interface as on the first. This post walks through enabling Kerberos authentication for a multihomed server enrolled in Red Hat Identity Management (IdM): we add the host principal alias that allows kerberized SSH sessions to reach the server over its additional interface, keeping the channel authenticated and encrypted.
If you enrolled your server in the IdM domain, the host principal was created automatically for the first interface. But what if you need to connect the server to another network and want kerberized connections to work over that interface as well?
By default, this is how the host looks in IdM:
[root@idm01 ~]# ipa host-show samba
Host name: samba.example.net
Platform: x86_64
Operating system: 4.18.0-348.23.1.el8_5.x86_64
Principal name: host/samba.example.net@EXAMPLE.NET
Principal alias: host/samba.example.net@EXAMPLE.NET
SSH public key fingerprint: SHA256:rBsQcIz3m/N2hT/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa),
SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa-sha2-nistp256),
SHA256:Kn9S3fpTLEOunJ1V5c6JPV7+ubheTBzbTw14louFOKQ root@samba.example.net (ssh-ed25519)
Password: False
Keytab: True
Managed by: samba.example.net
Note the Principal name and the Principal alias in the output above. Both were created automatically when the server was enrolled in IdM.
With the configuration shown above, the kerberized SSH connection works without any issues:
[nesiuser01@example.net@idm01 ~]$ klist
Ticket cache: KCM:1737800004
Default principal: nesiuser01@EXAMPLE.NET
Valid starting Expires Service principal
05/03/2022 06:21:53 05/04/2022 06:21:50 krbtgt/EXAMPLE.NET@EXAMPLE.NET
05/03/2022 06:22:08 05/04/2022 06:21:50 cifs/samba.example.net@EXAMPLE.NET
[nesiuser01@example.net@idm01 ~]$ ssh -k samba
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue May 3 06:19:59 2022
[nesiuser01@samba ~]$
Let's add an additional interface to the configuration and see what happens. We add interface 192.168.1.26 and attempt to ssh with the Kerberos ticket to that IP address. Kerberos obviously cannot obtain a service ticket for the new interface, since IdM knows no host principal for it. As a result, even though we hold a valid Kerberos ticket for the user, we cannot log in with it: the interface is not known to IdM, and ssh falls back to password authentication.
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:98:c2:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.1.26/24 brd 192.168.1.255 scope global dynamic noprefixroute eth1
valid_lft 86399sec preferred_lft 86399sec
inet6 fe80::a831:9304:4c63:865f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[nesiuser01@samba ~]$ exit
logout
Connection to samba closed.
[nesiuser01@example.net@idm01 ~]$ ssh -k 192.168.1.26
The authenticity of host '192.168.1.26 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.26' (ECDSA) to the list of known hosts.
Password:
Let's fix that one step at a time.
- First, we need to add the new IP address to DNS and create both the A and the PTR record (--a-create-reverse takes care of the PTR):
[root@idm01 ~]# kinit admin
Password for admin@EXAMPLE.NET:
[root@idm01 ~]# ipa dnsrecord-add example.net samba-vpn --a-rec 192.168.1.26 --a-create-reverse
Record name: samba-vpn
A record: 192.168.1.26
Let's verify:
[root@idm01 ~]# ipa dnsrecord-show
Record name: samba-vpn
Zone name: example.net
Record name: samba-vpn
A record: 192.168.1.26
Is that enough to enable kerberized SSH? Let's try:
[root@idm01 ~]# su - nesiuser01
Last login: Tue May 3 20:07:33 EDT 2022 on pts/1
[nesiuser01@example.net@idm01 ~]$ nslookup samba-vpn
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: samba-vpn.example.net
Address: 192.168.1.26
[nesiuser01@example.net@idm01 ~]$ ssh -k samba-vpn
The authenticity of host 'samba-vpn (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'samba-vpn' (ECDSA) to the list of known hosts.
Password:
It seems that is not enough. We also need to add a host principal alias for the new name:
[root@idm01 ~]# ipa host-add-principal samba.example.net 'host/samba-vpn.example.net@EXAMPLE.NET'
----------------------------------------------------
Added new aliases to host "samba.example.net"
----------------------------------------------------
Host name: samba.example.net
Principal alias: host/samba.example.net@EXAMPLE.NET, host/samba-vpn.example.net@EXAMPLE.NET
[root@idm01 ~]# ipa host-show samba.example.net
Host name: samba.example.net
Platform: x86_64
Operating system: 4.18.0-348.23.1.el8_5.x86_64
Principal name: host/samba.example.net@EXAMPLE.NET
Principal alias: host/samba.example.net@EXAMPLE.NET, host/samba-vpn.example.net@EXAMPLE.NET
SSH public key fingerprint: SHA256:rBsQcIz3m/N2hT/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa),
SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa-sha2-nistp256),
SHA256:Kn9S3fpTLEOunJ1V5c6JPV7+ubheTBzbTw14louFOKQ root@samba.example.net (ssh-ed25519)
Password: False
Keytab: True
Managed by: samba.example.net
Let’s try to connect again:
[root@idm01 ~]# su - nesiuser01
Last login: Tue May 3 20:24:28 EDT 2022 on pts/1
[nesiuser01@example.net@idm01 ~]$ ssh -k samba-vpn
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue May 3 20:07:45 2022 from 192.168.0.11
[nesiuser01@samba ~]$
It is working now. Let's inspect the Kerberos tickets:
[nesiuser01@example.net@idm01 ~]$ klist
Ticket cache: KCM:1737800004
Default principal: nesiuser01@EXAMPLE.NET
Valid starting Expires Service principal
05/03/2022 20:07:42 05/04/2022 06:21:50 host/samba.example.net@EXAMPLE.NET
05/03/2022 06:21:53 05/04/2022 06:21:50 krbtgt/EXAMPLE.NET@EXAMPLE.NET
05/03/2022 06:22:08 05/04/2022 06:21:50 cifs/samba.example.net@EXAMPLE.NET
05/03/2022 20:27:08 05/04/2022 06:21:50 host/samba-vpn.example.net@EXAMPLE.NET
In the excerpt above, we can see that a service ticket for the new host principal alias (host/samba-vpn.example.net@EXAMPLE.NET) now sits in the cache next to the one for host/samba.example.net@EXAMPLE.NET. Because the alias belongs to the same IdM host entry, the KDC issues it with the same keys as the canonical principal, which is why the server's existing keytab works without being regenerated.
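A small verification helper, added here as an example and not part of the original post: it parses `ipa host-show` output to report which interface FQDNs still lack a host/ alias, and checks a `klist` dump for the matching service ticket. The sample outputs are constructed from the ones shown above; samba-mgmt.example.net is an assumed third interface that has not been added yet.

```python
import re

REALM = "EXAMPLE.NET"

# Constructed sample: `ipa host-show` output as printed after the alias was added;
# the fingerprint field wraps onto continuation lines, as the CLI prints it.
HOST_SHOW = """\
  Host name: samba.example.net
  Platform: x86_64
  Principal name: host/samba.example.net@EXAMPLE.NET
  Principal alias: host/samba.example.net@EXAMPLE.NET, host/samba-vpn.example.net@EXAMPLE.NET
  SSH public key fingerprint: SHA256:rBsQcIz3m/N2hT/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa),
                              SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa-sha2-nistp256)
  Keytab: True
"""

# Constructed sample: the user's `klist` output after the first successful login
# over the new interface.
KLIST = """\
Ticket cache: KCM:1737800004
Default principal: nesiuser01@EXAMPLE.NET
Valid starting       Expires              Service principal
05/03/2022 06:21:53  05/04/2022 06:21:50  krbtgt/EXAMPLE.NET@EXAMPLE.NET
05/03/2022 20:27:08  05/04/2022 06:21:50  host/samba-vpn.example.net@EXAMPLE.NET
"""

def parse_host_show(text):
    """Turn `ipa host-show` output into {field: value}; a line without a
    'Field name:' prefix is a continuation of the previous field."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif line and key:
            fields[key] += " " + line
    return fields

def missing_host_aliases(host_show_text, fqdns, realm=REALM):
    """FQDNs (one per interface) that still lack a host/<fqdn>@REALM alias."""
    fields = parse_host_show(host_show_text)
    aliases = {a.strip() for a in fields.get("Principal alias", "").split(",")}
    return [f for f in fqdns if f"host/{f}@{realm}" not in aliases]

def has_service_ticket(klist_text, fqdn, realm=REALM):
    """True if the cache holds a ticket for host/<fqdn>@REALM, which the KDC
    only issues once the alias exists on the host entry."""
    wanted = f"host/{fqdn}@{realm}"
    return any(line.split()[-1] == wanted for line in klist_text.splitlines() if line.strip())

if __name__ == "__main__":
    # samba-mgmt.example.net is an assumed, not-yet-added interface name.
    print(missing_host_aliases(HOST_SHOW, ["samba.example.net", "samba-vpn.example.net", "samba-mgmt.example.net"]))
```

Feed it the real command output (for example via subprocess) to confirm every interface name has its alias before testing ssh -k against it.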
If you have further questions or need assistance with implementing Kerberos Authentication in your environment, don’t hesitate to reach out to us. Our team at Insentra is here to support you in maximising the security and efficiency of your server infrastructure. Contact us today to elevate your server access security to the next level.