{"id":14039,"date":"2022-09-09T03:47:48","date_gmt":"2022-09-09T03:47:48","guid":{"rendered":"https:\/\/www.insentragroup.com\/gb\/?p=14039"},"modified":"2024-12-13T02:20:51","modified_gmt":"2024-12-13T02:20:51","slug":"using-kerberos-sso-for-ssh-in-idm-with-ad-trust","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/modern-workplace\/using-kerberos-sso-for-ssh-in-idm-with-ad-trust\/","title":{"rendered":"Using Kerberos SSO for SSH in IdM with AD Trust"},"content":{"rendered":"\n<p>What a tongue-twister that title is. Now that we&#8217;ve gotten that out of the way, let&#8217;s move on to the more exciting stuff: how to use Kerberos SSO for SSH authentication in an IdM domain with AD Trust (a follow-on from <a href=\"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/modern-workplace\/how-to-configure-ansible-automation-saml-sso-with-red-hat-sso\/\">How to configure Ansible Automation SAML SSO with Red Hat SSO<\/a>).<\/p>\n\n\n\n<p>Diving straight in, an SSH connection to remote servers without a password is a useful function for interactive users and is often necessary for automated activities.<\/p>\n\n\n\n<p>In this article I am going to run through enabling GSSAPI (Generic Security Services Application Programming Interface) authentication, which is one of several options available. The concept is that you authenticate on the client, which is usually your computer, and then SSH (or SFTP, SCP, SMB mount or any GSSAPI-enabled service) sends your credentials to the remote system, where they are validated and then used to log you in. 
Depending on the software, there are two places where it must be enabled in a client program: 1) command-line options and configuration file settings, and 2) preference menu settings.<\/p>\n\n\n\n<p>The following procedures describe the configuration required to enable GSSAPI authentication:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Kerberos Authentication from the Linux Command Line<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Modify the SSH client configuration in \/etc\/ssh\/ssh_config to enable GSSAPI authentication and credential delegation:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Log in to the machine as a given user to obtain the Kerberos ticket.<\/li><li>Verify the Kerberos ticket:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;testuser@archivemigrations.org@ssodb04 ~]$ klist\nTicket cache: KCM:794602128:21655\nDefault principal: testuser@ARCHIVEMIGRATIONS.ORG\n\nValid starting     Expires            Service principal\n05\/04\/22 10:08:44  05\/04\/22 20:08:34  krbtgt\/EXAMPLE.NET@ARCHIVEMIGRATIONS.ORG\n\trenew until 06\/04\/22 10:08:34\n05\/04\/22 10:08:34  05\/04\/22 20:08:34  krbtgt\/ARCHIVEMIGRATIONS.ORG@ARCHIVEMIGRATIONS.ORG\n\trenew until 06\/04\/22 10:08:34\n05\/04\/22 10:08:44  05\/04\/22 20:08:34  host\/ssodb03.example.net@EXAMPLE.NET\n\trenew until 06\/04\/22 10:08:34\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Log in to another host using ssh -K:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;testuser@archivemigrations.org@ssodb04 ~]$ ssh -K ssodb03\nLast login: Mon Apr  4 20:08:44 2022 from 172.16.156.160\n&#91;testuser@archivemigrations.org@ssodb03 ~]$ \n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Using PuTTY for Kerberos Authentication<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Log in to a Windows machine using your credentials.<\/li><li>Open PuTTY and navigate to Connection \u2192 SSH \u2192 Auth \u2192 GSSAPI 
and configure GSSAPI (as indicated below):<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"624\" height=\"611\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-10.png\" alt=\"\" class=\"wp-image-14040\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-10.png 624w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-10-300x294.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Navigate to Connection \u2192 Data and select &#8216;Use system username&#8217;:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"627\" height=\"612\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-11.png\" alt=\"\" class=\"wp-image-14041\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-11.png 627w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-11-300x293.png 300w\" sizes=\"(max-width: 627px) 100vw, 627px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Navigate to Session and specify the server to connect to. 
Save the session:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"622\" height=\"612\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-12.png\" alt=\"\" class=\"wp-image-14042\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-12.png 622w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-12-300x295.png 300w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Click Open and enjoy the SSO.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Using MobaXterm for Kerberos Authentication<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Ensure you are using the latest version of MobaXterm.<\/li><li>Open MobaXterm and navigate to Settings \u2192 Configuration.<\/li><li>Select the SSH tab and configure the settings as indicated below. Ensure you enter the domain you are going to use:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"476\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-13.png\" alt=\"\" class=\"wp-image-14043\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-13.png 618w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-13-300x231.png 300w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Click OK.<\/li><li>Create a new connection and configure it as indicated below. Ensure \u2018Specify username\u2019 is set to default. 
This indicates the system username (the username you used to log in to the workstation) is going to be used:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"408\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-14.png\" alt=\"\" class=\"wp-image-14044\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-14.png 621w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2022\/09\/image-14-300x197.png 300w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Click OK and connect.<\/li><\/ul>\n\n\n\n<p>Well, this brings us to the end of my brief guide on configuring Kerberos SSO for SSH authentication in Red Hat\u2019s Identity Management with AD Trust. In my next article I\u2019ll be discussing Kerberos authentication for multihomed servers (so stay tuned!).<\/p>\n\n\n\n<p>As always, if you have any feedback or questions, we\u2019d love to hear from you, or if you\u2019re interested in learning more about <a href=\"https:\/\/www.insentragroup.com\/gb\/services\/professional-services\/\">Red Hat Identity Management<\/a> we\u2019d be more than happy to have a chat with you.<\/p>\n\n\n\n<style>\nbody .wp-block-code>code {\n    color: #000;\n    background: #ddd;\n}\n<\/style>\n","protected":false},"excerpt":{"rendered":"<p>The essential guide to using Kerberos SSO for SSH Authentication in IdM Domain with AD 
Trust.<\/p>\n","protected":false},"author":67,"featured_media":14045,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-14039","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/14039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/users\/67"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/comments?post=14039"}],"version-history":[{"count":5,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/14039\/revisions"}],"predecessor-version":[{"id":14076,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/14039\/revisions\/14076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media\/14045"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media?parent=14039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/categories?post=14039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/tags?post=14039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}