In the dynamic landscape of server configurations, ensuring seamless and secure connections is paramount. This blog post dives into the critical process of enabling Kerberos Authentication for multihomed servers. We’ll walk you through the steps required to add the principal that allows kerberized SSH sessions to the server, ensuring a robust and encrypted communication channel.<\/p>\n\n\n\n
If you enrolled your server to the idM domain, the host principal will be created automatically for the first interface. But what if you need to connect the server to another network and you would like to enable the kerberized connections? <\/p>\n\n\n\n
By default, this is how you would see the host on the idM:<\/p>\n\n\n\n
[root@idm01 ~]# ipa host-show samba \n
\n Host name: samba.example.net \n
\n Platform: x86_64 \n
\n Operating system: 4.18.0-348.23.1.el8_5.x86_64 \n
\n Principal name: host\/samba.example.net@EXAMPLE.NET \n
\n Principal alias: host\/samba.example.net@EXAMPLE.NET \n
\n SSH public key fingerprint: SHA256:rBsQcIz3m\/N2hT\/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa), \n
\n
SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa- \n
\n sha2-nistp256), SHA256:Kn9S3fpTLEOunJ1V5c6JPV7+ubheTBzbTw14louFOKQ root@samba.example.net \n
\n (ssh-ed25519) \n
\n Password: False \n
\n Keytab: True \n
\n Managed by: samba.example.net <\/code><\/pre>\n\n\n\nNote in the example above the Principal and the Principal alias. They have been automatically created during enrolment of the server to the idM. <\/p>\n\n\n\n
With the configuration presented above, the kerberized ssh connection should work without any issues:<\/p>\n\n\n\n
[nesiuser01@example.net@idm01 ~]$ klist \n
\nTicket cache: KCM:1737800004 \n
\nDefault principal: nesiuser01@EXAMPLE.NET \n
\n
\n
\nValid starting Expires Service principal \n
\n05\/03\/2022 06:21:53 05\/04\/2022 06:21:50 krbtgt\/EXAMPLE.NET@EXAMPLE.NET \n
\n05\/03\/2022 06:22:08 05\/04\/2022 06:21:50 cifs\/samba.example.net@EXAMPLE.NET \n
\n[nesiuser01@example.net@idm01 ~]$ ssh -k samba \n
\nRegister this system with Red Hat Insights: insights-client --register \n
\nCreate an account or view all your systems at https:\/\/red.ht\/insights-dashboard \n
\nActivate the web console with: systemctl enable --now cockpit.socket \n
\n
\n
\nLast login: Tue May 3 06:19:59 2022 \n
\n[nesiuser01@samba ~]$ <\/code><\/pre>\n\n\n\nLet\u2019s add to the configuration additional interface and see what happens. We are adding interface 192.168.1.26 and attempting to ssh with the kerberos ticket to that IP address. Obviously kerberos cannot obtain the ticket for the new interface. As the result, even if we have the kerberos ticket issued for the user, we cannot login as the interface is not knowns.<\/p>\n\n\n\n
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 \n
\n link\/ether fa:16:3e:98:c2:fa brd ff:ff:ff:ff:ff:ff \n
\n inet 192.168.1.26\/24 brd 192.168.1.255 scope global dynamic noprefixroute eth1 \n
\n valid_lft 86399sec preferred_lft 86399sec \n
\n inet6 fe80::a831:9304:4c63:865f\/64 scope link noprefixroute \n
\n valid_lft forever preferred_lft forever \n
\n[nesiuser01@samba ~]$ exit \n
\nlogout \n
\nConnection to samba closed. \n
\n[nesiuser01@example.net@idm01 ~]$ ssh -k 192.168.1.26 \n
\nThe authenticity of host '192.168.1.26 (<no hostip for proxy command>)' can't be established. \n
\nECDSA key fingerprint is SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE. \n
\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes \n
\nWarning: Permanently added '192.168.1.26' (ECDSA) to the list of known hosts. \n
\nPassword:<\/code><\/pre>\n\n\n\nLet\u2019s fix that one step at the time. <\/p>\n\n\n\n
\n- First, we need to add the new IP address to the DNS and create both A and PTR records: <\/li>\n<\/ul>\n\n\n\n
[root@idm01 ~]# kinit admin \n
\nPassword for admin@EXAMPLE.NET: \n
\n[root@idm01 ~]# ipa dnsrecord-add example.net samba-vpn --a-rec 192.168.1.26 --a-create-reverse \n
\n Record name: samba-vpn \n
\n A record: 192.168.1.26 <\/code><\/pre>\n\n\n\nLet\u2019s verify <\/p>\n\n\n\n
[root@idm01 ~]# ipa dnsrecord-show \n
\nRecord name: samba-vpn \n
\nZone name: example.net \n
\n Record name: samba-vpn \n
\n A record: 192.168.1.26 <\/code><\/pre>\n\n\n\nIs it enough to enable the kerberized ssh? Let\u2019s try: <\/p>\n\n\n\n
[root@idm01 ~]# su - nesiuser01 \n
\nLast login: Tue May 3 20:07:33 EDT 2022 on pts\/1 \n
\n[nesiuser01@example.net@idm01 ~]$ nslookup samba-vpn \n
\nServer:\t\t127.0.0.1 \n
\nAddress:\t127.0.0.1#53 \n
\n
\n
\nName:\tsamba-vpn.example.net \n
\nAddress: 192.168.1.26 \n
\n
\n
\n[nesiuser01@example.net@idm01 ~]$ ssh -k samba-vpn \n
\nThe authenticity of host 'samba-vpn (<no hostip for proxy command>)' can't be established. \n
\nECDSA key fingerprint is SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE. \n
\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes \n
\nWarning: Permanently added 'samba-vpn' (ECDSA) to the list of known hosts. \n
\nPassword: <\/code><\/pre>\n\n\n\nSeems it is not enough. We need to add host principal: <\/p>\n\n\n\n
[root@idm01 ~]# ipa host-add-principal samba.example.net 'host\/samba-vpn.example.net@EXAMPLE.NET' \n
\n---------------------------------------------------- \n
\nAdded new aliases to host \"samba.example.net\" \n
\n---------------------------------------------------- \n
\n Host name: samba.example.net \n
\n Principal alias: host\/samba.example.net@EXAMPLE.NET, host\/samba-vpn.example.net@EXAMPLE.NET \n
\n[root@idm01 ~]# ipa host-show samba.example.net \n
\n Host name: samba.example.net \n
\n Platform: x86_64 \n
\n Operating system: 4.18.0-348.23.1.el8_5.x86_64 \n
\n Principal name: host\/samba.example.net@EXAMPLE.NET \n
\n Principal alias: host\/samba.example.net@EXAMPLE.NET, host\/samba-vpn.example.net@EXAMPLE.NET \n
\n SSH public key fingerprint: SHA256:rBsQcIz3m\/N2hT\/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa), \n
\n
SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa- \n
\n sha2-nistp256), SHA256:Kn9S3fpTLEOunJ1V5c6JPV7+ubheTBzbTw14louFOKQ root@samba.example.net \n
\n (ssh-ed25519) \n
\n Password: False \n
\n Keytab: True \n
\n Managed by: samba.example.net <\/code><\/pre>\n\n\n\nLet\u2019s try to connect again: <\/p>\n\n\n\n
[root@idm01 ~]# su - nesiuser01 \n
\nLast login: Tue May 3 20:24:28 EDT 2022 on pts\/1 \n
\n[nesiuser01@example.net@idm01 ~]$ ssh -k samba-vpn \n
\nRegister this system with Red Hat Insights: insights-client --register \n
\nCreate an account or view all your systems at https:\/\/red.ht\/insights-dashboard \n
\nActivate the web console with: systemctl enable --now cockpit.socket \n
\n
\n
\nLast login: Tue May 3 20:07:45 2022 from 192.168.0.11 \n
\n[nesiuser01@samba ~]$ <\/code><\/pre>\n\n\n\nIt is working now. Let\u2019s investigate the kerberos tickets: <\/p>\n\n\n\n
[nesiuser01@example.net@idm01 ~]$ klist \n
\nTicket cache: KCM:1737800004 \n
\nDefault principal: nesiuser01@EXAMPLE.NET \n
\n
\n
\nValid starting Expires Service principal \n
\n05\/03\/2022 20:07:42 05\/04\/2022 06:21:50 host\/samba.example.net@EXAMPLE.NET \n
\n05\/03\/2022 06:21:53 05\/04\/2022 06:21:50 krbtgt\/EXAMPLE.NET@EXAMPLE.NET \n
\n05\/03\/2022 06:22:08 05\/04\/2022 06:21:50 cifs\/samba.example.net@EXAMPLE.NET \n
\n05\/03\/2022 20:27:08 05\/04\/2022 06:21:50 host\/samba-vpn.example.net@EXAMPLE.NET <\/code><\/pre>\n\n\n\nIn the excerpt above, we can see that a new host principal created for an additional interface is visible in the cache. <\/p>\n\n\n\n
If you have further questions or need assistance with implementing Kerberos Authentication in your environment, don’t hesitate to reach out to us. Our team at Insentra is here to support you in maximising the security and efficiency of your server infrastructure. Contact us<\/a> today to elevate your server access security to the next level. <\/p>\n\n\n\n