New Zealand | Enabling Kerberos Authentication for Multihomed servers

Sebastian Baszcyj - 07.09.2023

Enabling Kerberos Authentication for Multihomed servers


Kerberos is tied to names: a host principal is issued for the name a server was enrolled under, so a server that becomes reachable under a second name or address on another network needs extra work before Kerberized SSH works there. This post walks through the DNS records and the host principal alias that let Kerberized SSH sessions reach a multihomed, IdM-enrolled server on its second interface.

If you enrolled your server in the IdM domain, the host principal was created automatically for the name the host was enrolled under, which in practice is the name of its first interface. But what if you connect the server to another network and want Kerberized connections on that interface too?

By default, this is how the host looks in IdM:

[root@idm01 ~]# ipa host-show samba  
Host name: samba.example.net
Platform: x86_64
Operating system: 4.18.0-348.23.1.el8_5.x86_64
Principal name: host/samba.example.net@EXAMPLE.NET
Principal alias: host/samba.example.net@EXAMPLE.NET
SSH public key fingerprint: SHA256:rBsQcIz3m/N2hT/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa),

SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa-
sha2-nistp256), SHA256:Kn9S3fpTLEOunJ1V5c6JPV7+ubheTBzbTw14louFOKQ root@samba.example.net
(ssh-ed25519)
Password: False
Keytab: True
Managed by: samba.example.net

Note the Principal name and the Principal alias in the output above. They were created automatically when the server was enrolled in IdM.

With the configuration above, a Kerberized SSH connection to the enrolled name works without any issues. On RHEL the shipped ssh_config and sshd_config already enable GSSAPIAuthentication; note that OpenSSH's `-k` switch disables forwarding (delegation) of GSSAPI credentials to the server rather than enabling Kerberos, so the logins below behave the same with or without it:

[nesiuser01@example.net@idm01 ~]$ klist  
Ticket cache: KCM:1737800004
Default principal: nesiuser01@EXAMPLE.NET


Valid starting Expires Service principal
05/03/2022 06:21:53 05/04/2022 06:21:50 krbtgt/EXAMPLE.NET@EXAMPLE.NET
05/03/2022 06:22:08 05/04/2022 06:21:50 cifs/samba.example.net@EXAMPLE.NET
[nesiuser01@example.net@idm01 ~]$ ssh -k samba
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Activate the web console with: systemctl enable --now cockpit.socket


Last login: Tue May 3 06:19:59 2022
[nesiuser01@samba ~]$

Now let's add an additional interface to the server and see what happens. We add eth1 with the address 192.168.1.26 and try to ssh to that address while holding a Kerberos ticket. The ssh client asks the KDC for a service ticket for host/<name>, where <name> is derived from what we typed (or its reverse lookup), and no principal exists for 192.168.1.26, so the KDC cannot issue one. As a result, even though the user holds a valid TGT, GSSAPI authentication fails (ssh -v shows the attempt) and ssh falls back to a password prompt:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000  
link/ether fa:16:3e:98:c2:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.1.26/24 brd 192.168.1.255 scope global dynamic noprefixroute eth1
valid_lft 86399sec preferred_lft 86399sec
inet6 fe80::a831:9304:4c63:865f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[nesiuser01@samba ~]$ exit
logout
Connection to samba closed.
[nesiuser01@example.net@idm01 ~]$ ssh -k 192.168.1.26
The authenticity of host '192.168.1.26 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.26' (ECDSA) to the list of known hosts.
Password:

Let's fix that one step at a time. (When ssh reports an unknown host key, as above, check the fingerprint before answering yes: the ECDSA fingerprint SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE is the one IdM recorded for samba.example.net, so the new address really is the same machine.)

  • First, we need to add the new IP address to DNS with both A and PTR records. `--a-create-reverse` creates the PTR record in the matching reverse zone, which must already exist in IdM:
[root@idm01 ~]# kinit admin  
Password for admin@EXAMPLE.NET:
[root@idm01 ~]# ipa dnsrecord-add example.net samba-vpn --a-rec 192.168.1.26 --a-create-reverse
Record name: samba-vpn
A record: 192.168.1.26

Let's verify (`ipa dnsrecord-show` prompts for the zone and record name when they are not given on the command line):

[root@idm01 ~]# ipa dnsrecord-show  
Record name: samba-vpn
Zone name: example.net
Record name: samba-vpn
A record: 192.168.1.26

Is that enough to enable Kerberized SSH? Let's try:

[root@idm01 ~]# su - nesiuser01
Last login: Tue May 3 20:07:33 EDT 2022 on pts/1
[nesiuser01@example.net@idm01 ~]$ nslookup samba-vpn
Server: 127.0.0.1
Address: 127.0.0.1#53


Name: samba-vpn.example.net
Address: 192.168.1.26


[nesiuser01@example.net@idm01 ~]$ ssh -k samba-vpn
The authenticity of host 'samba-vpn (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'samba-vpn' (ECDSA) to the list of known hosts.
Password:

It is not enough: ssh now asks the KDC for host/samba-vpn.example.net@EXAMPLE.NET, and no such principal exists. Rather than enrolling a second host, we add that name as a principal alias of the existing host entry:

[root@idm01 ~]# ipa host-add-principal samba.example.net 'host/samba-vpn.example.net@EXAMPLE.NET'  
----------------------------------------------------
Added new aliases to host "samba.example.net"
----------------------------------------------------
Host name: samba.example.net
Principal alias: host/samba.example.net@EXAMPLE.NET, host/samba-vpn.example.net@EXAMPLE.NET
[root@idm01 ~]# ipa host-show samba.example.net
Host name: samba.example.net
Platform: x86_64
Operating system: 4.18.0-348.23.1.el8_5.x86_64
Principal name: host/samba.example.net@EXAMPLE.NET
Principal alias: host/samba.example.net@EXAMPLE.NET, host/samba-vpn.example.net@EXAMPLE.NET
SSH public key fingerprint: SHA256:rBsQcIz3m/N2hT/MeHZWi9NNyp9qYGM8B4TB4eu8LGg root@samba.example.net (ssh-rsa),

SHA256:5x44Ls1OPHm6WqniXwwu28lZ197yBRjdxz4soAnKUfE root@samba.example.net (ecdsa-
sha2-nistp256), SHA256:Kn9S3fpTLEOunJ1V5c6JPV7+ubheTBzbTw14louFOKQ root@samba.example.net
(ssh-ed25519)
Password: False
Keytab: True
Managed by: samba.example.net

Let’s try to connect again:  

[root@idm01 ~]# su - nesiuser01  
Last login: Tue May 3 20:24:28 EDT 2022 on pts/1
[nesiuser01@example.net@idm01 ~]$ ssh -k samba-vpn
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Activate the web console with: systemctl enable --now cockpit.socket


Last login: Tue May 3 20:07:45 2022 from 192.168.0.11
[nesiuser01@samba ~]$

It is working now. Let's look at the Kerberos tickets:

[nesiuser01@example.net@idm01 ~]$ klist  
Ticket cache: KCM:1737800004
Default principal: nesiuser01@EXAMPLE.NET


Valid starting Expires Service principal
05/03/2022 20:07:42 05/04/2022 06:21:50 host/samba.example.net@EXAMPLE.NET
05/03/2022 06:21:53 05/04/2022 06:21:50 krbtgt/EXAMPLE.NET@EXAMPLE.NET
05/03/2022 06:22:08 05/04/2022 06:21:50 cifs/samba.example.net@EXAMPLE.NET
05/03/2022 20:27:08 05/04/2022 06:21:50 host/samba-vpn.example.net@EXAMPLE.NET

The cache now holds a service ticket for host/samba-vpn.example.net, the alias we just added, alongside the one for host/samba.example.net. Nothing was changed on the server itself: in IdM a principal alias shares the Kerberos key of the host entry it belongs to, so the existing /etc/krb5.keytab on samba already decrypts tickets issued for the alias and no new keytab had to be fetched. The flip side is that whoever can add principal aliases to a host can make that host accept tickets for another name, so treat that privilege as carefully as write access to DNS.
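The whole procedure collected into a script, as an added example that is not from the original post: it wraps the `ipa dnsrecord-add` and `ipa host-add-principal` calls shown above, validates the address first, and finishes by asking the KDC for a ticket for the new alias with `kvno` (from krb5-workstation), which is the quickest way to see whether the KDC knows the name before involving ssh. The zone example.net and realm EXAMPLE.NET are taken from the post; the function names, the DRY_RUN switch and the `ptr_name` helper are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: register a second name for an
# IdM-enrolled host so Kerberized SSH works on that interface.
# Run on an IdM server (or any host with the ipa client tools) after `kinit admin`.
# Assumptions: zone example.net and realm EXAMPLE.NET as in the post; everything
# else is passed in. Set DRY_RUN=1 to print the ipa/kvno commands instead of running them.
set -eu

ZONE="${ZONE:-example.net}"
REALM="${REALM:-EXAMPLE.NET}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# host_principal SHORTNAME: the host principal the KDC will be asked for,
# e.g. samba-vpn -> host/samba-vpn.example.net@EXAMPLE.NET
host_principal() {
    printf 'host/%s.%s@%s\n' "$1" "$ZONE" "$REALM"
}

# ptr_name ADDR: the reverse record that --a-create-reverse has to land on,
# e.g. 192.168.1.26 -> 26.1.168.192.in-addr.arpa.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# run CMD...: execute the command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# add_interface HOST_FQDN SHORTNAME ADDR: the steps from the post, in order.
add_interface() {
    host=$1 short=$2 addr=$3
    valid_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }
    princ=$(host_principal "$short")

    # 1. Forward and reverse DNS. The PTR goes into the reverse zone for the
    #    address (see ptr_name); that zone must already exist in IdM.
    echo "adding $short.$ZONE -> $addr and $(ptr_name "$addr")"
    run ipa dnsrecord-add "$ZONE" "$short" --a-rec "$addr" --a-create-reverse

    # 2. Make the new name an alias of the existing host principal. The alias
    #    shares the host's key, so the server's keytab needs no change.
    run ipa host-add-principal "$host" "$princ"

    # 3. Check from the KDC side: kvno requests a service ticket for the alias
    #    with the caller's TGT; if this fails, ssh will fall back to password.
    run kvno "$princ"
}

# Usage, e.g.:  add_interface samba.example.net samba-vpn 192.168.1.26
```

Source the file and call `add_interface` with the enrolled FQDN, the short name of the new record and its address; run it once with DRY_RUN=1 to see the exact commands, then for real with an admin ticket. Remember that `kvno` needs a ticket in the cache (kinit as any user), and that on the server side nothing has to be restarted.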

If you have further questions or need assistance with implementing Kerberos Authentication in your environment, don’t hesitate to reach out to us. Our team at Insentra is here to support you in maximising the security and efficiency of your server infrastructure. Contact us today to elevate your server access security to the next level. 
