


Kerberos Linux Authentication with SSH

Likewise Automates Configuration of OpenSSH for Single Sign-On

Likewise Open and Likewise Enterprise include a next-generation authentication engine for Linux computers. Known as the Likewise Identity Service, or LWIS, it gives computers advanced capabilities for Kerberos authentication, including automatically configuring OpenSSH for Kerberos Linux single sign-on.

Although Likewise automatically configures OpenSSH to support SSO through Kerberos using GSSAPI, it is worthwhile to review how Likewise does so. Since you might need to configure other applications for SSO, understanding the SSO configuration process will make it easier to apply Linux Kerberos SSO to other applications.

Note: Not all versions of OpenSSH support Kerberos. Versions older than 4.2p1 might not work or might work improperly.

The SSH Service Principal Name

The first thing to consider is the Kerberos service principal name (SPN) used by ssh and sshd. The SPN is a string that identifies the service for which an authentication ticket is to be generated. In the case of SSH, the SPN has the form:

host/<servername>@<REALMNAME>

For example, when a user uses ssh to connect to a Linux computer named fozzie.mycorp.com, the ssh program requests a service ticket for the SPN:

host/fozzie.mycorp.com@MYCORP.COM

Note: The Kerberos realm is the computer's domain name in uppercase letters.

System Keytab Generation

In order for Microsoft Active Directory to generate a Kerberos ticket for this SPN, a service account must exist for it. Additionally, a keytab must be created for the service account and placed on the sshd server. Likewise completely automates this operation. When a Linux or Unix computer is joined to AD, a machine account is created for the computer. If the Unix or Linux computer is called fozzie, a machine account called fozzie$ is created in AD. Likewise then automatically creates a keytab for the SPN and places it in the standard system location (typically /etc/krb5.keytab). Likewise includes a tool, lwinet, that can be used to generate additional keytab entries for other services.

User Keytab Generation

When the user runs the ssh program and OpenSSH determines that it will use Kerberos authentication, it needs access to a keytab for the user so that it can obtain a service ticket for the service and computer to which it is trying to connect. This keytab must be created using the user's account name and password. Manually, this can be done with the Linux/UNIX kinit utility. Likewise, however, does it automatically when the user logs on to the Linux computer. On most systems, the user keytab is placed in the /tmp directory and named krb5cc_UID, where UID is the numeric user ID assigned by the system.

Configuring OpenSSH

Likewise automatically configures OpenSSH on both the client and the server computer. On the client, the ssh_config file (typically /etc/ssh/ssh_config) is modified. On the server, sshd_config (typically /etc/ssh/sshd_config) is modified. Likewise adds the following lines to the appropriate files if they are not already present and if they are required by the system's version of sshd:

On the server, the following lines must be present in sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On the client, the following line must be present in ssh_config:
GSSAPIAuthentication yes

On the client, GSSAPIDelegateCredentials yes is an optional setting that instructs the ssh client to delegate (forward) the user's Kerberos TGT to the destination Linux machine when SSH single sign-on is used, so that the destination machine can obtain further service tickets on the user's behalf.

In addition, if any of the following options are valid for the system's version of sshd, they are required and configured by Likewise:
ChallengeResponseAuthentication yes
UsePAM yes
PAMAuthenticationViaKBDInt yes
KbdInteractiveAuthentication yes

Setting these options to yes instructs SSH to use the keyboard-interactive ssh authentication mechanism and allows that mechanism to use PAM, settings that are required for Likewise to function properly.

For more information, see the man pages for ssh, sshd, and the comments in the ssh and sshd configuration files.
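The pieces described above (the host SPN, the host entry in the system keytab, and the sshd_config directives) can be checked on a host with a short script. The script below is an added example, not Likewise's own tooling: its function names are assumed, the sample sshd_config and the sample klist -k listing are constructed for illustration, and the directive list is narrowed to the four that current OpenSSH versions accept (Match blocks are not modelled).

```shell
# Added example: derive the SSH SPN and audit sshd_config / keytab contents.
# Helper names are assumed; sample data below is constructed, not captured.

# host/<servername>@<REALM>; the realm is the host's DNS domain in upper case.
ssh_spn() {
    fqdn=$1
    realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Print the directives that are absent or not set to "yes" in an sshd_config.
# As sshd does, match keywords case-insensitively and let the first
# occurrence win; commented lines are skipped.
sshd_missing_directives() {
    missing=""
    for key in GSSAPIAuthentication GSSAPICleanupCredentials UsePAM \
               KbdInteractiveAuthentication; do
        value=$(awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
        case "$value" in
            [Yy][Ee][Ss]) ;;
            *) missing="$missing $key" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Return 0 when a `klist -k` listing (passed as text) contains the SPN, else 1.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '$2==spn {found=1} END {exit !found}'
}

# Constructed sample sshd_config: GSSAPI auth disabled, cleanup directive absent.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# GSSAPIAuthentication yes   (commented out, must not count)
GSSAPIAuthentication no
UsePAM yes
KbdInteractiveAuthentication yes
EOF
# Constructed sample `klist -k` output for the host fozzie.mycorp.com.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/fozzie.mycorp.com@MYCORP.COM
   2 FOZZIE$@MYCORP.COM'

spn=$(ssh_spn fozzie.mycorp.com)
echo "SPN: $spn"
echo "Missing in sshd_config: $(sshd_missing_directives "$SAMPLE_CONFIG")"
keytab_has_spn "$SAMPLE_KLIST" "$spn" && echo "keytab has $spn"
```

On a real host, replace the constructed data with /etc/ssh/sshd_config and the output of `klist -k /etc/krb5.keytab`.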

Testing SSO

With OpenSSH properly configured, demonstrating SSO support is simple. Log on to a Linux or Unix machine (that is running Likewise) using Active Directory credentials and then use ssh to connect to another machine (also running Likewise). OpenSSH should establish a connection without prompting for a username or password.
