
How to authenticate the user through a jump server using X509v3 certificate authentication, and then how to connect from the jump host to the final destination machine using Kerberos authentication.

How to configure this kind of setup when we are switching authentication methods in the middle?

asked Feb 01 '12 at 10:35


SSH KB ♦


Tectia client/server solution supports authentication to a Kerberos realm when using the authentication agent (aka agent forwarding, private keys stored on the local host). The setup makes it possible to log in to a Kerberos realm from an intermediate Tectia client/server host during a Secure Shell session.

Tectia Server's Administrator Manual has instructions regarding the setup here: Forwarding User Authentication to a Kerberos Realm

Additional clarifications to the setup can be found below.

A picture of the setup and its required components (image not reproduced here).

We will have 3 different machines that we will need to configure here. The key provider socket is set up by default when you have Tectia Client and Tectia Server components installed on that intermediate host and when the agent forwarding has been enabled.

Configuration items (3x) are as follows:


1) Tectia Client configuration on the client machine (end user machine)

Enable public key authentication for X509v3, and check that Tectia Client can find your keys/certificates, and that agent forwarding has been enabled.




2) X509v3 + Kerberos configuration (intermediate machine)

A) Tectia Server configuration (intermediate machine)

  • You will need Tectia Server AND Tectia Client components on that intermediate machine

  • Agent forwarding must be enabled and the user must be authenticated using X509v3 certificate authentication.

  • An example /etc/ssh2/ssh-server-config.xml configuration file can be found below. Please modify this example configuration file according to the settings in your environment (you will need to modify the X509v3 related settings).

  • Configure a kinit script that will be run automatically upon user login:

User specific:

     $HOME/.ssh2/rc:
           /usr/kerberos/bin/kinit -f unix_domain_user3@TESTING.SSH.COM

System wide:

      If $HOME/.ssh2/rc is not available, /etc/ssh2/sshrc will be used instead.  This could be leveraged here with the following:

      if test -n "$SSH_AA_SOCK"; then
          kinit $LOGNAME@DOMAIN.COM < /dev/null
      fi

Tectia Server's configuration file would look like this:

++++++ /etc/ssh2/ssh-server-config.xml ++++++

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM
"/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [
<!ENTITY configdir PUBLIC "secsh:directory(config-server)" "">
]>

<secsh-server>

<params>
<crypto-lib mode="standard" />

<!-- Replace the value of xauth-path with the path to the xauth 
     binary on your host. -->
<!-- <settings xauth-path="/usr/X11R6/bin/xauth" /> -->

<settings
     windows-logon-type="interactive"
     resolve-client-hostname="no"
     />

<hostkey>
   <private file="&configdir;/hostkey" />
</hostkey>

<listener id="default" port="22" />
<logging>
    <log-events facility="auth" severity="informational">
        Auth_method_success Auth_method_failure Auth_methods_completed
        Auth_methods_available Hostbased_auth_warning
        Publickey_auth_warning Publickey_auth_success GSSAPI_auth_warning
        Keyboard_interactive_pam_auth_warning
        Keyboard_interactive_radius_auth_warning
        Keyboard_interactive_password_auth_warning
        Keyboard_interactive_securid_auth_warning
        GSSAPI_auth_success
        Keyboard_interactive_pam_auth_success
        Keyboard_interactive_radius_auth_success
        Keyboard_interactive_password_auth_success
        Keyboard_interactive_securid_auth_success
    </log-events>
    <log-events facility="auth" severity="warning">
        Hostbased_auth_error Publickey_auth_error GSSAPI_auth_error
        Keyboard_interactive_pam_auth_error
        Keyboard_interactive_radius_auth_error
        Keyboard_interactive_password_auth_error
        Keyboard_interactive_securid_auth_error
    </log-events>
    <log-events facility="daemon" severity="error">
        Server_start_failed
    </log-events>
    <log-events facility="daemon" severity="notice">
        Server_listener_failed Server_listener_started
        Server_listener_stopped Server_reconfig_finished
        Server_reconfig_started Server_stopping Server_running
        Server_starting
    </log-events>
    <log-events facility="daemon" severity="warning">
    Servant_exited Servant_error
    </log-events>
    <log-events facility="normal" severity="informational">
        Algorithm_negotiation_success Certificate_validation_success
        Certificate_validation_failure Key_store_create
        Key_store_destroy Key_store_add_provider Key_store_decrypt
        Key_store_sign Key_store_sign_digest Logout Disconnect
        Channel_open_failure Session_channel_open
        Session_channel_close Forwarding_channel_open
        Forwarding_channel_close
        Forwarding_listener_open Forwarding_listener_close
        Auth_listener_open Auth_listener_close Auth_channel_open
        Auth_channel_close
    </log-events>
    <log-events facility="normal" severity="security-failure">
        Connection_denied Login_failure
    </log-events>
    <log-events facility="normal" severity="security-success">
        Connect Login_success
    </log-events>
    <log-events facility="normal" severity="warning">
        Algorithm_negotiation_failure KEX_failure
        Key_store_create_failed Key_store_add_provider_failed
        Key_store_decrypt_failed Key_store_sign_failed
        Key_store_sign_digest_failed
    </log-events>
</logging>

<limits max-connections="256" max-processes="40" />

<!-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
<!-- MODIFY CA CERTIFICATE INFORMATION BELOW IN THIS X509V3 CONFIGURATION EXAMPLE. -->
<!-- REMEMBER TO SET DISABLE-CRLS TO "NO" WHEN TAKING THE CONFIGURATION INTO USE -->
<!-- IN PRODUCTION ENVIRONMENTS                                                 -->
<!-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
<cert-validation>
    <ca-certificate name="myca" disable-crls="yes" file="/etc/ssh2/Root_CA.crt" />
</cert-validation>

<!-- Change pam-calls-with-commands to "yes" to enable PAM account
 management, session and credential setting calls for
 connections regardless of authentication method. -->

<pluggable-authentication-modules service-name="ssh-server-g3"
                                  pam-calls-with-commands="no" />

</params>

  <!-- Some of the ciphers, macs, or authentication methods might be
       missing depending on your architecture. -->

<connections>

<connection name="connection" action="allow" tcp-keepalive="no">

  <!-- Rekey happens every hour or after 1GB of data, which ever is
       sooner. -->
  <rekey seconds="3600" bytes="1000000000" />

  <cipher name="aes128-cbc" />
  <cipher name="aes192-cbc" />
  <cipher name="aes256-cbc" />

  <!-- AES in SDCTR mode is not available if the crypto-lib mode
       attribute is set to FIPS. -->

  <cipher name="aes128-ctr" />
  <cipher name="aes192-ctr" />
  <cipher name="aes256-ctr" />
  <cipher name="3des-cbc" />

  <!-- The following ciphers are not available if the crypto-lib mode
       attribute is set to FIPS. -->
   <cipher name="seed-cbc@ssh.com" />

  <!-- The following cipher is only available on Windows and Linux 
       x86 platforms. -->
   <cipher name="crypticore128@ssh.com" allow-missing="yes" />

    <mac name="hmac-sha1" />
    <!-- The following MACs are not available if the crypto-lib mode
         attribute is set to FIPS. -->
    <mac name="hmac-md5" />

    <!-- The following mac is only available on Windows and Linux 
        x86 platforms. -->
    <mac name="crypticore-mac@ssh.com" allow-missing="yes" />

    <!-- The following two (group) KEX methods are not
        available if the crypto-lib mode attribute is set to FIPS. -->
    <kex name="diffie-hellman-group15-sha256@ssh.com" />
    <kex name="diffie-hellman-group15-sha384@ssh.com" />
</connection>

</connections>

<!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
<!-- MODIFY USER AUTHENTICATION/CERTIFICATE FIELD CHECKING INFORMATION BELOW IN THIS -->
<!-- X509V3 CONFIGURATION   -->
<!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->

<authentication-methods>
<authentication action="allow">
    <auth-publickey />
    <authentication action="allow">
        <selector>
            <certificate field="subject-name" pattern="C=US, ST=MA, L=Boston, O=Tectia, OU=Sales-Test, CN=%username%, MAILTO=%username%@tectia.com" />
        </selector>
    </authentication>
<authentication action="deny" />
</authentication>
</authentication-methods>

<services>

  <!-- This following passwd-change group and rule are added to the
     initial configuration ONLY IF no configuration file is present.
     This default policy will be overridden if a configuration file
     is found, in which case in order to have a policy for enforced
     password changing, you will need to add a similar policy to
     your configuration file. -->

  <group name="passwd-change">
    <selector>
        <user-password-change-needed />
    </selector>
  </group>

  <!-- This rule is used to force password change. -->
  <rule group="passwd-change">
    <terminal action="deny" />
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command application="/usr/bin/passwd" action="forced" />
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  <!-- Enforced password change rule ends. -->

  <!-- By default, idle timeouts are disabled. -->
  <rule idle-timeout="0">
    <environment allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*" />
    <terminal action="allow" />
    <subsystem type="sftp" application="sft-server-g3" action="allow">
        <!-- Home folder and virtual folders, Windows specific. -->
        <attribute name="home" value="%USERPROFILE%" />
        <!-- These implicit default virtual folders are only set if no
             virtual folders are set in the configuration. If you set
             ANY virtual folders, none of the following will be set. -->
        <attribute name="virtual-folder" value="C=C:\" />
        <attribute name="virtual-folder" value="D=D:\" />
        <attribute name="virtual-folder" value="E=E:\" />
        <!-- ... all available drives. -->
    </subsystem>

    <command action="allow" />

    <!-- All tunnel types are distinct and independent of each
         other. -->

<!-- Agent forwarding is enabled for all users now -->
    <tunnel-agent action="allow" />
    <tunnel-x11 action="allow" />
    <tunnel-local action="allow" />
    <tunnel-remote action="allow" />

  </rule>

</services>

</secsh-server>

B) Tectia Client configuration (intermediate machine)

The Tectia Client component on that intermediate machine is then used to open the secondary connection to the destination server machine. You can find a complete $HOME/.ssh2/ssh-broker-config.xml (or system wide location /etc/ssh2/ssh-broker-config.xml) file below:

+++++ $HOME/.ssh2/ssh-broker-config.xml (or /etc/ssh2/ssh-broker-config.xml) +++++

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM "ssh-broker-ng-config-1.dtd">
<secsh-broker version="1.0">

<default-settings>
<ciphers>
  <cipher name="crypticore128@ssh.com" />
  <cipher name="aes128-cbc" />
  <cipher name="aes192-cbc" />
  <cipher name="aes256-cbc" />
  <cipher name="aes128-ctr" />
  <cipher name="aes192-ctr" />
  <cipher name="aes256-ctr" />
  <cipher name="3des-cbc" />
  <cipher name="seed-cbc@ssh.com" />
 </ciphers>

 <macs>
  <mac name="crypticore-mac@ssh.com" />
  <mac name="hmac-md5" />
  <mac name="hmac-sha1" />
  <mac name="hmac-sha256-2@ssh.com" />
  <mac name="hmac-sha512@ssh.com" />
  <mac name="hmac-sha384@ssh.com" />
  <mac name="hmac-sha224@ssh.com" />
  <!-- Backwards compatible to 4.x (uses 16-byte key). -->
  <mac name="hmac-sha256@ssh.com" />
 </macs>

 <transport-distribution num-transports="3" />

 <rekey bytes="1000000000" />

 <authentication-methods>
    <auth-gssapi />
    <auth-publickey />
    <auth-keyboard-interactive />
    <auth-password />
 </authentication-methods>

 <idle-timeout type="connection" time="5" />

 <server-banners visible="yes" />

 <forwards>
  <forward type="x11" state="off" />
  <forward type="agent" state="on" />
 </forwards>

<authentication-success-message enable="yes"/>
<sftpg3-mode compatibility-mode="tectia"/>
</default-settings>

<gui hide-tray-icon="no"
   show-exit-button="yes"
   show-admin="yes"
   enable-connector="yes"
   show-security-notification="yes" />

</secsh-broker>

C) The supplied krb5.conf is for the Tectia Server (intermediate) machine:

[realms]
    DOMAIN.COM = {
        kdc = ad.domain.com:88
        kpasswd_server = ad.domain.com:464
        pkinit_kdc_hostname = ad.domain.com
        pkinit_identities = PKCS11:/opt/tectia/lib/sshack.so
        pkinit_anchors = FILE:/etc/krb5/ca.crt
        pkinit_win2k = true
        pkinit_eku_checking = kpServerAuth
        pkinit_cert_match = <SAN>.*@DOMAIN.COM
        forwardable = true
        forward = true
    }


3) Tectia Server's configuration (final destination machine, using Kerberos)

Configure Tectia Server (or your SSH server) to allow end users to be authenticated using the GSSAPI/Kerberos authentication method. You can find instructions about the GSSAPI/Kerberos configuration for Tectia Server here: User authentication using GSSAPI/Kerberos, Tectia Server configuration

In brief, in the ssh-server-config.xml file you just need to enable GSSAPI:

<authentication-methods>
<authentication action="allow">
<auth-gssapi dll-path="path-to-gssapi-dll" />
...
</authentication>
</authentication-methods>


Hopefully this helps!

-- SamiM


answered Feb 01 '12 at 11:37


Sami Marttinen ♦

edited Feb 02 '12 at 14:26

How do I do the same into Windows Kerberos realm? Windows domain?

(Feb 01 '12 at 18:29) Martin Dobsik ♦
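As an added check that is not part of the original answer and not Tectia's own tooling: a small Python script that parses a Tectia ssh-server-config.xml and flags the settings the jump-host (intermediate machine) setup above depends on, including the disable-crls="yes" that the sample file's own comment says to change to "no" before production use. The element and attribute names are taken from the configuration shown in the answer; the strip_doctype helper, the rule set and the trimmed sample file are this example's own assumptions.

```python
"""Check a Tectia ssh-server-config.xml for the settings the X509v3 jump-host
setup depends on.  Added example, not Tectia's own tooling: element and
attribute names come from the configuration in the answer, the rules are
this script's own."""
import re
import xml.etree.ElementTree as ET


def strip_doctype(text):
    """Drop the DOCTYPE (including an internal subset such as the &configdir;
    entity declaration) and expand &configdir; to a literal path, so that
    ElementTree can parse the file offline without the Tectia DTD.
    Assumption: &configdir; is the only custom entity in use."""
    text = re.sub(r"<!DOCTYPE(?:[^>\[]*>|[^\[]*\[[^\]]*\]\s*>)", "", text,
                  count=1, flags=re.S)
    return text.replace("&configdir;", "/etc/ssh2")


def check_server_config(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(strip_doctype(xml_text))
    findings = []

    # CRL checking: the sample config ships with disable-crls="yes" for
    # testing, and its comment says to set it to "no" in production.
    cas = root.findall("./params/cert-validation/ca-certificate")
    if not cas:
        findings.append("no ca-certificate: user certificates cannot be validated")
    for ca in cas:
        if ca.get("disable-crls", "no").lower() == "yes":
            findings.append(f"ca-certificate {ca.get('name')!r}: disable-crls=yes, "
                            "revoked user certificates would still be accepted")

    # Certificate (public-key) authentication must be offered by the jump host,
    # tied to the login user name by a selector, with a final deny fallback.
    methods = root.find("authentication-methods")
    if methods is None or methods.find(".//auth-publickey") is None:
        findings.append("auth-publickey missing: X509v3 login to the jump host "
                        "is not possible")
    else:
        if methods.find(".//selector/certificate") is None:
            findings.append("no certificate selector: certificate fields are not "
                            "matched against the login user name")
        if not methods.findall(".//authentication[@action='deny']"):
            findings.append('no final <authentication action="deny"/>: users whose '
                            "certificate matches no selector are not explicitly rejected")

    # kinit on the jump host uses the forwarded agent socket (SSH_AA_SOCK),
    # so the services rule must allow tunnel-agent.
    if not root.findall("./services/rule/tunnel-agent[@action='allow']"):
        findings.append("tunnel-agent not allowed: SSH_AA_SOCK will not exist on "
                        "the jump host, so kinit cannot use the user's key")
    return findings


# Constructed sample, trimmed from the structure of the answer's config file.
SAMPLE_TESTING = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM
"/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [
<!ENTITY configdir PUBLIC "secsh:directory(config-server)" "">
]>
<secsh-server>
<params>
<hostkey><private file="&configdir;/hostkey" /></hostkey>
<cert-validation>
    <ca-certificate name="myca" disable-crls="yes" file="/etc/ssh2/Root_CA.crt" />
</cert-validation>
</params>
<authentication-methods>
<authentication action="allow">
    <auth-publickey />
    <authentication action="allow">
        <selector>
            <certificate field="subject-name" pattern="C=US, O=Tectia, CN=%username%" />
        </selector>
    </authentication>
<authentication action="deny" />
</authentication>
</authentication-methods>
<services>
  <rule idle-timeout="0">
    <terminal action="allow" />
    <tunnel-agent action="allow" />
  </rule>
</services>
</secsh-server>
"""


def production_variant(text):
    """The same file with CRL checking switched back on, as the config's
    own comment instructs for production use."""
    return text.replace('disable-crls="yes"', 'disable-crls="no"')


if __name__ == "__main__":
    for label, cfg in (("testing", SAMPLE_TESTING),
                       ("production", production_variant(SAMPLE_TESTING))):
        problems = check_server_config(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the real file with `check_server_config(open("/etc/ssh2/ssh-server-config.xml").read())` after the jump host has been configured; the testing sample above reports only the disable-crls finding, and the production variant reports nothing.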
Asked: Feb 01 '12 at 10:35

Seen: 3,957 times

Last updated: Feb 02 '12 at 14:26

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.