环境:-16.04.4 LTS(Xenial Xerus)4.13.0-36-generic
我正在关注这篇文章(https://wiki.ubuntu.com/Enterprise/Authentication/KerberosServices) 设置 Kerberised ssh。尝试使用域名而不是 IP,仍然没有成功。
另外,我想让这些使用 Kerberos 的用户在机器上拥有 sudo 访问权限,这样每个使用 Kerberos 的用户都会获得管理员权限。这可以通过在 sudoers 文件中添加条目来实现。
启用 Kerberized ssh 后,它不起作用。
以下是客户端配置。
$grep -i ad.ny /etc/krb5.conf
kdc = ad.test.edu
admin_server = ad.test.edu
我可以毫无问题地获得 Kerberos 票证
$kinit [email protected]
Password for [email protected]:
以下是门票详情
$klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
03/19/2019 16:36:05 03/20/2019 02:36:05
krbtgt/[email protected]
以下是 ssh 配置
$ grep -v ^# /etc/ssh/sshd_config | grep -v -e '^$'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
以下是 ssh 详细输出
$ssh -K -v test/[email protected]
<< .snip>
..
<snip>
debug1: Authentications that can continue: publickey,gssapi-
keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/test/.ssh/id_dsa
debug1: Trying private key: /Users/test/.ssh/id_ecdsa
debug1: Trying private key: /Users/test/.ssh/id_ed25519
debug1: Trying private key: /Users/test/.ssh/id_xmss
debug1: Next authentication method: password
test/[email protected]'s password: