OpenSSH + Kerberos5 on FreeBSD
==============================

Author: Momchil Ivanov
Date : 2013.02.21

Introduction
------------

This article explains how to set up an OpenSSH server under FreeBSD using
Kerberos authentication.

Instructions
------------

1. You need to install and set up Kerberos on the ssh server and the client,
   see [1].

2. Create a host principal and save it on the ssh server

       # kinit user
       # kadmin
       kadmin> add --random-key host/server1.example.local
       kadmin> ext host/server1.example.local
       kadmin> exit
       # kdestroy

3. Settings for /etc/rc.conf

       gssd_enable="YES"

4. Settings for /etc/ssh/sshd_config

       KerberosAuthentication yes
       GSSAPIAuthentication yes
       GSSAPICleanupCredentials yes

5. Settings for PAM in /etc/pam.d/sshd (basically uncomment the pam_krb5.so
   lines):

       auth sufficient pam_opie.so no_warn no_fake_prompts
       auth requisite pam_opieaccess.so no_warn allow_local
       auth sufficient pam_krb5.so no_warn try_first_pass
       auth required pam_unix.so no_warn try_first_pass

       # account
       account required pam_nologin.so
       account required pam_krb5.so
       account required pam_login_access.so
       account required pam_unix.so

       # session
       session required pam_permit.so

       # password
       password sufficient pam_krb5.so no_warn try_first_pass
       password required pam_unix.so no_warn try_first_pass

6. Settings for $HOME/.k5login

       user@EXAMPLE.LOCAL
       user2@EXAMPLE.LOCAL

Client settings
---------------

1. Settings for /etc/rc.conf

       gssd_enable="YES"

2. Settings for $HOME/.ssh/config:

       Host server1.example.local
           User user
           GSSAPIAuthentication yes
           GSSAPIDelegateCredentials yes
           PubkeyAuthentication no
           PasswordAuthentication no

References
----------

[1] Installing Kerberos5 on FreeBSD, M. Ivanov (2013)
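
The server-side settings from the Instructions section (rc.conf, sshd_config and pam.d/sshd) can be checked offline with a small script. This is an added example, not part of the original article; the function names, the three-path calling convention and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: offline audit of the three server-side files from the steps.

# Value of the first uncommented occurrence of a keyword in the global part of
# sshd_config. Keywords are case-insensitive, arguments are case-sensitive, and
# sshd keeps the first value it reads; scanning stops at the first Match block.
sshd_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(k) { print f[2]; exit }' "$1"
}

# Last uncommented gssd_enable assignment in rc.conf (later lines override).
gssd_value() {  # $1 = file
    awk -F= '/^[ \t]*gssd_enable=/ { v = $2 }
             END { gsub(/[" \t]/, "", v); print toupper(v) }' "$1"
}

# Print one line per problem; return 0 only when nothing is missing.
audit() {  # $1 = sshd_config, $2 = rc.conf, $3 = pam.d/sshd
    bad=0
    for kw in KerberosAuthentication GSSAPIAuthentication GSSAPICleanupCredentials; do
        [ "$(sshd_value "$1" "$kw")" = yes ] ||
            { echo "sshd_config: $kw is not explicitly set to yes"; bad=1; }
    done
    [ "$(gssd_value "$2")" = YES ] ||
        { echo "rc.conf: gssd_enable is not YES"; bad=1; }
    for fac in auth account password; do
        awk -v f="$fac" '$1 == f && $3 == "pam_krb5.so" { ok = 1 }
                         END { exit !ok }' "$3" ||
            { echo "pam.d/sshd: no active pam_krb5.so line for $fac"; bad=1; }
    done
    return "$bad"
}

# Constructed sample files (not from a real host): GSSAPIAuthentication is
# only set inside a Match block and the pam_krb5.so auth line is commented out.
write_sample() {  # $1 = directory to write into
    printf '%s\n' 'kerberosauthentication yes' '#GSSAPIAuthentication yes' \
        'GSSAPICleanupCredentials yes' 'Match User guest' \
        'GSSAPIAuthentication yes' > "$1/sshd_config"
    printf '%s\n' 'sshd_enable="YES"' 'gssd_enable="YES"' > "$1/rc.conf"
    printf '%s\n' '#auth sufficient pam_krb5.so no_warn try_first_pass' \
        'auth required pam_unix.so no_warn try_first_pass' \
        'account required pam_krb5.so' \
        'password sufficient pam_krb5.so no_warn try_first_pass' > "$1/pam_sshd"
}

# Run against real files when three paths are given.
[ "$#" -ne 3 ] || audit "$@"
```

On the constructed sample it reports two findings: GSSAPIAuthentication is not set in the global section, and there is no active pam_krb5.so line for auth.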