Kerberized SSH on Mac OS X v10.5 Server

Posted on

This week I have been teaching the Advanced Systems Administration class for Mac OS X 10.5, and we talked about security and secure access.  As usual, I mentioned the security necessity for SSH authentication when accessing the server through the Command Line remotely, and how to set up public and private keys for authentication.  But there is an inherent flaw with the public and private key:  if someone manages to gain access to your computer and copy your private key, they have a non-authenticated method of accessing your system.  Also, if someone leaves the company and shouldn't have access to the server anymore, you need to remove their public key manually instead of just removing access through your Directory.So you have the following problem:  You need a login method that will allow you to SSH into the boxes you need access to without a password, but have some type of Directory-based key system that is secure, temporary, and key-based.  Enter Kerberos.  Kerberized SSH is not at all anything new, and I found a lot of Linux instructions on how to get it set up with Kerberos.  But I was hard-pressed to find a Mac OS X v10.5 Server instruction, and as such decided to write my own.  Hopefully this will be o some use for someone out there. Now, this assumes that you have Kerberos running, and the Mac OS X Server is either an Open Directory Master, Open Directory Replica, or Connected to a Directory System and kerberized.  The server itself will need to provide authentication through Kerberos for this to work.  You also need to make some minor changes to your .ssh directory in your Home Folder, and have your client bound to the directory.What we are going to do is install the Kerberos module for PAM authentication on the Mac OS X Server, configure the sshd PAM authentication rules for Kerberos, and then on the client side enable GSSAPI authentication.  It's as simple as that.  ^_^
  1. Download the pam_krb5 library from SourceForge.  This is the PAM authentication library necessary for Kerberos 5 to work in a PAM enabled service.  
  2. Extract and Compile:  I extracted the file in my Downloads directory and then compiled it right there.  Be sure you have Xcode installed, because you will need gcc.  I compiled it on a local machine and then copied the library to my server.  Once you run ./configure and get it to pass, just run make.  The library will be placed in the .lib directory (which is hidden).  You can then copy the pam_krb5.so file to the necessary spot or to a jump drive to drop on your server.  
  3. Place the pam_krb5.so module into the /usr/lib/pam/ directory on the server.  SSH gets its authentication information through PAM, so having the library here is crucial. 
  4. Edit the /etc/pam.d/sshd configuration file to look like the following:#sshd: auth account password sessionauth    required    pam_nologin.soauth    optional    pam_afpmount.soauth    sufficient    pam_securityserver.soauth    sufficient    pam_krb5.soauth    sufficient    pam_unix.soauth    required    pam_deny.soaccount    required    pam_securityserer.sopassword    required    pam_deny.sosession    required    pam_launchd.sosession    sufficient    pam_krb5.sosession    optional    pam_afpmount.so
  5. On your Mac OS X computer, create (if you don't have one already) a config file in your ~/.ssh/ directory with the following command: GSSAPIAuthentication yes
And that's it!  You can now log into any kerberized server using SSH, not need a password, or even build a public-private key structure.