Another geeky post.
So, I beat my head in a little getting kerberized ssh logins happening to my linux file server. I was overlooking something small, of course, but I have managed to make it go. Here are the steps I took, which might help you if you are trying to do the same. Most of the instructions came from here.
1) On the SSH server, get a ticket for an admin with ‘kinit username/admin’. By default, OSX Server has just kadmin/admin. I didn’t know the password for it, and it was none of the passwords I used to set up the server, so rather than change it, I just added a new principal to the KDC (on the KDC, using kadmin.local) as user/admin@REALM with a password I knew. If getting a ticket on the SSH box fails, you probably forgot to, ya know, set up the machine to auth off your OSX Server.
2) Run ‘kadmin’, use your password.
3) Add a principal for your SSH box if it does not exist (i.e., run a ‘listprincs’ and see if host/SSHBoxen@REALM is there). ‘addprinc -randkey host/SSHBoxen@REALM’ is your friend.
4) The key, literally, is to export to the local machine’s keytab. This is important. Run ‘ktadd -k /etc/krb5.keytab host/SSHBoxen@REALM’
5) ‘quit’, and run a ‘ktutil’. Type ‘rkt /etc/krb5.keytab’ followed by a ‘list’. You should see three entries for host/SSHBoxen@REALM (one per encryption type). If not, you screwed up a step above.
6) Provided you configured your /etc/sshd_config to allow Kerberos and GSSAPIAuthentication, you are done. Don’t forget to get a new TGT on your client first, with a ‘kinit’. You should get a password-less login to your SSH box from any box you have a TGT on!
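Since steps 5 and 6 are where it usually goes wrong, here is a small added sanity-check script (mine, not part of the original how-to) that verifies the two things those steps rely on: that the effective GSSAPIAuthentication setting in sshd_config is really “yes”, and that the keytab actually holds entries for the host principal. It assumes the sshd_config text and an MIT `klist -k` (or ktutil ‘list’) listing are piped in on stdin; the sample config and keytab listing below are constructed, and sshboxen.example.com / EXAMPLE.COM are placeholders.

```sh
#!/bin/sh
# Added example: sanity checks for a kerberized sshd setup.
# Assumptions (not from the post): sshd_config is read on stdin, and the
# keytab listing is the output of `klist -k` or ktutil's `list`, also on stdin.

# Print the effective value of an sshd_config keyword read on stdin.
# sshd honours the FIRST occurrence of a keyword, so a later "yes" does not
# override an earlier "no". Commented-out lines (#Keyword) and case
# differences are handled; leading whitespace is ignored by awk's splitting.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == key { print tolower($2); exit }
    '
}

# Succeed (exit 0) only if ticket-based login is actually enabled, i.e. the
# effective GSSAPIAuthentication value is "yes".
sshd_config_enables_gssapi() {
    [ "$(sshd_effective_value GSSAPIAuthentication)" = yes ]
}

# Count the entries for one principal in a keytab listing read on stdin.
# Both `klist -k` and ktutil `list` print the principal as the last field.
# The post expects three entries for host/SSHBoxen@REALM (one per enctype).
keytab_entries_for() {
    awk -v p="$1" '$NF == p { n++ } END { print n + 0 }'
}

# --- constructed samples ---------------------------------------------------
SAMPLE_SSHD_CONFIG_OK='# constructed sample sshd_config
#GSSAPIAuthentication no
  GSSAPIAuthentication yes
KerberosAuthentication yes
GSSAPICleanupCredentials yes'

# Constructed: the first occurrence wins, so this config does NOT enable it.
SAMPLE_SSHD_CONFIG_BAD='GSSAPIAuthentication no
GSSAPIAuthentication yes'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sshboxen.example.com@EXAMPLE.COM
   2 host/sshboxen.example.com@EXAMPLE.COM
   2 host/sshboxen.example.com@EXAMPLE.COM'

# Stand-alone demo on the constructed samples.
if printf '%s\n' "$SAMPLE_SSHD_CONFIG_OK" | sshd_config_enables_gssapi; then
    echo "good sample: GSSAPIAuthentication is effectively yes"
fi
if ! printf '%s\n' "$SAMPLE_SSHD_CONFIG_BAD" | sshd_config_enables_gssapi; then
    echo "bad sample: first 'no' wins, GSSAPI login would fail"
fi
n=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_entries_for host/sshboxen.example.com@EXAMPLE.COM)
echo "keytab entries for host principal: $n (expect 3)"
```

On a real box you would run it as `sshd_config_enables_gssapi < /etc/ssh/sshd_config` (the post uses /etc/sshd_config; adjust the path to wherever your distribution keeps it) and `klist -k /etc/krb5.keytab | keytab_entries_for "host/$(hostname -f)@REALM"`. A count of zero with a correct-looking keytab usually means the principal in the keytab does not match the server’s canonical hostname, which is exactly the small thing that is easy to overlook.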
Whew! This makes me happy.