Ssh Kerberos


Once creating that principal for SSH service, I used the ktadd -k command to add the keytab file (to be clear, SSH server and Kerberos server are on the same machine) located at /etc/krb5.keytab. The output of sudo klist -ke /etc/krb5.keytab is. Native Kerberos Authentication with SSH - Scott's Weblog - The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking Native Kerberos Authentication with SSH Published on 21 Aug 2006 Filed in Tutorial 548 words (estimated 3 minutes to read). Suppose your Kerberos tickets allow you to log into a host in another domain, such as, which is also in another Kerberos realm, EXAMPLE.COM. If you ssh to this host, you will receive a ticket-granting ticket for the realm EXAMPLE.COM, plus the new host ticket for Klist will now show. Kerberos authentication as denied for kerberos-name The server received a negative result from Kerberos authentication module for logging in as the specified user. Facility: SSHLOGFACILITYAUTH. Level: SSHLOGNOTICE. Login accepted for user. Kerberos authentication as user%.100s accepted for%.100s. Then we need to take the keytab file into which you extracted the key for the host principal and copy it to the location on the ssh server where sshd will look for it, probably /etc/krb5.keytab. We need to configure sshdconfig(5).

Machines that are configured to use Kerberos for authentication are also configured to use kerberos authentication (GSS API) and delegation for outgoing SSH connections to other MCECS machines by default. This means that if you are physically logged into a workstation machine and you SSH to another computer you won’t have to enter your password again and your kerberos ticket will “follow” you to the computer you SSH’d into.

Ssh Kerberos Hospital

SSH To Machines That use Kerberos Authentication Using SSH Keys Won’t Work

Key-based authentication to machines that use Kerberos for authentication and for protecting NFS traffic either won’t work at all,or will work in unreliable and unpredictable ways. This is because your SSH public key resides in your home directory which is not available until you have a valid Kerberos ticket. It’s best to assume that it won’t work at all and use GSS API authentication to get authenticate to workstations and other Kerberos protected computers.


SSH From Machines That Don’t Use Kerberos Authentication

Ssh Kerberos Program

If a Linux computer doesn’t use Kerberos for authentication, and you are manually initializing a Kerberos ticket, and you want to ssh using GSSAPI (Kerberos) to get to workstation machines you might want to add something like the following to your ~/.ssh/config file:

Ssh Kerberos Authentication


Ssh Kerberos Gssapi

This will specify that you want to try using GSSAPI authentication and delegation when SSHing to any other PSU computers.