
SSH

This covers Kerberos (GSSAPI) authentication as it applies to SSH. Public-key and password authentication stay enabled as fallbacks.

Each host running an SSH server needs the key for its host/<hostname>.domain@DOMAIN principal in its keytab. sshd reads the system default keytab (/etc/krb5.keytab on most systems) through the GSSAPI library, so either extract to that file or point KRB5_KTNAME at the one you use.

At the kadmin.local: prompt (ktadd -norandkey is only accepted by kadmin.local, not by the remote kadmin client, and the service policy is assumed to exist already):
addprinc -policy service -randkey host/<hostname>.domain
ktadd -k /path/to/file.keytab -norandkey host/<hostname>.domain

SSH Daemon Configuration

Listing 1: /etc/ssh/sshd_config (excerpt)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanUpCredentials yes

SSH Client Configuration

Listing 2: /etc/ssh/ssh_config (excerpt)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password

Mac OS Client

Apple dropped the GSSAPI key-exchange patch from the bundled ssh client in the Sierra update (10.12), so the stock client no longer recognises GSSAPIKeyExchange in ssh_config. A patched ssh client is available on homebrew. Read more at: After update Mac OS Sierra, Can not use ssh login remote system,how can I fix this?

Install homebrew openssh with GSSAPI support
brew tap rdp/homebrew-openssh-gssapi
brew install rdp/homebrew-openssh-gssapi/openssh-patched --with-gssapi-support

Mac OS Daemon

Apple's sshd still supports GSSAPI authentication. Enable it in the config as above, but without the GSSAPIKeyExchange line: that keyword comes from the distribution key-exchange patch (Debian, Ubuntu, RHEL carry it), not from upstream OpenSSH, and an unpatched sshd rejects it as a bad configuration option.

Since a lot of my applications come from homebrew it's useful to have a modified PATH while logged in remotely. PermitUserEnvironment yes would let any user push arbitrary variables (LD_PRELOAD, LD_LIBRARY_PATH, ...) into the processes sshd starts, which can bypass ForceCommand and authorized_keys command= restrictions, so here we use a pattern-list (OpenSSH 7.8 and later) that accepts only the named variables. The list is comma-separated with no spaces, because sshd splits the line on whitespace and treats a second token as an extra argument. See sshd_config(5) on PermitUserEnvironment.

Allow user environment
PermitUserEnvironment PATH,LANG

Each user then sets PATH in ~/.ssh/environment, one NAME=value per line; variables whose names do not match the pattern-list are silently dropped.
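The script below is an added example, not code from this page or from OpenSSH; it serves both the GSSAPI listings above and the PermitUserEnvironment section. It parses a constructed sshd_config excerpt, reports the GSSAPI directives, and applies PermitUserEnvironment to a constructed ~/.ssh/environment file the way sshd's environment-file reader does, reimplementing OpenSSH's pattern-list matching so the allow-list can be exercised offline. The file contents and the hypothetical LD_PRELOAD line are assumptions made for the demonstration.

```python
"""Offline checker for the sshd_config settings discussed on this page.
Added example, not part of the original page or of OpenSSH."""


def match_pattern(s, pat):
    """OpenSSH match.c semantics: '*' matches any run (including empty),
    '?' matches exactly one character, everything else is literal.
    No [...] classes, case-sensitive."""
    if not pat:
        return s == ""
    if pat[0] == "*":
        rest = pat.lstrip("*")  # collapse consecutive stars
        if not rest:
            return True
        return any(match_pattern(s[i:], rest) for i in range(len(s) + 1))
    if not s:
        return False
    if pat[0] == "?" or pat[0] == s[0]:
        return match_pattern(s[1:], pat[1:])
    return False


def match_pattern_list(s, patterns):
    """Comma-separated pattern-list; a '!' prefix negates, and a negative
    match wins outright, as in OpenSSH's match_pattern_list()."""
    got_positive = False
    for sub in patterns.split(","):
        negated = sub.startswith("!")
        if match_pattern(s, sub[1:] if negated else sub):
            if negated:
                return False
            got_positive = True
    return got_positive


def parse_sshd_config(text):
    """Parse an sshd_config excerpt into {keyword_lower: [args]}.
    Two sshd rules matter here: keywords are case-insensitive and the
    FIRST occurrence wins. Match blocks are deliberately not handled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # sshd tokenises on whitespace
        conf.setdefault(parts[0].lower(), parts[1:])
    return conf


def first_arg(conf, key, default):
    args = conf.get(key)
    return args[0] if args else default


def check_gssapi(conf, role):
    """Findings for the GSSAPI directives; role is 'server' or 'client'."""
    findings = []
    if first_arg(conf, "gssapiauthentication", "no").lower() != "yes":
        findings.append("GSSAPIAuthentication is not yes: Kerberos logins "
                        "fall through to publickey/password")
    if "gssapikeyexchange" in conf:
        findings.append("GSSAPIKeyExchange set: needs a GSSAPI-kex patched "
                        "OpenSSH; upstream and stock macOS builds reject it")
    if role == "server" and \
            first_arg(conf, "gssapicleanupcredentials", "yes").lower() != "yes":
        findings.append("GSSAPICleanUpCredentials no: delegated tickets "
                        "outlive the session")
    if role == "client" and \
            first_arg(conf, "gssapidelegatecredentials", "no").lower() == "yes":
        findings.append("GSSAPIDelegateCredentials yes: your TGT is forwarded "
                        "to every host you log in to")
    return findings


def permitted_env(conf, environment_file):
    """Apply PermitUserEnvironment to ~/.ssh/environment text.
    Returns (accepted {name: value}, rejected [lines])."""
    args = conf.get("permituserenvironment", ["no"])
    if len(args) != 1:  # e.g. "PATH, LANG": the space makes a second token
        raise ValueError("PermitUserEnvironment: extra arguments; "
                         "write the pattern-list without spaces")
    if args[0].lower() == "no":
        return {}, []  # the file is never read
    allow = None if args[0].lower() == "yes" else args[0]
    accepted, rejected = {}, []
    for raw in environment_file.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:  # sshd logs "Bad line" and skips it
            rejected.append(line)
            continue
        name, value = line.split("=", 1)
        if allow is None or match_pattern_list(name, allow):
            accepted[name] = value
        else:
            rejected.append(line)
    return accepted, rejected


# Constructed sample input (hypothetical paths and values).
SAMPLE_SSHD_CONFIG = """\
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanUpCredentials yes
PermitUserEnvironment PATH,LANG
"""
SAMPLE_ENV_FILE = """\
# constructed ~/.ssh/environment
PATH=/opt/homebrew/bin:/usr/bin:/bin
LANG=en_US.UTF-8
LD_PRELOAD=/tmp/evil.so
not-an-assignment
"""

if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for f in check_gssapi(conf, "server"):
        print("note:", f)
    ok, dropped = permitted_env(conf, SAMPLE_ENV_FILE)
    print("accepted:", ok)
    print("rejected:", dropped)
```

Running it shows PATH and LANG surviving while the LD_PRELOAD line and the malformed line are dropped; changing the directive to PATH, LANG (with a space) raises the extra-argument error that sshd would report at startup, and changing it to yes lets LD_PRELOAD through.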