Kerberos authentication via SSH does not work

Hi Guys,

This is a topic that I’ve been dragging along for almost a year and would still like to solve. Key data:

  • Univention UCS domain (Debian based)
  • The client and server are Ubuntu 20.04

What works:

  • Login to the Ubuntu desktop with password, all CIFS / Samba drives with Kerberos are automatically mounted (pam_mount.conf.xml)
  • Login via SSH and password. And there the CIFS / Samba drives are automatically mounted with Kerberos (pam_mount.conf.xml)
  • Login to all UCS servers via SSH from all Ubuntu clients with Kerberos without a password
  • Kerberos Auth without password using Apache and Keytab from an Ubuntu client to an Ubuntu server where Apache is running.

What is not working yet:

  • Login from an Ubuntu client via SSH and Kerberos without a password to another Ubuntu SSH server.

What have I done so far to resolve the issue?

  • Lots of adjustments on the Ubuntu SSH server. I’ve looked at many articles on the net where this worked, unfortunately always without success. I also built the SSHD config in the same way as on the functioning UCS servers, with the same result.

Why can’t I use SSH keys? Quite simply because no password or key like Kerberos is transmitted and the network drives are not mounted.

Conclusion: Since it works on all UCS servers, it cannot be due to the client. It cannot be due to the UCS KRB master server either, since even the automatic login via Apache / User from the client to the Ubuntu server works perfectly with Keytab.

I think that I don’t quite understand something here; it can only be a small thing. Almost all articles say that you need a keytab. I have it, and Apache uses it well. But there is nowhere you can configure SSH so that it can handle the keytab and let the user authenticate with Kerberos. It would be the full Christmas miracle if I only knew how it really works :relaxed:

Thank you very much.
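
An added example, not part of the original post: for GSSAPI logins the SSH client requests a ticket for `host/<server FQDN>`, so sshd needs that key in its keytab and `GSSAPIAuthentication yes`, whereas a keytab made for Apache normally holds an `HTTP/` key. The sketch below checks both conditions on text in the format of `sshd -T` and MIT `klist -k` output; the hostname, realm and sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example. Hostnames, realm and sample listings are constructed placeholders.
# On a real server, feed in the output of `sshd -T` and `klist -k /etc/krb5.keytab`.

# Print the value of an option from `sshd -T`-style "keyword value" lines.
sshd_option() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v k="$2" \
        'tolower($1) == tolower(k) { print tolower($2); exit }'
}

# Succeed if an MIT `klist -k` listing holds a key for host/<fqdn>@<any realm>.
has_host_principal() {  # $1 = klist -k output, $2 = server FQDN
    printf '%s\n' "$1" | awk -v p="host/$2@" \
        'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Report what is missing for GSSAPI logins; return 0 only if both checks pass.
check_gssapi_server() {  # $1 = sshd config, $2 = klist -k output, $3 = FQDN
    rc=0
    if [ "$(sshd_option "$1" gssapiauthentication)" != "yes" ]; then
        echo "sshd: GSSAPIAuthentication is not enabled"; rc=1
    fi
    if ! has_host_principal "$2" "$3"; then
        echo "keytab: no key for host/$3"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a keytab created for Apache only, GSSAPI disabled in sshd.
SAMPLE_SSHD='passwordauthentication yes
gssapiauthentication no'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 HTTP/files01.example.test@EXAMPLE.TEST'

# Constructed sample: GSSAPI enabled and a host/ key present.
GOOD_SSHD='gssapiauthentication yes
gssapicleanupcredentials yes'
GOOD_KEYTAB="$SAMPLE_KEYTAB
   3 host/files01.example.test@EXAMPLE.TEST"

check_gssapi_server "$SAMPLE_SSHD" "$SAMPLE_KEYTAB" files01.example.test \
    || echo "server is not ready for Kerberos SSH logins"
check_gssapi_server "$GOOD_SSHD" "$GOOD_KEYTAB" files01.example.test \
    && echo "server-side prerequisites present"
```

The check covers only the server side; the client additionally needs a valid ticket and `GSSAPIAuthentication yes` in its own ssh configuration.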