Score:0

Kerberos credentials not renewed on ipa ubuntu client

kz flag

When I use ssh to login to my freeipa client, I get Kerberos credentials (klist). However, after they expire, I no longer get the credentials (klist empty). This results with no home directory as the user does not have permissions for the nfs. I can use kinit to obtain new credentials. Restarting sssd and logging in again with ssh, also obtains a new ticket. Using sudo obtains tickets as well.

I do not even know which process is responsible for requesting the ticket, so I have no idea where to start debugging the issue. I have Ubuntu 20.04 and used the freeipa-client package to install the client.

Any help would be appreciated.

YuvGM avatar
kz flag
Turns out the problem is that I used public key to authenticate with ssh. Tickets are only created when I use password authentication. Now the question is why? Is it by design or do I need to configure something.
Score:1
ng flag

If you are using ssh public key to authenticate, you are only authenticating to your ssh daemon, not to the system. SSH daemon would claim that it performed authentication and then log you in into the shell. While this process might be utilizing PAM stack to set up your login session, it, however, does not handle authentication through the PAM stack.

I may state obvious to you, but Kerberos ticket can only be obtained if you use software that requests it. On a typical system such a ticket would be requested through PAM auth stage if either pam_sss or pam_krb5 is defined in auth stack of the PAM configuration used by your application. When such application (e.g. sshd) is skipping auth stage, none of PAM modules responsible for authentication are called and no Kerberos ticket can be obtained this way.

When Kerberos client attempts to request an initial ticket granting ticket (TGT), it and Kerberos KDC exchange a list of so-called "pre-authentication methods". In practice, these are the methods used to authenticate your client against KDC. One method chosen by a client, if accepted by the KDC, implements actual authentication process. There are no Kerberos pre-authentication methods that use a SSH key-pair for authentication, so you cannot use SSH key-pair to obtain a TGT. All standard password-based pre-authentication methods are built around both Kerberos client and Kerberos KDC knowning the long-term key (password) of the user principal, even though they do not pass it over the network. There is currently one method that does not rely on a password and it is so-called PKINIT method which relies on completing authentication using public key certificate infrastructure.

What can you do? You might want to turn it all around and use a smartcard for authentication instead. Smartcard authentication is supported by Kerberos as a 'pkinit' pre-authentication method. In addition to that, SSH daemon is capable to treat a certificate from your smartcard for authentication similar to the SSH key-pair case.

If you'd use PKINIT authentication, you have two ways: either obtain a Kerberos TGT with PKINIT on your workstation and login to SSH daemon on other machine using Kerberos ticket you have locally, or use your smartcard certficiate to login to SSH daemon as a SSH key and then use smartcard forwarding to request a Kerberos ticket on the host directly. In the former case your original TGT would not be forwarded to the SSH host automatically, unless you have asked for a ticket delegation. In the latter case you'd still need to request a TGT.

Regardless which method to use, you can definitely benefit from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/index

If you don't want or cannot use smartcards, then the only method left is to use Kerberos login directly and forget about SSH key-pair authentication.

YuvGM avatar
kz flag
Thanks for the comprehensive answer. It confirmed my suspicions once I realised tickets are only handed once I entered my password.I admit I wandered down the freeipa path, without required knowledge, hoping I could wing it. Ultimately, when faced with a problem, there are so many entities and services involved, it's difficult to track down the issues to their sources.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.