Tuesday, May 19, 2009

Kerberized SSH on Mac OS X v10.5 Server

This week I have been teaching the Advanced Systems Administration class for Mac OS X 10.5, and we talked about security and secure access. As usual, I mentioned that SSH authentication is a security necessity when accessing the server remotely through the command line, and how to set up public and private keys for authentication.

But there is an inherent flaw with public and private keys: if someone manages to gain access to your computer and copy your private key, they can get into your system without any further authentication. Also, if someone leaves the company and shouldn't have access to the server anymore, you need to remove their public key manually instead of just removing their access through your Directory. So you have the following problem: you need a login method that lets you SSH into the boxes you need without a password, but backed by a Directory-based key system that is secure, temporary, and key-based. Enter Kerberos.

Kerberized SSH is not at all new, and I found a lot of Linux instructions on how to set it up with Kerberos. But I was hard-pressed to find instructions for Mac OS X v10.5 Server, and as such decided to write my own. Hopefully this will be of some use to someone out there.

This assumes that you have Kerberos running, and that the Mac OS X Server is either an Open Directory Master, an Open Directory Replica, or connected to a directory system and kerberized. The server itself will need to authenticate through Kerberos for this to work. You also need to make some minor changes to the .ssh directory in your Home Folder, and have your client bound to the directory. What we are going to do is install the Kerberos module for PAM authentication on the Mac OS X Server, configure the sshd PAM rules for Kerberos, and then enable GSSAPI authentication on the client side. It's as simple as that. ^_^

  1. Download the pam_krb5 library from SourceForge.  This is the PAM authentication library necessary for Kerberos 5 to work in a PAM enabled service.  

  2. Extract and Compile:  I extracted the file in my Downloads directory and then compiled it right there.  Be sure you have Xcode installed, because you will need gcc.  I compiled it on a local machine and then copied the library to my server.   Once you run ./configure and get it to pass, just run make.  The library will be placed in the .lib directory (which is hidden).  You can then copy the pam_krb5.so file to the necessary spot or to a jump drive to drop on your server.  

  3. Place the pam_krb5.so module into the /usr/lib/pam/ directory on the server.  SSH gets its authentication information through PAM, so having the library here is crucial. 

  4. Edit the /etc/pam.d/sshd configuration file to look like the following (every module named here must exist in /usr/lib/pam/, or that phase of the stack fails; the account line uses the same pam_securityserver.so module as the auth stack):

      #sshd: auth account password session
      auth       required     pam_nologin.so
      auth       optional     pam_afpmount.so
      auth       sufficient   pam_securityserver.so
      auth       sufficient   pam_krb5.so
      auth       sufficient   pam_unix.so
      auth       required     pam_deny.so
      account    required     pam_securityserver.so
      password   required     pam_deny.so
      session    required     pam_launchd.so
      session    sufficient   pam_krb5.so
      session    optional     pam_afpmount.so

  5. On your Mac OS X client, create (if you don't have one already) a config file in your ~/.ssh/ directory containing the following line:

      GSSAPIAuthentication yes


And that's it! You can now log into any kerberized server using SSH without needing a password, or even building a public-private key structure.
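As an added example (not part of the original post), here is a small POSIX shell checker for an sshd PAM stack like the one in step 4: it flags any module the file names that is missing from the module directory (the typo variant below shows how a misspelled module name is caught before it silently breaks a phase) and complains if pam_krb5.so is absent from the auth stack. The check_pam_sshd function, the scratch module directory and both sample config files are constructed for this example; on a real server you would point it at /etc/pam.d/sshd and /usr/lib/pam.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an sshd PAM stack
# before trusting it for Kerberos logins. Usage: check_pam_sshd CONF MODDIR
# Flags every module CONF names that is missing from MODDIR (a misspelled
# module name silently fails that phase) and the absence of pam_krb5.so from
# the auth stack. Returns 0 only when the stack passes both checks.
check_pam_sshd() {
    conf="$1"; moddir="$2"
    problems=$( {
        # columns in a PAM file: type control module [args]; skip comments/blanks
        grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' |
        while read -r type control module rest; do
            [ -f "$moddir/$module" ] || echo "missing module $module ($type $control)"
        done
        grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_krb5\.so' "$conf" ||
            echo "pam_krb5.so is not in the auth stack"
    } )
    [ -z "$problems" ] && { echo "$conf: ok"; return 0; }
    printf '%s\n' "== $conf" "$problems"
    return 1
}

# --- constructed fixtures: a stand-in module directory and two sshd stacks ---
MODDIR=$(mktemp -d)
for m in pam_nologin.so pam_afpmount.so pam_securityserver.so pam_krb5.so \
         pam_unix.so pam_deny.so pam_launchd.so; do
    : > "$MODDIR/$m"   # empty files standing in for the real modules
done
GOOD_CONF="$MODDIR/sshd.good"   # the stack from step 4
cat > "$GOOD_CONF" <<'EOF'
#sshd: auth account password session
auth       required     pam_nologin.so
auth       optional     pam_afpmount.so
auth       sufficient   pam_securityserver.so
auth       sufficient   pam_krb5.so
auth       sufficient   pam_unix.so
auth       required     pam_deny.so
account    required     pam_securityserver.so
password   required     pam_deny.so
session    required     pam_launchd.so
session    sufficient   pam_krb5.so
session    optional     pam_afpmount.so
EOF
BAD_CONF="$MODDIR/sshd.bad"     # same stack, account module misspelled
sed 's/^account .*/account    required     pam_securityserer.so/' "$GOOD_CONF" > "$BAD_CONF"
for c in "$GOOD_CONF" "$BAD_CONF"; do
    check_pam_sshd "$c" "$MODDIR" || echo "  -> do not deploy $c"
done
```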
