Jira (BOLT-168) Kerberos support for ssh

[John Duarte (JIRA)]

Title: Message Title

John Duarte commented on BOLT-168   Re: Kerberos support for ssh Using bolt at SHA 3115817, this passes manual validation. Reproduction steps Test platform was Centos 7 x86_64 Setup kerberos Install packages yum install -y krb5-server krb5-libs krb5-workstation Create configuration file cat > /etc/krb5.conf << EOF includedir /etc/krb5.conf.d/   [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log   [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false default_realm = BOLT168TESTREALM default_ccache_name = KEYRING:persistent:%{uid}       [realms] BOLT168TESTREALM = { kdc = $(hostname -f):88 admin_server = $(hostname -f):749 default_domain = delivery.puppetlabs.net }   [domain_realm] .delivery.puppetlabs.net = BOLT168TESTREALM delivery.puppetlabs.net = BOLT168TESTREALM EOF Create database kdb5_util create -s Create ACL file cat > /var/kerberos/krb5kdc/kadm5.acl << EOF */admin@BOLT168TESTREALM * EOF Add principals kadmin.local -q "addprinc admin/admin" kadmin.local -q "addprinc root" kadmin.local -q "addprinc -randkey host/$(hostname -f)" kadmin.local -q "ktadd -k /etc/krb5.keytab host/$(hostname -f)" Start services systemctl start krb5kdc systemctl start kadmin Update ssh configs /etc/ssh/sshd_config - ensure the following line GSSAPIAuthentication yes sed -i -e 's/GSSAPIAuthentication no/GSSAPIAuthentication yes/' /etc/ssh/sshd_config /etc/ssh/ssh_config - ensure the following lines GSSAPIAuthentication yes GSSAPIDelegateCredentials yes echo 'GSSAPIDelegateCredentials yes' >> /etc/ssh/ssh_config Restart the daemon systemctl restart sshd Validate that SSH over kerberos works kinit ssh -v $(hostname -f) Setup bolt git clone https://github.com/puppetlabs/bolt.git cd bolt git submodule update --init --recursive gem install bundler bundle add json Add net-ssh-krb gem and setup PreferredAuthentications as described in the release notes for this ticket. bundle add net-ssh-krb echo 'PreferredAuthentications gssapi-with-mic' >> ~/.ssh/config Validate that SSH using kerberos works using bolt kinit bundle exec bolt command run 'hostname -f' -n k9glrt2me76fqa0.delivery.puppetlabs.net Output from test session [root@k9glrt2me76fqa0 bolt]# kinit Password for root@BOLT168TESTREALM: [root@k9glrt2me76fqa0 bolt]# bundle exec bolt command run 'hostname -f' -n k9glrt2me76fqa0.delivery.puppetlabs.net k9glrt2me76fqa0.delivery.puppetlabs.net:   k9glrt2me76fqa0.delivery.puppetlabs.net     Ran on 1 node in 0.12 seconds Add Comment   This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.