Verify Kerberos Password-less SSH Setup

Guide to verifying Kerberos-based password-less SSH connections in an Active Directory environment using Vagrant boxes.

Introduction

This guide outlines steps to verify the setup of Kerberos-based password-less SSH connections in an Active Directory (AD) environment. It uses Vagrant boxes such as pxd-ad (AD domain controller), pxd-win1 and pxd-win2 (Windows hosts), and pxd-ubuntu-devtop (Ubuntu desktop) to test ticket retrieval and SSH authentication.

The process involves checking Service Principal Names (SPNs), domain joins, Kerberos ticket retrieval, and direct SSH tests. This setup is crucial for enabling password-less automation, such as with Ansible, by transitioning from WinRM to SSH with GSSAPI.

Prerequisites:

  • Access to the specified Vagrant boxes.
  • Kerberos and OpenSSH installed and configured on all nodes.
  • Logged in as a domain user (e.g., tony@C2.ORG).
  • GSSAPIAuthentication enabled in SSH configs.

Verify SPNs and Domain Join on Windows Hosts

  1. Log in to a Windows host (e.g., pxd-win1) as the domain user tony using Remmina.

  2. Open Command Prompt and check for cached tickets:

    klist
    
    C:\Users\tony>klist
    
    Current LogonId is 0:0x2c428
    
    Cached Tickets: (0)
    
    C:\Users\tony>klist get HOST/pxd-win2
    
    Current LogonId is 0:0x2c428
    A ticket to HOST/pxd-win2 has been retrieved successfully.
    
    Cached Tickets: (2)
    
    #0>     Client: tony @ C2.ORG
            Server: krbtgt/C2.ORG @ C2.ORG
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
            Start Time: 11/4/2025 14:55:25 (local)
            End Time:   11/5/2025 0:55:25 (local)
            Renew Time: 11/11/2025 14:55:25 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96
            Cache Flags: 0x1 -> PRIMARY
            Kdc Called: PXD-AD.c2.org
    
    #1>     Client: tony @ C2.ORG
            Server: HOST/pxd-win2 @ C2.ORG
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
            Start Time: 11/4/2025 14:55:25 (local)
            End Time:   11/5/2025 0:55:25 (local)
            Renew Time: 11/11/2025 14:55:25 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96
            Cache Flags: 0
            Kdc Called: PXD-AD.c2.org
    
    C:\Users\tony>hostname
    PXD-WIN2
    
    • If empty (Cached Tickets: (0)), proceed to retrieve tickets.
  3. Retrieve the service ticket for the local host’s SPN. For example, on pxd-win2:

    klist get HOST/pxd-win2
    
    • Expected output includes a Ticket Granting Ticket (TGT) for krbtgt/C2.ORG and a service ticket for HOST/pxd-win2.
    • This confirms the KDC can issue tickets based on your authentication.
  4. If you encounter errors (e.g., “Cannot contact any KDC for requested realm”), verify the domain join:

    nltest /dsgetdc:
    
    • If it fails, rejoin the domain or check AD connectivity.
  5. Test retrieving a ticket for another host (e.g., from pxd-win2 to pxd-win1):

    klist get HOST/pxd-win1
    
    • Success indicates proper domain trust. Output shows additional cached tickets.

These steps ensure Kerberos tickets can be obtained, which is essential for password-less SSH authentication via GSSAPI. Kerberos uses these tickets to authenticate to the target host’s SPN (e.g., HOST/pxd-win1) without prompting for a password.
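To turn the manual klist inspection above into a repeatable check, here is an added example (not part of the original guide) that parses Windows klist output, confirms a TGT and a service ticket for the target SPN are cached, and flags non-AES tickets or expired lifetimes. The sample output is constructed to match the transcript above; the check time is likewise constructed.

```python
import re
from datetime import datetime

# Constructed sample of Windows `klist` output, modelled on the transcript above.
SAMPLE_KLIST = """\
Cached Tickets: (2)
#0>     Client: tony @ C2.ORG
        Server: krbtgt/C2.ORG @ C2.ORG
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        End Time:   11/5/2025 0:55:25 (local)

#1>     Client: tony @ C2.ORG
        Server: HOST/pxd-win2 @ C2.ORG
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        End Time:   11/5/2025 0:55:25 (local)
"""
SAMPLE_NOW = datetime(2025, 11, 4, 15, 0, 0)   # constructed check time inside the tickets' lifetime

def parse_klist(text):
    """Return one dict of 'Field: value' pairs per '#N>' entry in Windows `klist` output."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:   # chunk [0] is the header, not a ticket
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, _, value = line.strip().partition(":")
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets

def verify_tickets(text, target_spn, now):
    """Return findings that would break GSSAPI SSH to target_spn; an empty list means ready."""
    wanted = {"TGT": "krbtgt/", target_spn: target_spn.lower() + "@"}
    # Map each wanted name to its ticket; 'HOST/pxd-win2 @ C2.ORG' is normalised to 'host/pxd-win2@c2.org'.
    found = {name: t for t in parse_klist(text) for name, prefix in wanted.items()
             if t.get("Server", "").replace(" @ ", "@").lower().startswith(prefix)}
    findings = []
    for name in wanted:
        t = found.get(name)
        if t is None:
            fix = "log in as a domain user or run kinit" if name == "TGT" else f"run 'klist get {name}'"
            findings.append(f"no ticket for {name}: {fix}")
            continue
        etype = t.get("KerbTicket Encryption Type", "")
        if not etype.startswith("AES"):           # RC4/DES tickets mean the account still allows weak etypes
            findings.append(f"{name}: non-AES encryption type {etype or 'unknown'}")
        end_txt = t.get("End Time", "").replace(" (local)", "")   # Windows prints M/D/YYYY H:MM:SS (local)
        if end_txt and datetime.strptime(end_txt, "%m/%d/%Y %H:%M:%S") <= now:
            findings.append(f"{name}: ticket expired at {end_txt}")
    return findings
```

On a real host, feed it the output of klist (e.g., via subprocess) and datetime.now(); an empty result means the cache is ready for a GSSAPI SSH attempt to that SPN.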

Test SSH from Ubuntu to Windows

  1. Log in to pxd-ubuntu-devtop as the domain user (e.g., switch with sudo su tony).

  2. Initialize a Kerberos ticket:

    kinit
    
    • Enter the password for tony@C2.ORG.
  3. Verify the ticket:

    klist
    
    • Look for a valid TGT (e.g., krbtgt/C2.ORG@C2.ORG).
  4. Ensure /etc/krb5.conf is configured for the C2.ORG domain and GSSAPIAuthentication is enabled in /etc/ssh/ssh_config.

  5. Test SSH to a Windows host (e.g., pxd-win1):

    ssh -o GSSAPIAuthentication=yes tony@pxd-win1
    
    • Or simply ssh pxd-win1 if GSSAPIAuthentication is already enabled in the client config.
    • Success: Logs in without a password prompt.

On the target Windows host, verify the session ticket with klist.

Test SSH from Windows to Windows

  1. Log in to the source Windows host (e.g., pxd-win2) as the domain user and ensure a valid TGT exists (klist).

  2. Confirm OpenSSH client is installed and GSSAPIAuthentication is enabled in %SystemRoot%\System32\OpenSSH\ssh_config.

  3. Test SSH to the target (e.g., pxd-win1):

    ssh -o GSSAPIAuthentication=yes tony@pxd-win1
    
    • Or ssh pxd-win1 if configured by default.
    • Success: Connects without a password.

If it prompts for a password, debug with verbose mode:

    ssh -vvv -o GSSAPIAuthentication=yes tony@pxd-win1

  • Check the output for “GSSAPI authentication failed” and verify configs/tickets.

Troubleshooting

  • No tickets retrieved: Ensure domain join and AD connectivity.
  • SSH password prompt: Confirm GSSAPIAuthentication yes in both the client and server configs and that the OpenSSH build on both ends includes GSSAPI support.
  • Domain trust issues: Use nltest to validate; rejoin if needed.
  • For Ansible integration: Add ansible_ssh_common_args: '-o GSSAPIAuthentication=yes' to your inventory for password-less playbooks.

Once verified, this setup enables secure, password-less automation across environments.

Additional Information

  • For related setup guides, see Active Directory configuration in the C2 Platform documentation.
  • Ensure all nodes are properly joined to the AD domain for seamless Kerberos authentication.