Support Kerberos for LDAP Authentication
Closed this issue · 3 comments
I started using this to manage SSH Keys that are stored in an Active Directory. When I log into a linux machine I then already have a valid Kerberos ticket from the AD. It would be great if ssh-ldap-pubkey could simply use the existing user ticket for the LDAP connection.
I have only very limited experience with Kerberos and I wanna stay as far from it as I can. Also I don’t like increasing complexity of this tool and adding special dependencies for Kerberos or Active Directory.
However, if you (or someone else) figure out how to implement it with minimal changes as an optional feature and open a pull request, I’d probably merge it.
> increasing complexity of this tool and adding special dependencies for Kerberos or Active Directory.

completely understandable..! :-)

> with minimal changes as an optional feature and open a pull request

I'll have a look into it..
Okay, I looked into it and the Python part for using Kerberos is really super simple. Provided that you already have a working Kerberos setup on your machine, all you have to do in Python is to run l.sasl_interactive_bind_s("", ldap.sasl.sasl({}, 'GSSAPI'))
Here is a complete transcript from my lab:
$: ssh kermit -l test1 # ssh login to an AD integrated host
test1@kermit's password: <redacted>
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-83-generic x86_64)
[...]
test1@kermit:~$ klist # confirm that I have valid ticket
Ticket cache: FILE:/tmp/krb5cc_1709801107_jXxjPA
Default principal: test1@HOME.EXAMPLE.COM
Valid starting Expires Service principal
07/21/2017 23:57:53 07/22/2017 09:57:53 krbtgt/HOME.EXAMPLE.COM@HOME.EXAMPLE.COM
renew until 07/22/2017 23:57:47
test1@kermit:~$ ipython
Python 2.7.6 (default, Oct 26 2016, 20:30:19)
In [1]: import ldap
In [2]: ldap_uri = "ldap://dc1.home.example.com"
In [3]: l = ldap.initialize(ldap_uri)
In [4]: l.sasl_interactive_bind_s("", ldap.sasl.sasl({}, 'GSSAPI'))
Out[4]: 0
In [5]: l.search_s("CN=Test1,OU=Users,OU=Accounts,OU=EXAMPLE,DC=home,DC=example,DC=com", ldap.SCOPE_BASE, attrlist=["userPrincipalName", "sshPublicKey"])
Out[5]:
[('CN=Test1,OU=Users,OU=Accounts,DC=home,DC=example,DC=com',
{'sshPublicKey': ['ssh-rsa AAAAB3Nz[...]a9dehnv my-ssh-key',
'ssh-rsa AAAAB3N[...]fsdf my-other-ssh-key'],
'userPrincipalName': ['test1@home.example.com']})]
test1@kermit:~$ klist # check tickets (there are now tickets for the LDAP service)
Ticket cache: FILE:/tmp/krb5cc_1709801107_jXxjPA
Default principal: test1@HOME.EXAMPLE.COM
Valid starting Expires Service principal
07/21/2017 23:57:53 07/22/2017 09:57:53 krbtgt/HOME.EXAMPLE.COM@HOME.EXAMPLE.COM
renew until 07/22/2017 23:57:47
07/21/2017 23:58:28 07/22/2017 09:57:53 ldap/dc1.home.example.com@
renew until 07/22/2017 23:57:47
07/21/2017 23:58:28 07/22/2017 09:57:53 ldap/dc1.home.example.com@HOME.EXAMPLE.COM
renew until 07/22/2017 23:57:47
What do you think?
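One shape the optional feature could take, as an added example written for this thread and not code from ssh-ldap-pubkey or its author: the GSSAPI bind from the transcript is used only when the option is on and the credential cache holds an unexpired TGT, and otherwise the tool's existing simple bind runs unchanged. It assumes python-ldap (imported lazily, so the module loads without it), klist on the PATH, and the klist date format shown in the transcript; SAMPLE_KLIST is a constructed sample copied from that transcript.

```python
import re
import subprocess
from datetime import datetime

# klist ticket line "<valid starting>  <expires>  <service principal>", MM/DD/YYYY as in the transcript
_TICKET_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
_TIME_FMT = "%m/%d/%Y %H:%M:%S"
# Constructed sample, copied from the klist output in the transcript above.
SAMPLE_KLIST = """\
Default principal: test1@HOME.EXAMPLE.COM
Valid starting       Expires              Service principal
07/21/2017 23:57:53  07/22/2017 09:57:53  krbtgt/HOME.EXAMPLE.COM@HOME.EXAMPLE.COM
"""

def valid_tgt_principal(klist_output, now):
    """Default principal if the cache holds an unexpired TGT (krbtgt/ entry), else None."""
    principal = None
    for line in klist_output.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = _TICKET_LINE.match(line)
        if m and m.group(3).startswith("krbtgt/"):
            if datetime.strptime(m.group(2), _TIME_FMT) > now:
                return principal
    return None

def choose_mechanism(use_gssapi, klist_output, now):
    """'GSSAPI' when the feature is on and a usable ticket exists, else 'simple'."""
    return "GSSAPI" if use_gssapi and valid_tgt_principal(klist_output, now) else "simple"

def bind(conn, use_gssapi, bind_dn="", bind_pw=""):
    """Bind an ldap.initialize() connection; GSSAPI authenticates as the logged-in user, so
    no bind password has to be kept in the config. Returns the mechanism that was used."""
    mech = "simple"
    if use_gssapi:
        try:
            out = subprocess.run(["klist"], capture_output=True, text=True).stdout
        except FileNotFoundError:  # Kerberos client tools not installed
            out = ""
        mech = choose_mechanism(True, out, datetime.now())
    if mech == "GSSAPI":
        import ldap.sasl  # python-ldap; imported lazily so the feature stays optional
        conn.sasl_interactive_bind_s("", ldap.sasl.sasl({}, "GSSAPI"))
    else:
        conn.simple_bind_s(bind_dn, bind_pw)
    return mech
```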