I am aware of two cases here. The first one is that I do already have a TGT that I can delegate to the target host and some magic fetches the right NFS ticket for me. The second one is that I connect to the target host and enter a password and SSSD fetches a TGT and NFS ticket for me.
Both cases allow me to access a kerberized NFS share. But what happens when I use SSH pubkey auth (pubkey in IPA) to connect to the target host? Should I also get a TGT and NFS ticket to access a kerberized NFS share?
Cheers, Ronald
Am Thu, Feb 13, 2025 at 02:24:58PM +0100 schrieb Ronald Wimmer via FreeIPA-users:
> I am aware of two cases here. The first one is that I do already have a TGT that I can delegate to the target host and some magic fetches the right NFS ticket for me. The second one is that I connect to the target host and enter a password and SSSD fetches a TGT and NFS ticket for me.
> Both cases allow me to access a kerberized NFS share. But what happens when I use SSH pubkey auth (pubkey in IPA) to connect to the target host? Should I also get a TGT and NFS ticket to access a kerberized NFS share?
Hi,
no, pubkey authentication happens completely inside of sshd and no one else has access to anything involved and hence cannot act upon it.
HTH
bye, Sumit
> Cheers, Ronald
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hello list,
This is also something I looked at a while ago, and I effectively came to the same conclusion as Sumit, but with a bit more nuance. Note that I never quite managed to implement a fix, but I'll share my thoughts here anyway. SSH key authentication is done by sshd, and kerberos has no idea what an ssh key means. I thought of/found the following alternatives.

- If your home folder is on NFS, the home folder of the authenticating user is not available for authentication. This means the user's authorized_keys must live somewhere else, for example in freeipa.
- You can authenticate to kerberos using a certificate (see smartcard authentication), and it is possible to use the same certificate to authenticate to sshd, although that does require help from a freeipa wrapper (/usr/bin/sss_ssh_authorizedkeys). However, you need a modified version of ssh(d) (*not sure if it's only the sshd daemon or also the client) to be able to use the provided cert to get sshd to get you a kerberos ticket. This already exists, but I can't find it at the moment. Either way, sounds like a terrible idea to me.
- Have your ssh client authenticate to the kdc and get a ticket, and use that ticket to authenticate to sshd. This means that you have to expose your kdc to all your clients (i.e. the internet). Sounds like a terrible idea to me.
- Generate a kerberos service for sshd, and trust it for delegation (meaning, it's allowed to hand out tgts for other users, as I understand it), get a keytab, and then wrestle with PAM to generate tgts once sshd is happy with the provided ssh key. This sounds like a reasonable idea to me, but puts a lot of trust in sshd (even more than usual). Plus, you'd best make sure you never lose that keytab.
- Add pam_krb5 to the sshd authentication flow, so it asks for a password after ssh-key authentication to get a kerberos ticket. Probably safest, but breaks automatic authentication.

I hope this helps, and please let me know if you figure out something smarter ;)

Peter
"Kroon PC, Peter via FreeIPA-users" freeipa-users@lists.fedorahosted.org writes:
> I hope this helps, and please let me know if you figure out something smarter ;) Peter
I do call ssh with "-K", so it authenticates with Kerberos instead of password/ssh-keys:
-K Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.
That way I have a useful ticket at the server and can access e.g. NFS resources.
Jochen
On 14.02.25 18:42, Jochen Kellner via FreeIPA-users wrote:
> "Kroon PC, Peter via FreeIPA-users" freeipa-users@lists.fedorahosted.org writes:
> > I hope this helps, and please let me know if you figure out something smarter ;) Peter
> I do call ssh with "-K", so it authenticates with Kerberos instead of password/ssh-keys:
> -K Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.
As we do not have a ticket on the source server (no one has called kinit there) we cannot delegate one...
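The difference Sumit and Ronald describe (a pubkey-only login leaves no credential cache on the target host, while a delegated TGT from `ssh -K` does) can be checked by parsing `klist` output on that host. The following Python is an added example, not code from this thread or from FreeIPA; the realm EXAMPLE.TEST, the user, the NFS host and both klist transcripts are constructed.

```python
"""Check whether a login session holds the Kerberos credentials a krb5 NFS mount
needs: an unexpired TGT and, ideally, an nfs/<server> service ticket. Added example."""
import re
from datetime import datetime

# Constructed klist(1) output for a session that received a delegated TGT
# (the `ssh -K` case) and then touched a krb5 NFS mount on nfs01.
KLIST_WITH_TGT = """\
Ticket cache: KEYRING:persistent:1000:krb_ccache_abc123
Default principal: ronald@EXAMPLE.TEST

Valid starting       Expires              Service principal
02/13/2025 14:24:58  02/14/2025 14:24:55  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        renew until 02/20/2025 14:24:55
02/13/2025 14:25:10  02/14/2025 14:24:55  nfs/nfs01.example.test@EXAMPLE.TEST
"""

# What klist(1) reports after a pubkey-only login: sshd authenticated the
# user on its own, so nothing ever created a credential cache (constructed).
KLIST_NO_CACHE = "klist: Credentials cache keyring 'persistent:1000' not found\n"

FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")

def parse_tickets(klist_output):
    """Map service principal -> expiry for every ticket line; ignores headers,
    'renew until' lines and klist error messages."""
    tickets = {}
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = datetime.strptime(m.group(2), FMT)
    return tickets

def nfs_creds_status(klist_output, now, realm, nfs_host):
    """Classify a session as 'no-cache', 'tgt-expired', 'tgt-only' or 'ready'.
    `now` uses klist's own timestamp format."""
    current = datetime.strptime(now, FMT)
    tickets = parse_tickets(klist_output)
    tgt = tickets.get(f"krbtgt/{realm}@{realm}")
    if tgt is None:
        return "no-cache"
    if tgt <= current:
        return "tgt-expired"
    svc = tickets.get(f"nfs/{nfs_host}@{realm}")
    # A valid TGT alone is enough: rpc.gssd fetches nfs/<host> on first access.
    return "ready" if svc and svc > current else "tgt-only"
```

On a real host, feed it the output of `klist` as the logged-in user; "no-cache" after a key-based login is the expected result this thread is about.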
On 09.04.25 09:41, Ronald Wimmer via FreeIPA-users wrote:
> On 14.02.25 10:35, Kroon PC, Peter wrote:
> > - You can authenticate to kerberos using a certificate
> If this is true I could use pubkey auth for SSH and a user cert for Kerberos, right? This idea does not sound too bad...
So how to obtain a cert is here: https://www.freeipa.org/page/V4/User_Certificates#using-freeipa-dogtag-pki-t...
But how would I use such a cert for Kerberos auth?
Hi Ron,
On paper, and technically, I do think this would be the best solution. Like I wrote originally however, you need a modified ssh(d) to forward access to the certificate/smartcard to allow pkinit to get your kerberos ticket (as far as I understand it). See also this kerberos mail thread: https://comp.protocols.kerberos.narkive.com/tktb96dW/using-a-ssh-key-for-krb...
This also seems intelligent: https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-December/037433.ht...
I don't have time to go through the full thread right now, but it seems to hold important puzzle pieces.
As for using a certificate for kerberos auth, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/man..., and your further google term will be pkinit.
Peter
You got me digging into this again :) I found the alternative ssh implementation: pkixssh, https://gitlab.com/secsh/pkixssh. Not sure I'd be brave enough though.
Peter