Kerberos Integration

Providing Single Sign On

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later


    1. Introduction
    2. Creating the krb5.keytab
    3. OpenSSH


Before we can start using Single Sign On (SSO), we need to make sure that our kerberos enabled servers have machine accounts in the Kerberos database. If you added your hosts as described in Adding Principals, your are ready. If you did not now is the time to do so.

After you issued the cpw command every host you added should have the krbPrincipalAux and krbTicketPolicyAux objectclasses and at least have the krbPrincipalName and krbPrincipalKey values set. If that is in place you can export the krbPrincipalKey to the host so that it is able to authenticate itself to the KDC.

Creating the krb5.keytab

A keytab file is a file that holds principals and encrypted keys. This is used to logon to a KDC without being prompted for a password. As such the keytab file should be protected, and should normally only be readable by root. Anyone with read permission on a keytab can use all of the keys it contains. Be warned!

For single sign on to work process need to be able to access the KDC without a person entering a password. This means that the process needs a keytab file with its own key, its host key. Using kadmin this key can be exported from the Kerberos database to the host that needs the information.


GSSAPIAuthentication yes
GSSAPICleanupCredentials yes