Date: Mon, 12 May 2003
From: Matt Crawford
Subject: Kerberos remote login to & from a Mac

How to get a Kerberized ssh client & server on OS X ...

I did all of the following on a powerbook running 10.2.6. You the reader may have already done some parts of it.

Download and install "MacOS X 10.2 Kerberos Extras" using the link on
http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/osx-kerberos-extras.html

Edit the new file /Library/Preferences/edu.mit.Kerberos as plain text to add the Fermilab information. I left most of the rest of the information intact and my resulting file is at
http://home.fnal.gov/~crawdad/macstuff/edu.mit.Kerberos

Download openssh-3.6.1p2.tar.gz from any one of dozens of mirror sites -- the nearest is
ftp://ftp.src.uchicago.edu/pub/OpenBSD/OpenSSH/portable/openssh-3.6.1p2.tar.gz
Save it in a suitable working directory.

In the same directory, download "the Wilkinson patch"
http://www.sxw.org.uk/computing/patches/openssh-3.6.1p2-gssapi-20030430.diff
and "the Michaud patch" which I have saved in
http://home.fnal.gov/~crawdad/macstuff/michaud-patch

You may want to read the short page describing the addition of Kerberos support to OpenSSH at http://www.sxw.org.uk/computing/patches/openssh.html.

There are three system include files you have to fiddle with -- one needs a small change to make MACOS *not* be a special case, one needs an error fixed, and the last needs to be linked to from another location under another name.

Edit /usr/include/zconf.h, lines 213-215, to change

    #if !defined(MACOS) && !defined(TARGET_OS_MAC)
    typedef unsigned char Byte;  /* 8 bits */
    #endif

to

    //#if !defined(MACOS) && !defined(TARGET_OS_MAC)
    typedef unsigned char Byte;  /* 8 bits */
    //#endif

Edit /usr/include/openssl/opensslv.h. First, in a Terminal, run "openssl version". Mine prints

    OpenSSL 0.9.6i Feb 19 2003

Now look at the explanatory comments at the top of opensslv.h and see what hexadecimal value of OPENSSL_VERSION_NUMBER would match this output.
In my case it would be 0x0090609fL which has, between the "0x" prefix and the "L" suffix, the parts

    0    (major version)
    09   (minor version)
    06   (fix)
    09   (patch - 'i' is the 9th letter)
    f    (f for released code. 0=development and 1 through e are betas)

Edit the constant on line 28. Mine became:

    #define OPENSSL_VERSION_NUMBER 0x0090609fL

You may as well fix the text string on the next line to match, although it does no harm either way. Just copy the output from "openssl version" verbatim:

    #define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6i Feb 19 2003"

Now the last file. Make a new directory /usr/include/security and in it make a symlink to /usr/include/pam/pam_appl.h. In a Terminal window, like this:

    sudo -s
    cd /usr/include
    mkdir security
    cd security
    ln -s ../pam/pam_appl.h .
    exit

OK, the preliminaries are done. Time to make the software. Unpack the source code and apply the patches as follows (in a Terminal window in the directory where you saved the above three files):

    tar zxf openssh-3.6.1p2.tar.gz
    patch -p0 < openssh-3.6.1p2-gssapi-20030430.diff
    cd openssh-3.6.1p2
    patch -p1 < ../michaud-patch

Still in the openssh-3.6.1p2 directory, now configure and build. I didn't save my configure command arguments, but I think they were as shown below:

    autoreconf
    ./configure --prefix=/usr --with-kerberos5=/usr --with-privsep-user=nobody
    make
    sudo make install

The ssh client is ready for use at this point. If you want to use the server, there are two more steps ... But before you start the server, you've got to configure it to comply with the Kerberos-only policy! Three changes to /private/etc/sshd_config should be sufficient. The old configuration is marked "<" and the new, ">":

    14c14
    < #Protocol 2,1
    ---
    > Protocol 2
    56c56
    < #PasswordAuthentication yes
    ---
    > PasswordAuthentication no
    63c63
    < #KerberosAuthentication no
    ---
    > KerberosAuthentication yes

Now you need a "keytab file".
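As an added example (mine, not from the post), the OPENSSL_VERSION_NUMBER derivation for opensslv.h worked as a small Python function: it turns the first line of "openssl version" output into the two #define lines. It assumes a released build (status nibble always f) and handles any 0.9.x-style letter suffix, not only 0.9.6i.

```python
import re

# Layout the post reads off the comments in opensslv.h, between "0x" and "L":
#   major (1 hex digit), minor (2), fix (2), patch (2), status (1)
RELEASED = 0xF  # status nibble: 0 = development, 1..e = betas, f = released


def parse_openssl_version(version_output):
    """Parse 'OpenSSL 0.9.6i Feb 19 2003' into (major, minor, fix, patch).
    The patch letter is counted from 'a' = 1, so 'i' -> 9 and no letter -> 0.
    Assumption (mine): only released builds, so the status is always f."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b", version_output.strip())
    if not m:
        raise ValueError("unrecognised openssl version output: %r" % version_output)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return int(major), int(minor), int(fix), patch


def openssl_version_number(version_output):
    """Return the OPENSSL_VERSION_NUMBER literal, e.g. '0x0090609fL'."""
    major, minor, fix, patch = parse_openssl_version(version_output)
    value = (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | RELEASED
    return "0x%08xL" % value


def opensslv_defines(version_output):
    """Return the two #define lines for lines 28 and 29 of opensslv.h.
    The TEXT line is the version output copied verbatim, as the post says."""
    text = version_output.strip().splitlines()[0]
    return (
        "#define OPENSSL_VERSION_NUMBER %s" % openssl_version_number(text),
        '#define OPENSSL_VERSION_TEXT "%s"' % text,
    )


if __name__ == "__main__":
    for line in opensslv_defines("OpenSSL 0.9.6i Feb 19 2003"):
        print(line)
```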
Normally you apply to compdiv for a "host principal" through the form at http://computing.fnal.gov/forms/strongauth.html and you get back a one-time password which you supply to a ups or rpm script, or to the Kerberos kadmin command, to create /etc/krb5.keytab. But the MacOS Kerberos does not include a kadmin command, which is needed by all three of these methods, so you have to *create the file on another computer and copy it over to your Mac*. This is not something to be done carelessly! And it's easy to make a mistake which would require you to ask the helpdesk to reset the password.

Make sure you are registered as the sysadmin of your Mac (http://miscomp.fnal.gov/sysadmindb/).

Use the form mentioned above and supply the hostname of your Mac to request "Host and FTP principals." (Actually, you have no use for an FTP principal, but there's nowhere on the form to ask for just the Host principal.) The hostname is the one you specified as the "Computer Name" on the Sharing panel, plus the domain ".fnal.gov" or ".dhcp.fnal.gov".

When you get back the one-time password, get onto a Unix (or Linux) system (let's call it unixhost) and go to a directory which is *not shared over the network*. /tmp is fine. Supposing that your hostname is my-mac.dhcp.fnal.gov, do this:

    cd /tmp
    /usr/krb5/sbin/kadmin -p host/my-mac.dhcp.fnal.gov \
        -q "ktadd -k my-mac.keytab host/my-mac.dhcp.fnal.gov"
    /usr/krb5/sbin/kadmin -p ftp/my-mac.dhcp.fnal.gov \
        -q "ktadd -k my-mac.keytab ftp/my-mac.dhcp.fnal.gov"

The second command is the same as the first, with two instances of "host" changed to "ftp".

Now, on your Mac, use your newly-installed Kerberized ssh ...

    kinit yourname        (yourname = your Kerberos principal)
    sudo -s
    cd /private/etc
    scp yourname@unixhost:/tmp/my-mac.keytab krb5.keytab
    ls -l krb5.keytab

Make sure the permissions are -rw-------, owner root.

Now back on the unixhost, *erase*, then *delete* the keytab file:

    ls -l / > my-mac.keytab
    rm my-mac.keytab

All set!
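As an added example, not part of the post: a Python check of the two things the server setup above depends on before Remote Login is switched on, namely the three sshd_config directives from the diff and the owner and mode of krb5.keytab. The sample config text is constructed; the required values are the ones the post gives.

```python
import stat

# The three directives the post changes in /private/etc/sshd_config, with the
# values it requires for Kerberos-only logins.
REQUIRED = {
    "Protocol": "2",
    "PasswordAuthentication": "no",
    "KerberosAuthentication": "yes",
}


def effective_settings(config_text):
    """Map keyword -> value for the uncommented directives in sshd_config text.
    A commented default like '#PasswordAuthentication yes' is not a setting, which
    is why the post un-comments and changes the lines. sshd uses the first occurrence."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings


def sshd_config_problems(config_text):
    """Return one message per required directive that is absent or wrong."""
    have = effective_settings(config_text)
    problems = []
    for key, want in REQUIRED.items():
        got = have.get(key)
        if got is None:
            problems.append("%s not set, sshd default applies" % key)
        elif got.lower() != want:
            problems.append("%s is %s, want %s" % (key, got, want))
    return problems


def keytab_problems(uid, mode):
    """Check the owner and bits the post asks for on krb5.keytab: root, -rw------- (0600).
    Feed it os.stat(path).st_uid and .st_mode of the installed file."""
    problems = []
    if uid != 0:
        problems.append("owner uid %d, want 0 (root)" % uid)
    if stat.S_IMODE(mode) != 0o600:
        problems.append("mode %04o, want 0600" % stat.S_IMODE(mode))
    return problems


# Constructed sample: the stock file still has all three defaults commented out.
STOCK_SSHD_CONFIG = "#Protocol 2,1\n#PasswordAuthentication yes\n#KerberosAuthentication no\n"
```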
You start and stop the ssh server through the "Remote Login" item of the Sharing System Preferences panel.

Thanks to Tom Jordan for a few tips I needed.

Matt Crawford