This section is obsolete.
Configure SSH Client
Insert these lines in /etc/ssh/ssh_config so that outbound ssh connections will always try to use Kerberos if available:
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
Configure SSH Server
You will need to create a "host principal" for the new server; if you are setting up server.hcoop.net, then it must have the name
host/server.hcoop.net@HCOOP.NET
Add this principal to the KDC like this (execute these commands on the new server, as root, while holding admin tickets):
REALM=HCOOP.NET
ADMIN=myself_admin # your admin username
SERVER=server.hcoop.net
rm -f /etc/krb5.keytab # important -- if it already exists the new key will merely be appended
kadmin -p $ADMIN@$REALM -r $REALM -q "add_principal -randkey host/$SERVER@$REALM" # unless it already exists (reinstall of VM for example)
kadmin -p $ADMIN@$REALM -r $REALM -q "ktadd -k /etc/krb5.keytab host/$SERVER@$REALM"
chown root:root /etc/krb5.keytab
chmod go-rwx /etc/krb5.keytab
Then add these lines to the bottom of /etc/ssh/sshd_config:
GssapiKeyExchange yes
GssapiAuthentication yes
GSSAPICleanupCredentials yes
Finally, restart the ssh server:
/etc/init.d/ssh restart
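A check for the keytab step above, as an added example that is not part of the original page. It assumes MIT Kerberos `klist -k` output; the function names and sample listings are constructed for illustration. It flags a keytab holding more than one key version for the host principal (the appended-key case the rm -f comment warns about) and a keytab that group or other can access.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes MIT `klist -k` output;
# function names and sample listings are constructed for illustration.

# Reads `klist -k` output on stdin, classifies the keys held for principal $1:
#   missing = no key, ok = one KVNO (several enctypes may share it),
#   stale   = several KVNOs, i.e. ktadd appended to an old keytab.
keytab_principal_state() {
    awk -v want="$1" '
        BEGIN { n = 0 }
        $1 ~ /^[0-9]+$/ && $2 == want && !($1 in seen) { seen[$1] = 1; n++ }
        END { print (n == 0 ? "missing" : (n == 1 ? "ok" : "stale")) }'
}

# Succeeds only if the file exists and group/other have no permission bits
# (the state left by `chmod go-rwx`).
keytab_mode_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: keytab written once (two enctypes, one KVNO).
sample_clean() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.hcoop.net@HCOOP.NET
   2 host/server.hcoop.net@HCOOP.NET
EOF
}

# Constructed sample: ktadd run again without removing the old keytab first.
sample_appended() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.hcoop.net@HCOOP.NET
   2 host/server.hcoop.net@HCOOP.NET
   3 host/server.hcoop.net@HCOOP.NET
   3 host/server.hcoop.net@HCOOP.NET
EOF
}

P=host/server.hcoop.net@HCOOP.NET
echo "clean:    $(sample_clean | keytab_principal_state "$P")"
echo "appended: $(sample_appended | keytab_principal_state "$P")"
# On the server: klist -k /etc/krb5.keytab | keytab_principal_state "host/$SERVER@$REALM"
```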