1.2.7. Configuring Client SSH Access
You can configure the IPA client to accept incoming SSH requests and authenticate with the user's Kerberos credentials. After installing and configuring the IPA client, use the following procedure to configure the IPA client for SSH connections. Remember to replace the example host and domain names with your own host and domain name.
The Red Hat Enterprise IPA client installation process configures the NTP service by default, but you should ensure that time on the IPA client and server is synchronized. If it is not, run the following commands on the IPA client:
# service ntpd stop
# ntpdate -s -p 8 -u ipaserver.example.com
# service ntpd start
The ntpdate command does not work if ntpd is running.
Obtain a Kerberos ticket for the admin user.
# kinit admin
The ipa-admintools package is not available for Red Hat Enterprise Linux 4. Consequently, you need to perform the following commands on the IPA server.
Add a host service principal.
# ipa-addservice host/ipaclient.example.com
Retrieve the host keytab.
# ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com -k /tmp/krb5.keytab
Copy the keytab from the server to the client.
# scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab
On the IPA client, use the ktutil command to import the keytab.
# ktutil
ktutil: read_kt /tmp/krb5.keytab
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: q
The IPA client should now be fully configured to accept incoming SSH connections and authenticate with the user's Kerberos credentials. Use the following command on another machine to test the configuration. This should succeed without asking for a password.
# ssh admin@ipaclient.example.com
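
A post-setup check for the procedure above, as an added example that is not part of the original documentation: it verifies that the installed keytab is a root-owned regular file with mode 600 or 400, that it lists the host principal, and that the /tmp transfer copy has been deleted. The function names, the audit.sh file name and the --audit switch are assumptions made for this example; the paths and principal are the ones used on this page, and stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the keytab left behind by the procedure above.

# check_keytab FILE [UID]: succeed only if FILE is a regular file (not a
# symlink) owned by UID (default 0, root) with mode 600 or 400.
check_keytab() {
    kt=$1
    want_uid=${2:-0}
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$kt")
    uid=$(stat -c '%u' "$kt")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $kt has mode $mode, want 600 or 400"; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $kt is owned by uid $uid, want $want_uid"
        return 1
    fi
    echo "OK: $kt"
}

# stale_copies FILE...: report transfer copies that still exist; fail if any do.
stale_copies() {
    rc=0
    for f in "$@"; do
        if [ -e "$f" ]; then
            echo "STALE: $f should be deleted"
            rc=1
        fi
    done
    return $rc
}

# has_principal FILE PRINCIPAL: succeed if klist -k shows PRINCIPAL in FILE.
has_principal() {
    klist -k "$1" 2>/dev/null | grep -qF -- "$2@"
}

# Run on the IPA client as root (audit.sh is a hypothetical name): sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    check_keytab /etc/krb5/krb5.keytab
    has_principal /etc/krb5/krb5.keytab host/ipaclient.example.com ||
        echo "FAIL: host principal not found in keytab"
    stale_copies /tmp/krb5.keytab
fi
```

The same stale_copies check applies on the IPA server, where ipa-getkeytab wrote its own /tmp/krb5.keytab.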