HP-UX Secure Shell Getting Started Guide HP-UX 11i v1, HP–UX 11i v2, and HP-UX 11i v3 HP Part Number: 5900-3142 Published: June 2013 Edition: 1
© Copyright 2008, 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
About This Document
This document describes the HP-UX Secure Shell software. It includes information about installing, verifying, configuring, and troubleshooting HP-UX Secure Shell on HP-UX platforms. The latest version of this document is available at:
http://www.hp.com/go/hpux-security-docs
The document printing date and part number indicate the document's current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date.
Table 1 Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported                 Publication Date
5900-3142                            HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3    June 2013
5900-2248                            HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3    March 2012
5900-1228                            HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3    September 2010
5992-4213                            HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3    May 2008
T1471-90028                          HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3    September 2006
T1471-90024                          HP-UX 11.
Chapter 2: Installing HP-UX Secure Shell
Describes how to install HP-UX Secure Shell and the required patches. It also lists the hardware and software requirements for installing HP-UX Secure Shell.
Chapter 3: HP-UX Secure Shell Authentication Methods
Describes the different authentication methods used by HP-UX Secure Shell.
Chapter 4: Configuring HP-UX Secure Shell Authentication Methods
Describes how to configure HP-UX Secure Shell to use different authentication methods, and to optimize performance.
Related Documents
The following additional documentation is available for HP-UX Secure Shell:
• HP-UX Secure Shell Release Notes on the Internet and Security Solutions page at: http://www.hp.com/go/hpux-security-docs
• The README file at /opt/ssh/README.hp. You must install HP-UX Secure Shell to access this file.
• HP-UX Secure Shell Manpages
• For more information on cryptography, see: http://www.ssh.
1 Introduction This chapter provides an overview of HP-UX Secure Shell. HP-UX Secure Shell is a program that enables users to securely access various network services.
Strong Encryption All communication between the client and the server is encrypted using patent-free encryption algorithms such as Blowfish, Data Encryption Standard (DES), 3DES, Advanced Encryption Standard (AES), and arcfour. Authentication information (for example, passwords) is never sent in clear text over the network. Encryption in conjunction with strong public-key cryptography also provides protection against a number of potential security attacks.
Key: A relatively small amount of data used as a parameter for cryptographic algorithms, such as encryption or message authentication.
User Key: An asymmetric key used by the client to provide a user identity.
Host Key: An asymmetric key used by the server to provide a server identity.
Session Key: A symmetric key that encrypts the communication between the client and server.
Key Generator: A program that creates persistent keys, such as user keys and host keys.
3. The child sshd process inherits the connection socket and authenticates the client application based on the selected authentication method. A successful secure client session is established only upon successful authentication.
4. When a session is created, all subsequent communication occurs directly between the client application and the child sshd process. The client application can now execute remote commands on the server.
Table 4 HP-UX Secure Shell Commands (continued)

Command      Description                                                            Runs On            Equivalent Non-Secure Components
sshd         Secure Shell daemon                                                    Server             remshd, telnetd
scp          Secure file copy for client and server                                 Client and Server  rcp
sftp         Secure FTP program                                                     Client             ftp
sftp-server  The sftp server subsystem automatically initiated by the sshd daemon.
Table 5 Client Keys and Configuration Files

Name         Description                                                                      Location
ssh_config   Specifies the client configuration file. The client uses this file to            /opt/ssh/etc/ssh_config
             determine the required run-time parameters. For more information on the
             configuration directives in the ssh_config file, see Appendix A (page 63).
known_hosts  Lists public keys for all sshd daemons on the client subnet.                    $HOME/.ssh/known_hosts
Table 5 Client Keys and Configuration Files (continued)

Name: Client user key files
Description: The public and private keys for client users. The client uses these keys for public-key authentication only. You can generate a key pair with RSA-1, RSA, DSA, and ECDSA algorithms. The client user can choose the key type.
Location:
• RSA-1 keys:
  ◦ $HOME/.ssh/identity
  ◦ $HOME/.ssh/identity.pub
• RSA keys:
  ◦ $HOME/.ssh/id_rsa
  ◦ $HOME/.ssh/id_rsa.pub
• DSA keys:
  ◦ $HOME/.ssh/id_dsa
  ◦ $HOME/.ssh/id_dsa.
Table 6 Server Keys and Configuration Files

Name: sshd_config
Description: Configuration file for the sshd daemon. The sshd daemon uses this file to determine the required run-time parameters. For more information on the sshd_config file directives, see Appendix A (page 63).
Location: /opt/ssh/etc/sshd_config

Name: known_hosts and related files
Description: List of public keys for all ssh client hosts that connect to the sshd daemon using host-based authentication.
Location:
• /opt/ssh/etc/ssh_known_hosts
• /etc/rhosts.equiv
2 Installing HP-UX Secure Shell
This chapter describes how to install HP-UX Secure Shell. This chapter also lists the prerequisites for installing HP-UX Secure Shell. The chapter addresses the following topics:
• “Prerequisites” (page 20)
• “Installation and Verification” (page 21)
Prerequisites
This section lists the prerequisites for installing HP-UX Secure Shell.
System Requirements
Table 8 lists the minimum system requirements for installing HP-UX Secure Shell.
1. Go to the HPSC website at: http://www.hp.com/go/hpsc
2. Select the appropriate site, for example, Americas/Asia-Pacific or European.
3. Select maintenance and support for hp products in the left navigation bar. The maintenance and support for hp products page is displayed.
4. Select standard patch bundles - find patch bundles in the patching section. The find bundles page is displayed.
5. Select HP-UX patch bundles in the Bundles for HP-UX section.
2. Use the Search button to browse for the product number T1471AA. The product catalog page is displayed.
3. Select HP-UX Secure Shell in the product catalog. The HP-UX Secure Shell page is displayed.
4. Select the Receive for Free>> option at the bottom right of the page.
5. Select the appropriate release of HP-UX operating system.
6. Enter the registration information. Read and accept the terms and conditions statements.
7. Click Next>>. The Electronic Delivery Receipt page is displayed.
8.
Verifying HP-UX Secure Shell Installation
To verify that the installation was successful, take the following actions:
• To verify whether the HP-UX Secure Shell software is successfully installed on your system, run the following command at the HP-UX prompt:
  # swlist | grep T1471AA        (HP-UX 11i v1 and HP-UX 11i v2)
  # swlist | grep SecureShell    (HP-UX 11i v3)
  The following output is displayed if the HP-UX Secure Shell software is installed successfully on your system:
  T1471AA A.06.20.001 SecureShell A.06.20.
3 HP-UX Secure Shell Authentication Methods This chapter describes the authentication methods supported by HP-UX Secure Shell.
Table 9 Advantages and Disadvantages of HP-UX Secure Shell Authentication Methods (continued)

Authentication Method   Advantages                                                  Disadvantages
(continued from previous page)                                                      ... becomes vulnerable if server security is compromised.
Public-key              Secure authentication method that does not require a        Large management overhead, such as creating key pairs and
                        password for authentication.                                sharing public-key information with clients.
• Numerical group ID
• Reserved gecos ID
• Initial working directory
• Program to use as shell
Following is a sample entry in the /etc/passwd file:
user1:3Km/o4Cyq84Xc:10:15:System Administrator:/home/user1:/sbin/sh
HP-UX Secure Shell verifies the password that you enter against the password in the /etc/passwd file and allows access only if the passwords match.
Instead, the server directly reads the user ID and password from the /etc/passwd file. For more information on the UsePAM directive, see Appendix A (page 63). Public-Key Authentication HP-UX Secure Shell uses public-key authentication for strong and secure authentication. Public-key authentication enables users to connect to a remote server without sending their password over the network.
key pair and store all the key pairs in the $HOME/.ssh directory. If you have DSA, ECDSA, and RSA keys, you can use the HostKeyAlgorithms client configuration directive to set an order of preference. The HP-UX Secure Shell client selects the keys in the order you set for public-key authentication. NOTE: The client cannot pick the correct key pair if there are multiple key pairs of the same type in the $HOME/.ssh directory, for instance, three RSA key pairs.
Figure 2 Using Kerberos with HP-UX Secure Shell
[Diagram: the Secure Shell client and Secure Shell server establish a secure tunnel and the client authenticates the server; the Kerberos client requests a TGT from the KDC (domain controller), receives the TGT, requests an ST using the TGT, and receives the ST; the client presents the ST to the server for mutual authentication, after which the encrypted session proceeds.]
The following events occur when HP-UX Secure Shell uses Kerberos for authentication:
1. A secure tunnel is established between the HP-UX Secure Shell client and HP-UX Secure Shell server.
2.
its credentials. The HP-UX Secure Shell server matches these credentials against its copy of credentials for a specific user. The user is also identified with a password. The server can also optionally establish the legitimacy of the client host environment. Keyboard-Interactive Authentication Keyboard-Interactive Authentication, also known as challenge-response authentication, is a generic authentication method that can be used to implement authentication methods.
When an HP-UX Secure Shell user attempts host-based authentication with an HP-UX Secure Shell server, the following events occur:
1. The server checks whether the user and host combination is allowed for host-based authentication in the /etc/shosts.equiv or $HOME/.shosts file.
2. If the user and host combination is allowed, the HP-UX Secure Shell server creates a challenge string, encrypts it with the public key of the client, and sends it to the client.
4 Configuring HP-UX Secure Shell Authentication Methods This chapter describes how to configure HP-UX Secure Shell authentication methods.
1. To ensure that HP-UX Secure Shell is installed on the server and client, run the following command on the server and client:
   $ swlist | grep T1471AA        (HP-UX 11i v1 and HP-UX 11i v2)
   $ swlist | grep SecureShell    (HP-UX 11i v3)
   The following output is displayed if HP-UX Secure Shell is installed:
   T1471AA A.06.20.001 SecureShell A.06.20.
NOTE: The PAM library for the PA-RISC architecture has a suffix of .1. For the Itanium architecture, the PAM library has a suffix of .so.1. For example, the PAM_NTLM library for PA-RISC is libpam_ntlm.1 and for Itanium is libpam_ntlm.so.1.
3. In the /opt/ssh/etc/sshd_config file on the server and the client, set the following directive:
   PasswordAuthentication yes
4. Run the following command on the client system:
   $ ssh Clay
   Depending on the authentication method that you configure in the /etc/pam.
Table 12 Permissions for the Client Files and Directories (continued)

File/Directory                          Permissions
$HOME/.ssh/id_rsa.pub and id_dsa.pub    -rw-r--r-- or -rw-------
$HOME/.ssh/config                       -rwx------

4. Copy the public key in the client system to the home directory of the server using the following command:
   # cat $HOME/.ssh/id_dsa.pub | ssh remoteuser@remotehost 'cat - >> $HOME/.ssh/authorized_keys'
   The following output is displayed:
   The authenticity of host 'remoteuser.remotehost (15.70.189.
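As an added example (not from the HP guide), the following Python script checks the files in a client's $HOME/.ssh against the modes in Table 12 and also flags any group- or world-writable entry, the condition that makes sshd refuse a login when StrictModes is set; it runs against a constructed temporary directory, and the file names other than the two Table 12 rows shown on this page are assumed.

```python
# Added example: audit a client's .ssh directory against Table 12 and
# StrictModes-style "not writable by group or others" expectations.
# Constructed input: a temporary directory populated with placeholder files.
import os
import stat
import tempfile

# Allowed modes for the Table 12 rows visible on this page.
ALLOWED_MODES = {
    "id_rsa.pub": {0o644, 0o600},   # -rw-r--r-- or -rw-------
    "id_dsa.pub": {0o644, 0o600},
    "config": {0o700},              # -rwx------
}


def check_ssh_dir(ssh_dir):
    """Return a sorted list of (name, mode) for entries that either violate
    the Table 12 mode for that file or are writable by group or others."""
    problems = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        allowed = ALLOWED_MODES.get(name)
        if allowed is not None and mode not in allowed:
            problems.append((name, oct(mode)))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            # not in Table 12 on this page, but StrictModes rejects it anyway
            problems.append((name, oct(mode)))
    return problems


def build_and_check():
    """Create a constructed .ssh directory with two bad entries and audit it."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        files = {
            "id_rsa.pub": 0o644,        # allowed by Table 12
            "id_dsa.pub": 0o666,        # world-writable: violates Table 12
            "config": 0o700,            # allowed by Table 12
            "authorized_keys": 0o664,   # group-writable: StrictModes would refuse
        }
        for name, mode in files.items():
            path = os.path.join(ssh_dir, name)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder\n")
            os.chmod(path, mode)        # chmod is not subject to umask
        return check_ssh_dir(ssh_dir)


if __name__ == "__main__":
    for name, mode in build_and_check():
        print(f"{name}: mode {mode} is not acceptable")
```

Point check_ssh_dir at a real ~/.ssh to audit a live account.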
1. Ensure that the Kerberos server is installed and configured correctly. For more information about installing and configuring the Kerberos server, see the Kerberos Server Version 3.1 Administrator's Guide available at: http://www.hp.com/go/hpux-security-docs
2. Ensure that your name can be authenticated by the Kerberos server.
3. Ensure that the Kerberos client is installed and configured on the HP-UX Secure Shell client system.
4. Identify a system where you must install the Kerberos server, and install the Kerberos server software in that system. If you are installing the Kerberos server on an HP-UX system, the latest version of the Kerberos server software is available at: http://www.software.hp.com
   Follow these steps to configure the Kerberos server:
   a. Configure the Kerberos server. You can configure the Kerberos server either manually or by using the /opt/krb5/sbin/krbsetup tool.
1. On the Kerberos server, ensure that the following Kerberos daemons are running:
   • /opt/krb5/sbin/kadmind
   • /opt/krb5/sbin/kdcd
2. The Kerberos administrator must create user (client) information (user ID and key) for users using the Kerberos service. The user information is stored on the KDC server and the Kerberos administrator must communicate the user information to individual users. Users must know their user ID and password.
---------------------------------------------------------
1 host/pluto.mydomain.com@MYDOMAIN.COM
7. The HP-UX Secure Shell client and server must contain the Kerberos configuration file (/etc/krb5.conf) that points to the KDC service. The /etc/krb5.conf file is a network configuration file and does not contain any security-specific information. For a sample /etc/krb5.conf configuration file, see Appendix B (page 100).
11. To verify the connection, run the following /usr/bin/klist command in the HP-UX Secure Shell client system:
    # klist
    The following output is displayed:
    Ticket cache: /tmp/krb5cc_01
    Default principal: root@KRB_MC.REALM
    Valid starting     Expires            Service principal
    01/31/06 17:54:40  02/01/06 03:54:40  krbtgt/KRB_MC.REALM
    1/31/06 18:20:40   02/01/06 03:54:40  host/sshd_mc.appserverdomain.com@KRB_MC.REALM
    This output is different from the previous /usr/bin/klist output.
NOTE: HP-UX Secure Shell uses the /etc/hosts.equiv file if the directives RhostsRSAAuthentication and HostbasedAuthentication are configured in the HP-UX Secure Shell configuration files. This file is used for host-based authentication with remotely executed commands (r-commands). The /opt/ssh/etc/shosts.equiv file is preferred over the /etc/hosts.equiv file, because the /opt/ssh/etc/shosts.equiv file is used by HP-UX Secure Shell only.
Table 14 Host Configuration Files

User-Specific Files      Systemwide Files
$HOME/.shosts            /opt/ssh/etc/shosts.equiv
$HOME/.rhosts            /etc/hosts.equiv
$HOME/.ssh/knownhosts    /opt/ssh/etc/ssh_known_hosts

Configuring Host-Based Authentication for Superusers
To configure host-based authentication for superusers, follow the steps described in “Using Systemwide Configuration” (page 40). For the superuser, HP-UX Secure Shell uses the information specified in the $HOME/.shosts and $HOME/.rhosts files.
Example 1 To Enable All Users to Authenticate Using Public-key Authentication
Add the following line in the sshd_config file:
PubkeyAuthAllowUsers *
Example 2 To Enable User U1 to Authenticate Using Kerberos Authentication
Add the following line in the sshd_config file:
KerberosAuthAllowUsers U1
You need not set the KerberosAuthDenyUsers configuration directive. Use the configuration directive that has fewer members.
Figure 4 Flowchart Depicting the Usage of the Allow and Deny Configuration Directives
[Flowchart: the steps by which the sshd daemon uses the configuration directives in the Auth Selection patch.]
Following is the sample process outlined in Figure 4 (page 44):
1. The sshd daemon checks if the PasswordAuthDenyUsers configuration directive is specified in the sshd_config file.
2. If the PasswordAuthDenyUsers configuration directive is specified, then the sshd daemon checks to see if user U1 is specified in the list.
5. If the PasswordAuthAllowUsers configuration directive is not specified, user U1 can authenticate using password authentication.
6. If the PasswordAuthAllowUsers configuration directive is specified, the sshd daemon checks if user U1 is specified in the list.
7. If user U1 is specified in the list, the user can authenticate using password authentication. If user U1 is not specified in the list, then user U1 cannot authenticate using password authentication.
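Added example, not code from the HP guide or from the Auth Selection patch itself: a Python model of the order in which sshd consults the deny and allow lists described above (deny list first, then allow list; an absent allow list permits everyone), run over a constructed sshd_config fragment. It generalizes the PasswordAuth steps to any method prefix such as PubkeyAuth or KerberosAuth, and treats * and ? as wildcards as in Example 1.

```python
# Added example: model of sshd's <Method>AuthDenyUsers / <Method>AuthAllowUsers
# evaluation order from Figure 4. The config text below is constructed.
import fnmatch

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment (Auth Selection directives only)
PasswordAuthDenyUsers guest
PasswordAuthAllowUsers U1 ops*
PubkeyAuthAllowUsers *
KerberosAuthAllowUsers U1
"""


def parse_directives(config_text):
    """Map each directive name to its list of values; comments and blanks skipped."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *values = line.split()
        directives[name] = values
    return directives


def _listed(user, patterns):
    # '*' and '?' wildcards, as in the page's "PubkeyAuthAllowUsers *" example
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)


def may_authenticate(directives, method, user):
    """Apply the Figure 4 steps for one method prefix, e.g. "PasswordAuth"."""
    deny = directives.get(method + "DenyUsers")
    if deny is not None and _listed(user, deny):
        return False                      # steps 1-2: on the deny list, refused
    allow = directives.get(method + "AllowUsers")
    if allow is None:
        return True                       # step 5: no allow list, method open to all
    return _listed(user, allow)           # steps 6-7: must be on the allow list


if __name__ == "__main__":
    cfg = parse_directives(SAMPLE_SSHD_CONFIG)
    for method, user in [("PasswordAuth", "U1"), ("PasswordAuth", "guest"),
                         ("PasswordAuth", "ops7"), ("KerberosAuth", "U2")]:
        print(method, user, may_authenticate(cfg, method, user))
```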
Table 16 Behavior of the ssh, scp, and sftp commands with Different Combinations of EnforceSecureTTY and PermitRootLogin (continued)

EnforceSecureTTY   PermitRootLogin    Behavior of the scp and sftp Commands   Behavior of the ssh Command
(continued from previous page) ... no-pty option. This option is specified in the authorized_keys file, located in the home directory of the superuser on the server. The default option is pty.
IMPORTANT: The scp and sftp commands, and forced-commands are mutually exclusive. If forced-command execution is set, only forced-command is executed and no file transfers are allowed.
NO                 Without Password   Host login is allowed for all superusers.
Table 17 Difference in Behavior Between telnet and ssh Logins

A telnet Login                                                              An ssh Login
When a superuser tries to log in using telnet with a tty that is not
listed in the /etc/securetty file, telnet continues to prompt the user
for a password regardless of whether the user types a valid or invalid
password.
5 Configuring HP-UX Secure Shell as a SOCKS Proxy
This chapter describes how to configure HP-UX Secure Shell as a SOCKS proxy. This chapter addresses the following topics:
• “SOCKS Overview”
• “Implementations of SOCKS”
• “DanteSOCKS”
• “Dynamic Port Forwarding” (page 50)
SOCKS Overview
SOCKS is an Internet protocol that enables client-server applications to transparently use the services of a network firewall.
Example 4 Connecting to an External Server Using a DanteSOCKS Proxy
Enter the following command to connect to an external server using a DanteSOCKS proxy:
# ssh -o "ProxyCommand connect -S proxy-server %h %p" external-server
The system is connected to external-server through proxy-server.
Figure 5 Dynamic Port Forwarding Process
To establish a connection, an application client calls the SOCKS client, which then makes a connection to the SOCKS server with the following command:
# ssh -o "ProxyCommand=/usr/bin/connect -S proxy-server %h %p" external-server
Prerequisites
The SOCKS Client product (connect.c). It is available for download at: http://www.taiyo.co.jp/~gotoh/ssh/connect.
Example 6 Connecting to an External Server Using Dynamic Port Forwarding
Enter the following command to connect to an external server using dynamic port forwarding:
# ssh -o "ProxyCommand connect -S proxy-server %h %p" external-server
This establishes a connection to external-server using proxy-server.
6 Enabling HP-UX Secure Shell to Take Advantage of High Speed Networks
HP-UX Secure Shell includes a High Performance Enabled SSH/SCP (HPN) patch, which enables HP-UX Secure Shell to take advantage of the large TCP send and receive buffers that are available in high bandwidth networks. In some situations (such as transfers on LANs), the HPN patch can degrade HP-UX Secure Shell performance. In such cases, you can disable the HPN patch by setting HPNDisabled=no in the sshd_config and ssh_config files.
Table 18 Configuration Directives to Configure the HPN Patch (continued)

Configuration Directive    Location                       Functionality
(continued from previous page)                            ... a local area network. By default HPNDisabled is set to yes.
HPNBufferSize=[int] KB     Present on client and server   Use this configuration directive to set the buffer size when interacting with Secure Shell installations that do not have the HPN patch. The value of this directive ranges from 1 KB to 14 MB. The default value of this directive is 2 MB.
7 Troubleshooting HP-UX Secure Shell This chapter discusses methods to troubleshoot problems with HP-UX Secure Shell connections.
NOTE: If you run sshd in debug mode, sshd allows only one client connection at a time. Additional clients cannot connect to the HP-UX Secure Shell server until the connected client logs out.
-e       Directs sshd to send the output to the standard console instead of the system log.
-p port  Specifies the port on which the server listens for connections. The default port is 22. HP-UX Secure Shell allows multiple port options.
debug1: sshd version OpenSSH_4.4p1-hpn [ HP-UX Secure Shell-A.04.40.005 ]
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 1111 on 0.0.0.0.
Server listening on 0.0.0.0 port 1111.
This level of debug output includes the debug1 and debug2 level messages.
Table 20 lists the information that is displayed for the -v, -vv, and -vvv debug options.
OpenSSH_4.4, OpenSSL 0.9.7l 25 Oct 2006 HP-UX Secure Shell-A.04.40.005
    >>>> HP-UX Secure Shell version.
debug1: Reading configuration data /opt/ssh/etc/ssh_config
    >>>> Specifies the location of the client configuration file.
debug1: Connecting to ssh1100 [172.16.1.163] port 22.
    >>>> Specifies the remote machine and port to which the client is trying to connect.
debug1: Connection established.
    >>>> Indicates that a TCP connection is established between the client and server.
debug1: channel 0: new [client-session]
    >>>> Indicates that a new client session is open.
debug1: Entering interactive session.
    >>>> Indicates that the client has entered into an interactive session.
the /var/adm/syslog/syslog.log file. HP-UX Secure Shell error messages are prefixed with sshd in the /var/adm/syslog/syslog.log file. Following is a sample error message in the /var/adm/syslog/syslog.log file:
May 12 16:47:39 system_name sshd[2618]: error: PAM: Authentication failed
Where:
PAM: Authentication failed is the error message.
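Added example (not part of the original guide): Python that parses sshd entries in the syslog.log format shown above and counts error messages per sshd process, which is the first step in spotting repeated authentication failures. The log lines are constructed; the "Accepted publickey" line is a standard OpenSSH message included only to show a non-error entry being skipped.

```python
# Added example: parse HP-UX syslog.log lines written by sshd and tally errors.
# SAMPLE_SYSLOG is constructed for this example; the host name and pid follow
# the page's sample message.
import re
from collections import Counter

SSHD_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

SAMPLE_SYSLOG = """\
May 12 16:47:39 system_name sshd[2618]: error: PAM: Authentication failed
May 12 16:47:41 system_name sshd[2618]: error: PAM: Authentication failed
May 12 16:47:52 system_name syslogd: restart
May 12 16:48:03 system_name sshd[2630]: Accepted publickey for user1 from 192.0.2.10 port 51234 ssh2
May 12 16:48:10 system_name sshd[2642]: error: PAM: Authentication failed
"""


def parse_sshd_line(line):
    """Return the fields of one sshd syslog line as a dict, or None for other lines."""
    m = SSHD_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def sshd_errors(log_text):
    """All sshd records whose message is an error, with the 'error: ' prefix stripped."""
    errors = []
    for line in log_text.splitlines():
        rec = parse_sshd_line(line)
        if rec and rec["msg"].startswith("error: "):
            rec["msg"] = rec["msg"][len("error: "):]   # leaves e.g. "PAM: Authentication failed"
            errors.append(rec)
    return errors


def errors_per_process(log_text):
    """Count error messages by sshd pid, so a process with repeated failures stands out."""
    return Counter(rec["pid"] for rec in sshd_errors(log_text))


if __name__ == "__main__":
    for pid, count in errors_per_process(SAMPLE_SYSLOG).items():
        print(f"sshd[{pid}]: {count} error message(s)")
```

To run it on a live system, read /var/adm/syslog/syslog.log and pass its contents to errors_per_process.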
a. Navigate to the ITRC Web site at: http://www.hp.com/go/hpsc
b. Enter keywords for the problem in the search text box. The search results page displays solutions available in the ITRC forums, training materials, and manuals.
NOTE: The ITRC forums offer peer-to-peer support and are free after registration.
3. Search the HP-UX Secure Shell FAQ available at: http://www.hp.
A Configuration Files and Directives This appendix describes the configuration files that are created upon installing HP-UX Secure Shell. This appendix also describes various configuration directives available in the HP-UX Secure Shell server and client configuration files.
AllowAgentForwarding
Use this directive to specify whether ssh-agent(1) forwarding is permitted. The default is yes. For example:
AllowAgentForwarding no

AllowGroups
Use this directive to enable login only for users whose primary or supplementary group list matches a specified string. The star (*) and question mark (?) characters can be used as wildcards in the strings. Enter the AllowGroups directive followed by a list of group name strings, separated by spaces. Only group names are valid.
The default setting is .ssh/authorized_keys .ssh/authorized_keys2. For example:
#AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2
If the home directory of the user being authenticated (%h) is /home/user1, then the AuthorizedKeysFile directive is set to the /home/user1/.ssh/authorized_keys and /home/user1/.ssh/authorized_keys2 files after substitution.
ChallRespAuthDenyUsers
This configuration directive has been introduced by the 3rd party “Auth Selection” patch. Use this configuration directive to specify which users must be denied authentication using Challenge Response authentication. The default setting is to deny no users. For example:
ChallRespAuthDenyUsers Deny none

ChrootDirectory
Use this directive to specify a path to chroot after authentication.
threshold, the sshd daemon disconnects the client and terminates the session. The client alive messages are sent through an encrypted channel and cannot be spoofed. The default value is three. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients are disconnected after approximately 45 seconds. For example:
ClientAliveCountMax 3
NOTE: The ClientAliveCountMax directive is available for the SSH-2 protocol only.
For example:
DenyGroups staff

DenyUsers
Use this directive to deny login for user names that match one of the specified strings. This directive must be followed by a list of user name strings separated by spaces. You can use the star (*) and question mark (?) characters as wildcards in the strings.
NOTE: Only user names are valid; numerical user IDs are not recognized.
ForceCommand
Use this directive to force the execution of the command specified by ForceCommand, ignoring any other command specified by the client. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Previous releases of HP-UX Secure Shell specified this option in the authorized_keys file. For example:
ForceCommand pwd
In the above scenario, pwd is executed regardless of the command specified by the client.
NOTE: This directive is available for the SSH-2 protocol only.

HostbasedAuthAllowUsers
This configuration directive has been introduced by the 3rd party Auth Selection patch. Use this configuration directive to specify which users can authenticate using host-based authentication. The default setting is to allow all users. For example:
HostbasedAuthAllowUsers Allow All

HostbasedAuthDenyUsers
This configuration directive has been introduced by the 3rd party Auth Selection patch.
IgnoreUserKnownHosts
Use this directive to specify whether the sshd daemon ignores the $HOME/.ssh/known_hosts files while authenticating the user using RhostsRSAAuthentication or HostbasedAuthentication. The default setting is no. For example:
IgnoreUserKnownHosts no

IPQoS
Use this directive to specify the IPv4 type-of-service or DSCP class for connections.
KerberosAuthAllowUsers
This configuration directive has been introduced by the 3rd party “Auth Selection” patch. Use this configuration directive to specify which users can authenticate using GSSAPI authentication. The default setting is to allow all users. For example:
KerberosAuthAllowUsers Allow All

KerberosAuthDenyUsers
This configuration directive has been introduced by the 3rd party “Auth Selection” patch.
KeyRegenerationInterval
Use this directive to specify the time interval after which the ephemeral server key is automatically regenerated. If the value is 0, the key is never regenerated. The default is 3600 (seconds). For example:
KeyRegenerationInterval 1h
NOTE: This directive is applicable for the protocol version 1 only.

ListenAddress
Use this directive to specify the local addresses that the sshd daemon listens on.
match patterns can consist of single entries or comma-separated lists, and can use the wildcard and negation operators. The patterns in an Address criteria can additionally contain addresses to match in CIDR address or masklen format, for example: 192.0.2.0/24 or 3ffe:ffff::/32.
MaxSessions 20

MaxStartups
Use this directive to specify the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections are refused until authentication succeeds or the LoginGraceTime expires. The default setting is 10. For example:
MaxStartups 10

PasswordAuthAllowUsers
This configuration directive has been introduced by the 3rd party Auth Selection patch. Use this configuration directive to specify which users can authenticate using password authentication.
For example:
PermitOpen host 3:23
In the above scenario, HP-UX Secure Shell permits port forwardings only to the host specified by the PermitOpen directive.

PermitRootLogin
Use this directive to enable users to log in as superuser using ssh. Following are the supported arguments:
• yes: If this option is set to yes, privileged users are allowed to log in.
• without-password: If this option is set to without-password, password authentication is disabled for privileged users.
The default setting is no. For example:
PermitUserEnvironment no

PidFile
Use this directive to specify where to look for the sshd process ID (PID). This file contains the most recent instance of the running sshd daemon if multiple sshd daemons are running. If an sshd daemon is not running, this file is empty.
NOTE: This directive is not valid if you start sshd in debug mode.
The default value is /var/run/sshd.pid. For example:
PidFile /var/run/sshd.
PubkeyAuthAllowUsers
This configuration directive has been introduced by the 3rd party Auth Selection patch. Use this configuration directive to specify which users can authenticate using public-key authentication. The default setting is to allow all users. For example:
PubkeyAuthAllowUsers Allow All

PubkeyAuthDenyUsers
This configuration directive has been introduced by the 3rd party “Auth Selection” patch.
The default value is yes.
TIP: HP recommends setting this directive to yes, because users can accidentally leave their directories or files world-writable.
For example:
StrictModes yes

Subsystem
Use this directive to configure an external subsystem such as a file transfer daemon. The arguments must be a subsystem name and a command (with optional arguments) to execute upon subsystem request. The sftp-server(8) command implements the sftp file transfer subsystem.
key listed in this file, it might be used for authentication of any user listed in the certificate's principals list. For example:
TrustedUserCAKeys /opt/ssh/etc/user-ca-key.pub
NOTE: Certificates without principals are not permitted for authentication using TrustedUserCAKeys.

UseDNS
Use this directive to specify whether the sshd daemon must look up the remote host name, and check that the resolved host name for the remote IP address maps back to the same IP address.
X11DisplayOffset
Use this directive to specify the first display number the sshd daemon must use for X11 forwarding. This prevents the sshd daemon from crashing the X11 servers. The default value is 10. For example:
X11DisplayOffset 10

X11Forwarding
Use this directive to enable X11 forwarding. When you enable this directive, there is additional exposure to the server and to client displays if the sshd proxy display is configured to listen on the wildcard address.
# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#CountKeyAuthBadLogins no

# Auth selection
#Hostbased
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password".
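The following audit script is an added example, not part of the HP-UX guide or its sample file: it reads an sshd_config and reports effective values that run against the guidance given above for PermitRootLogin, StrictModes, PermitUserEnvironment and X11Forwarding, applying the same reading rules sshd uses (keywords are case-insensitive, the first value seen for a keyword wins, and lines inside a Match block are conditional rather than global). The check list, the assumed defaults and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit an sshd_config for weak effective
# settings. Like sshd, keywords are matched case-insensitively, the FIRST value seen
# for a keyword wins, and anything inside a Match block is left out of the global view.
# effective_value FILE KEYWORD -> prints the global value of KEYWORD (nothing if unset)
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }              # global section ends at first Match
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")          # drop the keyword itself
            sub(/[ \t]+$/, ""); print; exit          # first occurrence wins
        }' "$1"
}
# audit_sshd_config FILE -> one finding per line; exit status = number of findings
audit_sshd_config() {
    cfg=$1; n=0
    check() {   # check KEYWORD DEFAULT WEAK_VALUE_REGEX ADVICE
        v=$(effective_value "$cfg" "$1"); src=explicit
        [ -n "$v" ] || { v=$2; src=default; }
        if printf '%s\n' "$v" | grep -Eiq "$3"; then
            printf '%s %s (%s): %s\n' "$1" "$v" "$src" "$4"; n=$((n + 1))
        fi
    }
    # defaults as shown in the guide's sample sshd_config and directive descriptions
    check PermitRootLogin       yes '^yes$' 'root can log in directly; without-password or no is tighter'
    check StrictModes           yes '^no$'  'HP recommends yes; world-writable user files would be accepted'
    check PermitUserEnvironment no  '^yes$' 'users can set environment variables for their sessions'
    check X11Forwarding         no  '^yes$' 'the guide notes additional exposure to the server'
    return "$n"
}
# write_sample_cfg FILE -> constructed sshd_config fragment used by the demonstration
write_sample_cfg() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
# case-insensitive keyword and the first value wins, so this line is ignored
permitrootlogin no
StrictModes no
X11Forwarding yes
Match Address 192.0.2.0/24
    StrictModes yes
EOF
}
tmp=$(mktemp); write_sample_cfg "$tmp"
audit_sshd_config "$tmp" || :         # prints three findings
rm -f "$tmp"
```

Running it against a real /opt/ssh/etc/sshd_config gives the findings on stdout and the finding count as the exit status, which makes it usable as a simple compliance gate.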
Host
Use this directive to restrict the declarations that follow (up to the next Host keyword) to the hosts that match one of the patterns given after the keyword. A single * as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (that is, the name is not converted to a canonicalized host name before matching). A pattern entry can be negated by prefixing it with an exclamation mark (!).
The default setting is yes. For example:
CheckHostIP yes

Cipher
Use this directive to specify the cipher to be used to encrypt SSH-1 sessions.
TIP: The blowfish, 3des, and des ciphers are supported. The des cipher is supported only in the HP-UX Secure Shell client for interoperability with legacy SSH-1 protocol implementations that do not support 3des. HP does not recommend using des.
The default setting is 3des.
The default setting is no. For example:
Compression yes

CompressionLevel
Use this directive to specify the compression level to use if compression is enabled. Valid values are integers between 1 (fast) and 9 (slow, best). The default setting is 6, which is sufficient for most applications. For example:
CompressionLevel 9
NOTE: The CompressionLevel directive is available for the SSH-1 protocol only.
ControlPath
Use this directive to specify the path to the control socket used for connection sharing. To disable connection sharing, set ControlPath to none. The following substitutions occur in the ControlPath value:
%L Specifies the first component of the local host name.
%l Specifies the local host name (including the domain name).
%h Specifies the target host name.
%n Specifies the original target host name given on the command line.
%p Specifies the port.
%r Specifies the remote login user name.
The default value is ~. For example:
EscapeChar ~

ExitOnForwardFailure
Use this directive to specify whether ssh(1) must terminate the connection if it cannot set up all requested dynamic, local, and remote port forwardings. The values for ExitOnForwardFailure are yes or no. The default value is no. For example:
ExitOnForwardFailure no

ForwardAgent
Use this directive to specify whether the connection to the authentication agent is forwarded to the remote machine.
GatewayPorts
Use this directive to specify whether remote hosts are allowed to connect to local forwarded ports. By default, HP-UX Secure Shell binds local port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports. Use GatewayPorts to specify that HP-UX Secure Shell must bind local port forwardings to the wildcard address, allowing remote hosts to connect to forwarded ports. The default setting is no.
HostbasedAuthentication no
NOTE: This directive is available for the SSH-2 protocol only.

HostKeyAlgorithms
Use this directive to specify the SSH-2 protocol host key algorithms that the client uses, in order of preference. The default setting is ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ssh-rsa-cert-v00@openssh.com, ssh-dss-cert-v00@openssh.
IdentitiesOnly no

IPQoS
Use this directive to specify the IPv4 type of service or DSCP class for connections. The accepted values are af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, lowdelay, throughput, and reliability. You can specify more than one argument, separated by whitespace.
KbdInteractiveDevices
Use this directive to specify the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server-specified list. For example:
KbdInteractiveDevices pam

KexAlgorithms
Use this directive to specify the available KEX (key exchange) algorithms. Multiple algorithms must be comma-separated.
Table 24 LogLevelFacility Values
Value     Description
QUIET     Does not log messages. The messages are not displayed on the standard output.
FATAL     Logs only fatal messages.
ERROR     Logs all error messages.
INFO      Specifies the information that must be logged.
VERBOSE   Logs detailed messages.
DEBUG     Specifies debugging messages that must not be logged during normal operation.
DEBUG1    Specifies a higher degree of debug level than DEBUG.
NumberOfPasswordPrompts 3

PasswordAuthentication
Use this directive to specify whether to use password-based authentication. The default setting is yes. For example:
PasswordAuthentication yes

PermitLocalCommand
Use this directive to specify whether to allow local command execution through the LocalCommand option or the !command escape sequence in ssh(1). The default is no. For example:
PermitLocalCommand yes

Port
Use this directive to specify the port number to connect to on the remote host.
This ProxyCommand string is executed with /bin/sh. In the previous command string, the following substitutions occur:
• The host name substitutes for %h
• The port number substitutes for %p
NOTE: The CheckHostIP directive is not available for connections with a ProxyCommand.

PubkeyAuthentication
Use this directive to specify whether to use public-key authentication. The default setting is yes. For example:
PubkeyAuthentication yes
NOTE: This directive is available for the SSH-2 protocol only.
RhostsRSAAuthentication
Use this directive to specify whether to use host-based authentication with RSA host authentication.
NOTE: This directive is available for the SSH-1 protocol only.
The default setting is no. For example:
RhostsRSAAuthentication no

RSAAuthentication
Use this directive to specify whether to use RSA authentication. RSA authentication is attempted only if the identity file exists or an authentication agent is running. The default setting is yes.
The default setting is 3. If, for example, ServerAliveInterval is set to 15 and ServerAliveCountMax is left at the default, ssh disconnects approximately 45 seconds after the server becomes unresponsive. For example:
ServerAliveCountMax 3
NOTE: This directive is available for the SSH-2 protocol only. ServerAliveCountMax is different from TCPKeepAlive. Server alive messages are sent through the encrypted channel and are not spoofable. Messages from the TCPKeepAlive directive are spoofable.
The default value is null. For example:
User john

UserKnownHostsFile
Use this directive to specify one or more files to use for the user host key database, separated by whitespace. The default values are $HOME/.ssh/known_hosts and $HOME/.ssh/known_hosts2. For example:
UserKnownHostsFile /home/john/.ssh/new_known_hosts $HOME/.ssh/known_hosts2

VerifyHostKeyDNS
Use this directive to specify whether to verify the remote key using DNS and SSHFP resource records.
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.
B Sample /etc/krb5.conf File
This appendix provides a sample /etc/krb5.conf file.

The /etc/krb5.conf Configuration File
Following is a sample /etc/krb5.conf Kerberos configuration file on the HP-UX Secure Shell client system:
#
# Kerberos configuration
#
# See krb5.conf(4) for more details
#
[libdefaults]
default_realm = REALM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2

[realms]
REALM = {
kdc = hostname.domainname.com:88
admin_server = hostname.