HP-UX Secure Shell Getting Started Guide HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 (5900-3142, June 2013)

Figure 2 Using Kerberos with HP-UX Secure Shell
[Diagram: the Secure Shell client (with its Kerberos client), the Secure Shell server, and the KDC (domain controller). Exchanges shown: establish a secure tunnel and authenticate the server, between the Secure Shell client and server; request TGT / return TGT and, using the TGT, request ST / return ST, between the Kerberos client and the KDC; present ST for mutual authentication, from the Secure Shell client to the server; encrypted session.]
The following events occur when HP-UX Secure Shell uses Kerberos for authentication:
1. A secure tunnel is established between the HP-UX Secure Shell client and the HP-UX Secure Shell server.
2. The HP-UX Secure Shell server authenticates itself to the client.
3. The Kerberos client on the HP-UX Secure Shell client system sends a message to the KDC requesting a ticket granting ticket (TGT).
4. If the KDC decrypts the message successfully, it issues a TGT to the client.
5. The Kerberos client uses the TGT to request from the KDC a session ticket (ST) for the HP-UX Secure Shell server.
6. If the TGT is valid, the KDC issues an ST.
7. The HP-UX Secure Shell client presents the ST to the HP-UX Secure Shell server.
8. If the credentials in the ST are valid, the HP-UX Secure Shell server accepts the client as authenticated and the user session is started over the encrypted connection.
Kerberos Authentication Methods
Following are the methods for authenticating HP-UX Secure Shell using Kerberos:
• “Password Authentication Using Kerberos” (page 29)
• “GSS-API Authentication Using Kerberos” (page 29)
Password Authentication Using Kerberos
HP-UX Secure Shell relies on the PAM Kerberos module configured in the /etc/pam.conf file for password authentication. If the PAM authentication (auth) management entries point to the shared, dynamically loadable PAM Kerberos library /usr/lib/security/libpam_krb5.1, HP-UX Secure Shell authenticates users through PAM Kerberos. With this method the user's password is sent to the HP-UX Secure Shell server (inside the encrypted session) and the server performs the Kerberos exchange with the KDC on the user's behalf; the client itself needs no Kerberos credentials beforehand.
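To see which modules an HP-UX-style pam.conf actually hands the sshd auth phase to, the following added example (not code from the HP-UX guide or from HP-UX Secure Shell itself) parses a constructed pam.conf fragment and reports whether the stack goes through libpam_krb5. It assumes the pam.conf layout "service module_type control_flag module_path [options]" with OTHER as the fallback service name, that the sshd daemon registers with PAM under the service name sshd, and the control flags and module paths shown; the sample configuration is made up for the example.

```shell
#!/bin/sh
# Added example, not part of the HP-UX Secure Shell guide.
# Checks which PAM modules a service's "auth" phase is routed through.

# Constructed sample of an HP-UX-style /etc/pam.conf (assumed layout:
# "service module_type control_flag module_path [options]", with OTHER
# as the fallback service name). Not copied from any real system.
SAMPLE_PAM_CONF='# sshd: try Kerberos first, fall back to the local password file
sshd    auth      sufficient  /usr/lib/security/libpam_krb5.1
sshd    auth      required    /usr/lib/security/libpam_unix.1 try_first_pass
sshd    account   required    /usr/lib/security/libpam_krb5.1
sshd    account   required    /usr/lib/security/libpam_unix.1
# every other service: local passwords only
OTHER   auth      required    /usr/lib/security/libpam_unix.1
OTHER   account   required    /usr/lib/security/libpam_unix.1
'

# Print the pam.conf lines that make up one service's stack for one module
# type, falling back to the OTHER entries when the service has none of its own.
pam_stack() {   # $1 = pam.conf text, $2 = service name, $3 = module type
    printf '%s\n' "$1" | awk -v svc="$2" -v type="$3" '
        /^[[:space:]]*#/ || NF < 4      { next }          # comments, short lines
        $2 == type && $1 == svc         { own = own $0 "\n" }
        $2 == type && $1 == "OTHER"     { other = other $0 "\n" }
        END { printf "%s", (own != "" ? own : other) }'
}

# Exit 0 if the service's auth stack references the PAM Kerberos library,
# 1 otherwise.
uses_pam_krb5() {   # $1 = pam.conf text, $2 = service name
    pam_stack "$1" "$2" auth | grep -q 'libpam_krb5'
}

# Print the module path of each auth module, in the order PAM calls them.
auth_modules() {    # $1 = pam.conf text, $2 = service name
    pam_stack "$1" "$2" auth | awk '{ print $4 }'
}

# Demo: sshd has its own stack; "login" falls back to OTHER in the sample.
for svc in sshd login; do
    if uses_pam_krb5 "$SAMPLE_PAM_CONF" "$svc"; then
        echo "$svc: auth goes through PAM Kerberos"
    else
        echo "$svc: auth does NOT go through PAM Kerberos"
    fi
    auth_modules "$SAMPLE_PAM_CONF" "$svc" | sed 's/^/    /'
done
```

To check a live system, replace the constructed text with `"$(cat /etc/pam.conf)"`; the order the modules are printed in is the order PAM tries them, so a libpam_unix.1 entry marked sufficient ahead of libpam_krb5.1 would let local passwords bypass Kerberos.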
GSS-API Authentication Using Kerberos
HP-UX Secure Shell offers GSS-API-based authentication using Kerberos as the underlying security service. GSS-API is a generic API through which applications access security services such as Kerberos and Windows NT LAN Manager (NTLM) without depending on the details of either.
For GSS-API authentication to work, the client must obtain Kerberos credentials in advance (a TGT, typically acquired with kinit) and must also have a Kerberos configuration file present in the appropriate client directory. Unlike password authentication through PAM, the user's password is never sent to the HP-UX Secure Shell server; only the ST is. When an HP-UX Secure Shell client connects to an sshd daemon, the HP-UX Secure Shell client presents
Kerberos Authentication 29