HP-UX Secure Shell Getting Started Guide HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 (5900-3142, June 2013)

its credentials. The HP-UX Secure Shell server matches these credentials against its copy of credentials
for a specific user. The user is also identified with a password. The server can also optionally
establish the legitimacy of the client host environment.
Keyboard-Interactive Authentication
Keyboard-Interactive Authentication, also known as challenge-response authentication, is a generic
authentication method that can be used to implement various authentication mechanisms. This
authentication method is similar to the password authentication method, with some key differences.
Password authentication also uses the Keyboard-Interactive method to display the response when
users log on to the host.
Most PAM modules deal with a single user name and password. The PAM modules prompt the
HP-UX Secure Shell client for a password, and allow or deny the connection based on the response.
However, certain authentication methods require a longer dialogue with the HP-UX Secure Shell
client. Therefore, HP-UX Secure Shell implements the Keyboard-Interactive Authentication method,
which provides a higher degree of security.
Host-Based Authentication
Host-based authentication is different from the other authentication methods. The HP-UX Secure
Shell server does not directly authenticate users based on passwords or private keys. Instead, it
authenticates the client host and trusts the client host system, which trusts the user of that system.
The HP-UX Secure Shell server uses the /etc/shosts.equiv or $HOME/.shosts file in the
server to determine the account names of the client host that are allowed access to the server.
Figure 3 illustrates how a user Casey on host ABC is authenticated by the user Clay on host DEF
using host-based authentication.
Figure 3 Authenticating a Host Using Host-Based Authentication
[Figure: client host ABC (user Casey, Casey@ABC) connects to server host DEF (user Clay, Clay@DEF). Labelled steps: (1) sshd checks host ABC; (2) authenticity of Casey established; (3) does Casey@ABC exist in the /etc/shosts.equiv or $HOME/.shosts file for Clay?]
Following are the steps HP-UX Secure Shell follows when Clay authenticates Casey using host-based
authentication:
1. The sshd server checks the identity of host ABC, ensuring that ABC is a trusted host. It does
not check the identity of Casey directly.
2. The sshd server on host DEF checks whether the connection is coming from a trusted program
on ABC, installed by the system administrator, that cannot lie about the identity of Casey.
If the connection passes both tests, the authenticity of Casey is established.
3. The sshd daemon checks whether the Casey@ABC account exists in the /etc/shosts.equiv
or $HOME/.shosts configuration file for Clay. If the account exists, Casey@ABC is allowed
access to the accounts of Clay.
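The following is an added example, not code from the HP-UX Secure Shell product or this guide: a simplified model of step 3 above, deciding whether a remote user on an already-verified client host is listed in /etc/shosts.equiv or $HOME/.shosts for the target account. It assumes the common "hostname [username]" and "-hostname" entry forms only; netgroup entries and the root special case are not modeled, and the file contents are constructed samples.

```python
"""Simplified model of the step-3 lookup in host-based authentication.

Added example, not HP-UX Secure Shell's own implementation. sshd only
reaches this check after steps 1 and 2 have verified the client host
(its host key and the trusted client program), so the hostname passed
in here is assumed to be already authenticated.
"""


def parse_equiv(text):
    """Parse shosts.equiv / .shosts content into (negated, host, user) tuples.

    A line is "hostname [username]"; a leading '-' on the hostname denies
    that host. Comments and blank lines are ignored. Netgroups ('+@') are
    not handled in this simplified model.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host, user = parts[0], (parts[1] if len(parts) > 1 else None)
        negated = host.startswith("-")
        entries.append((negated, host.lstrip("-").lower(), user))
    return entries


def hostbased_allowed(client_host, client_user, target_user,
                      shosts_equiv="", dot_shosts=""):
    """Decide whether client_user@client_host may access target_user's account.

    Entries are evaluated in order, /etc/shosts.equiv first, then the
    target account's $HOME/.shosts; the first matching entry decides.
    A bare hostname permits only a remote user with the SAME name as the
    target account; a "host user" entry permits that named remote user.
    Note for reviewers of these files: a bare hostname therefore grants
    every account on that host access to its namesake here, so entries
    should name the specific remote user wherever possible.
    """
    client_host = client_host.lower()
    for negated, host, user in parse_equiv(shosts_equiv) + parse_equiv(dot_shosts):
        if host != client_host:
            continue
        if negated:
            return False
        if user is None:
            return client_user == target_user
        if user == client_user:
            return True
    return False
```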
This method also uses client and server keys for authentication. While public-key authentication
requires individual client users to generate their own key pairs, host-based authentication requires
only that the client host system have a key pair.
The server has knowledge of all the public keys for all client host systems from which users can
attempt host-based authentication. In addition, the server can restrict host-based authentication to
specific user accounts in specific client systems.