HP-UX Secure Shell Getting Started Guide HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 (5900-3142, June 2013)

1. Ensure that the Kerberos server is installed and configured correctly. For more information
about installing and configuring the Kerberos server, see the Kerberos Server Version 3.1
Administrator’s Guide available at: http://www.hp.com/go/hpux-security-docs
2. Ensure that your name can be authenticated by the Kerberos server.
3. Ensure that the Kerberos client is installed and configured on the HP-UX Secure Shell client
system.
4. To obtain a local ticket, run the following command:
# kinit <user@realm>
5. To connect to the remote server, run the following command from the client system:
# ssh <server_name>
Where:
<server_name> specifies the name of the remote system to which you want to connect.
By default, the /opt/ssh/etc/ssh_config and /opt/ssh/etc/sshd_config
files enable Kerberos authentication. Unless you change the /opt/ssh/etc/ssh_config
and /opt/ssh/etc/sshd_config files to deny Kerberos authentication, you can log in remotely
without being prompted for passwords.
You can use the following methods to configure HP-UX Secure Shell to use Kerberos authentication:
Password authentication using PAM_KERBEROS. For more information, see “Configuring
Password Authentication Using PAM Kerberos” (page 36).
GSS-API authentication using Kerberos. For more information, see “Configuring GSS-API
Authentication” (page 37).
Configuring Password Authentication Using PAM Kerberos
To enable password authentication using Kerberos, follow these steps:
1. On the HP-UX Secure Shell server and client systems, set the following directives in the
/opt/ssh/etc/sshd_config file:
PasswordAuthentication yes
UsePAM yes
2. To configure the /etc/pam.conf file for PAM Kerberos in the HP-UX Secure Shell server,
use the /usr/lib/security/libpam_krb5.1 or
/usr/lib/security/libpam_krb5.so.1 library for the login service in the /etc/pam.conf file.
Following is a sample entry for PAM Kerberos in the /etc/pam.conf file for the HP-UX 11.0
and 11i v1 systems (PA-RISC architecture):
sshd auth required /usr/lib/security/libpam_krb5.1
Following is a sample entry for PAM Kerberos in the /etc/pam.conf file for the HP-UX 11i
v2 system (Itanium architecture):
sshd auth required /usr/lib/security/$ISA/libpam_krb5.so.1
3. To ensure that the host service principal and the host service key are available in the
/etc/krb5.keytab file, run the following command on the HP-UX Secure Shell server:
# kinit -k
If the host service principal and host service key are not available in the /etc/krb5.keytab
file, run the following command to extract the host service principal:
# /opt/krb5/admin/kadminl
For information on extracting the host service principal, see Step 4 in “Configuring GSS-API
Authentication” (page 37).
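The following is an added example, not part of the HP guide: a POSIX shell check for the settings from steps 1 and 2 that catches a commented-out directive, a duplicated keyword, or a missing pam.conf entry. The function names and the sample files are constructed for illustration; on a real system, pass /opt/ssh/etc/sshd_config and /etc/pam.conf to audit.

```sh
#!/bin/sh
# Added example: audit steps 1 and 2 of the PAM Kerberos procedure.
# Function names and the sample files below are constructed, not from the guide.

# Print the global value sshd will use for a keyword: keywords are
# case-insensitive, the first value read wins, comments are ignored, and
# the global section ends at the first Match block.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed if pam.conf has an active "sshd auth" line loading libpam_krb5
# (fields: service, module type, control flag, module path).
pam_krb5_for_sshd() {  # $1 = pam.conf path
    awk '
        /^[ \t]*#/ { next }
        $1 == "sshd" && $2 == "auth" && $4 ~ /\/libpam_krb5\./ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Report each check; the return status is the number of failed checks.
audit() {  # $1 = sshd_config path, $2 = pam.conf path
    fails=0
    for kw in PasswordAuthentication UsePAM; do
        val=$(sshd_value "$1" "$kw")
        if [ "$val" = yes ]; then echo "ok   $kw yes"
        else echo "FAIL $kw is '${val:-not set}', expected yes"; fails=$((fails + 1)); fi
    done
    if pam_krb5_for_sshd "$2"; then echo "ok   sshd auth loads libpam_krb5"
    else echo "FAIL no active sshd auth entry for libpam_krb5"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample input: PasswordAuthentication is only present as a
# comment, UsePAM appears twice, and the pam.conf entry is active.
tmp=${TMPDIR:-/tmp}/sshkrb.$$
mkdir -m 700 "$tmp" || exit 1
printf '%s\n' '#PasswordAuthentication yes' 'usepam yes' 'UsePAM no' > "$tmp/sshd_config"
printf '%s\n' 'sshd auth required /usr/lib/security/$ISA/libpam_krb5.so.1' > "$tmp/pam.conf"
audit "$tmp/sshd_config" "$tmp/pam.conf" || echo "checks failed: $?"
```

A directive that is not set explicitly is reported as a failure because step 1 asks for both directives to be set, whatever the built-in default is.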
36 Configuring HP-UX Secure Shell Authentication Methods