Administrator's Guide

directory. When a client connects with an sshd daemon, it presents its credentials at
connection time. The server matches these credentials with its copy of credentials for this
specific user. Also, the server can optionally establish the legitimacy of the client's host
environment.
For more information, see gssapi(5), kerberos(9) and the HP-UX Kerberos Data Security
documentation:
www.hp.com/go/hpux-security-docs
Click HP-UX Kerberos Data Security Software.
4.6.5.2 Public Key Authentication
For public key authentication, the Secure Shell environment must have the following setup:
• Both the client and server must have a key pair. Every ssh client and every sshd server must generate its own key pair using the ssh-keygen utility.
• The client must make its public key known to all sshd servers it needs to communicate with. Do this by copying every client's public key into a predetermined directory on every relevant server.
• The client must acquire the public key for every server it needs to communicate with. The client acquires these public keys using the ssh-keyscan utility.
After this setup is completed, ssh clients connecting to sshd servers are authenticated
using public and private keys. For more information on public key cryptography, see
public key cryptography.
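The two copy steps of the setup above (client public key into the server's authorized key file, server host key from ssh-keyscan output into the client's known hosts file), as an added POSIX sh example that is not from the HP-UX guide. It assumes only sh and awk; the file paths, the sample host name and the key blobs are constructed placeholders, not real keys.

```shell
# Added example, not from the HP-UX guide. install_client_pubkey appends one client
# public key (the contents of the client's id_*.pub) to a server's authorized_keys;
# add_server_hostkey records one line of ssh-keyscan output in a client's known_hosts.
# Both are idempotent and set the permissions sshd's StrictModes check expects.
# Assumes POSIX sh and awk; the key blobs below are constructed placeholders.

# Usage: install_client_pubkey "<type> <base64-blob> [comment]" <authorized_keys path>
install_client_pubkey() {
    line=$1; target=$2
    set -- $line                      # split the key line into type, blob, comment
    case $1 in                        # reject anything that is not an OpenSSH key type
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    keytype=$1; blob=$2
    mkdir -p "$(dirname "$target")"
    chmod 700 "$(dirname "$target")"  # sshd ignores keys in a group/world-writable directory
    touch "$target"; chmod 600 "$target"
    # Compare type and blob only, so a changed comment does not re-add the same key.
    if awk -v t="$keytype" -v b="$blob" '$1==t && $2==b {f=1} END{exit !f}' "$target"; then
        echo "key already present in $target"; return 0
    fi
    echo "$line" >> "$target"
}

# Usage: add_server_hostkey "<host> <type> <base64-blob>" <known_hosts path>
add_server_hostkey() {
    line=$1; target=$2
    set -- $line
    host=$1; keytype=$2; blob=$3
    mkdir -p "$(dirname "$target")"; touch "$target"; chmod 600 "$target"
    # Look for an existing entry for this host and key type.
    old=$(awk -v h="$host" -v t="$keytype" '$1==h && $2==t {print $3; exit}' "$target")
    if [ -n "$old" ]; then
        [ "$old" = "$blob" ] && { echo "host key already present"; return 0; }
        # A different blob for the same host means the host key changed (or the scan
        # output was tampered with): keep the recorded one and let the operator decide.
        echo "host key for $host ($keytype) differs from the recorded one; not replacing" >&2
        return 2
    fi
    echo "$line" >> "$target"
}

# Constructed sample inputs (placeholder blobs, not real keys):
CLIENT_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCLIENTKEY0000000000000 user@client'
SERVER_HOSTKEY='server.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERHOSTKEY00000000000000'
```

Running each helper twice with the same input leaves a single line in the target file; a second ssh-keyscan line for the same host with a different blob is refused rather than silently overwriting the recorded host key.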
HP-UX Secure Shell offers an additional feature for streamlining public key authentication.
For some environments, you might want the convenience of not having to respond to
password prompts all the time. You can eliminate the need to respond to password
prompts by using a combination of the ssh-agent and ssh-add processes, both
running on the client machine. The client registers all its key information with the
ssh-agent process through the ssh-add utility. Then, public key authentication between
client and server is facilitated by ssh-agent without the sshd daemon having to interact
with the client.
4.6.5.3 Host-Based and Public Key Authentication
Host-based and public key authentication is a more secure extension of the public key
authentication method. In addition to having key pairs for both client and server, this
method enables client environments to restrict the servers that they will communicate with.
Implement this restriction by creating a .rhosts file in the client's home directory.
4.6.5.4 Password Authentication
The password authentication method relies on the existence of a single user ID and
password-based login. This login could be based on the user's login specified in
/etc/passwd, or it could be PAM-based.
4.6 Securing Remote Sessions Using HP-UX Secure Shell (SSH) 81