Administrator's Guide

NOTE: Privilege separation is the default configuration for HP-UX Secure Shell. You
can turn off privilege separation by setting UsePrivilegeSeparation NO in the
sshd_config file. Because of the potential security risk, turn off privilege separation
only after careful consideration.
4.6.5 HP-UX Secure Shell Authentication
HP-UX Secure Shell supports the following authentication methods:
GSS-API (Kerberos-based client authentication)
Public key authentication
Host-based authentication
Password authentication
When a client connects to a remote sshd daemon, it selects the desired authentication
method (one of the methods listed previously), and either presents the appropriate
credentials as part of the connection request or responds to a prompt sent back by the
server. All authentication methods work in this way.
The server requires the appropriate key, pass phrase, password, or credentials from the
client to establish a successful connection.
You can choose to have the sshd instance support only a subset of the supported
authentication methods based on security requirements.
Although HP-UX Secure Shell supports the authentication methods listed previously, system
administrators can limit the authentication methods offered by an sshd instance, based
on the specific security requirements of their environment. For example, an HP-UX Secure
Shell environment can dictate that all clients must authenticate using the public key or
Kerberos methods; as a result, the administrator may disable the remaining methods.
Supported authentication methods are enabled and disabled through configuration
directives specified in the sshd_config file.
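As an added example (not part of the HP-UX guide), the following Python script audits which authentication methods an sshd_config file actually offers, applying the sshd_config reading rules (case-insensitive keywords, the first occurrence of a keyword wins, directives inside a Match block apply only conditionally), and reports methods outside the site policy together with a switched-off UsePrivilegeSeparation. The defaults applied to unset directives are assumed upstream OpenSSH values, and the sample file is constructed.

```python
import re
# Directive -> (method name as the guide lists it, assumed upstream OpenSSH
# default when unset; HP-UX Secure Shell ships its own sshd_config, check it).
METHODS = {"gssapiauthentication": ("GSS-API", "no"),
           "pubkeyauthentication": ("Public key", "yes"),
           "hostbasedauthentication": ("Host-based", "no"),
           "passwordauthentication": ("Password", "yes")}

def parse_sshd_config(text):
    """Map lowercase keyword -> value with sshd_config rules: blank and '#'
    lines are skipped, keywords are case-insensitive, 'Key value' and
    'Key=value' both work, the FIRST occurrence wins, and a Match block ends
    the global section because its directives apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if m is None:
            continue  # malformed line; sshd itself would reject the file
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # keeps the first value seen
    return settings

def offered_methods(text):
    """Sorted list of methods this sshd_config offers, defaults applied."""
    settings = parse_sshd_config(text)
    return sorted(name for directive, (name, default) in METHODS.items()
                  if settings.get(directive, default).lower() == "yes")

def policy_violations(text, allowed):
    """Offered methods outside the allowed set, plus a flag if privilege
    separation (on by default, see the NOTE above) was switched off."""
    problems = [m for m in offered_methods(text) if m not in allowed]
    if parse_sshd_config(text).get("useprivilegeseparation", "yes").lower() == "no":
        problems.append("UsePrivilegeSeparation no")
    return problems

# Constructed sample: only public key and Kerberos were meant to be offered.
SAMPLE_SSHD_CONFIG = """\
# /opt/ssh/etc/sshd_config (constructed example)
PubkeyAuthentication yes
GSSAPIAuthentication yes
PasswordAuthentication yes
HostbasedAuthentication no
UsePrivilegeSeparation no
PasswordAuthentication no
"""
```

On the sample, `policy_violations(SAMPLE_SSHD_CONFIG, {"GSS-API", "Public key"})` reports Password still offered (the first PasswordAuthentication line wins) and privilege separation disabled.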
When an ssh client connection request is made, the server first responds with its list of
supported authentication methods. This list represents the authentication methods supported
by the sshd server and the sequence in which these methods will be tried. The client
can omit one or more of those authentication methods. The client can also change the
sequence in which the methods are attempted. You achieve this with a configuration
directive in the client configuration file, /opt/ssh/etc/ssh_config.
The authentication methods supported by HP-UX Secure Shell are summarized in the
following sections.
4.6.5.1 GSS-API
With the Generic Security Service Application Programming Interface (GSS-API), a
Kerberos-based client authentication method, the client must obtain Kerberos credentials in
advance, and also have a Kerberos configuration file present in the appropriate client
80 Remote Access Security Administration