HP-UX Secure Shell Getting Started Guide (762810-001, March 2014)
11. To verify the connection, run the /usr/bin/klist command on the HP-UX Secure Shell
client system:
# klist
The following output is displayed:
Ticket cache: /tmp/krb5cc_01
Default principal: root@KRB_MC.REALM
Valid starting     Expires            Service principal
01/31/06 17:54:40  02/01/06 03:54:40  krbtgt/KRB_MC.REALM
1/31/06 18:20:40   02/01/06 03:54:40  host/sshd_mc.appserverdomain.com@KRB_MC.REALM
This output is different from the previous /usr/bin/klist output. This output shows the
ticket information of the client (1/31/06 18:20:40 02/01/06 03:54:40
host/sshd_mc.appserverdomain.com@KRB_MC.REALM) and indicates that the HP-UX
Secure Shell server has accepted the ticket.
Configuring Keyboard-Interactive authentication
To configure Keyboard-Interactive authentication, set either of the following directives in the
/opt/ssh/etc/ssh_config configuration file:
ChallengeResponseAuthentication yes
UsePAM yes
NOTE: If the HP-UX Secure Shell client requests the Keyboard-Interactive authentication method
and the underlying PAM module is a simple one-password function, Keyboard-Interactive
authentication works the same way as password authentication.
Configuring Host-Based authentication
This section describes how to configure host-based authentication.
Configuring Host-Based authentication for Non-Superusers
Non-superusers can configure host-based authentication using either the systemwide configuration
or a user-specific configuration.
Using systemwide configuration
To configure host-based authentication for non-superusers using systemwide configuration, follow
these steps:
1. On the client system, set the following directives in the /opt/ssh/etc/ssh_config file:
RhostsRSAAuthentication yes (For SSH-1)
HostbasedAuthentication yes (For SSH-2)
2. On the client system, set the following directive in the /opt/ssh/etc/ssh_config file:
EnableSSHKeysign yes
3. On the server system, set the following directives in the /opt/ssh/etc/sshd_config file:
RhostsRSAAuthentication yes (For SSH-1)
HostBasedAuthentication yes (For SSH-2)
4. Ensure that the /opt/ssh/etc/shosts.equiv file or the /etc/hosts.equiv file on the
server contains an entry for the fully qualified client host name and the user ID of the client,
as shown in the following example:
client.abc.com localuser
Where:
localuser   Specifies the user on the client system who is logging into the remote system.
client      Specifies the name of the client system.
abc.com     Specifies the client domain.
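The following audit script is an added example, not part of the HP guide: it checks the SSH-2 settings from steps 1 through 4 against copies of the three files and reports each item that is missing. The function names and sample files are constructed for illustration; it assumes directives are set globally (no Host or Match blocks) and that the equiv file uses plain "host user" entries.

```sh
#!/bin/sh
# Added example: audit steps 1-4 (SSH-2 directives) against copies of the files.

# directive_value FILE KEYWORD: print the first value given for KEYWORD.
# Keywords match case-insensitively; "Keyword value" and "Keyword=value" both parse.
directive_value() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# equiv_has_entry FILE HOST USER: succeed if FILE has a plain "HOST USER" line.
# Assumption: +/- prefixes and netgroups are out of scope for this check.
equiv_has_entry() {
    awk -v h="$2" -v u="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(h) && $2 == u { found = 1 }
        END { exit !found }
    ' "$1"
}

# audit_hostbased CLIENT_CFG SERVER_CFG EQUIV HOST USER
# Prints one line per missing item and returns non-zero if any item is missing.
audit_hostbased() {
    rc=0
    [ "$(directive_value "$1" HostbasedAuthentication)" = yes ] ||
        { echo "client: HostbasedAuthentication is not yes"; rc=1; }
    [ "$(directive_value "$1" EnableSSHKeysign)" = yes ] ||
        { echo "client: EnableSSHKeysign is not yes"; rc=1; }
    [ "$(directive_value "$2" HostbasedAuthentication)" = yes ] ||
        { echo "server: HostbasedAuthentication is not yes"; rc=1; }
    equiv_has_entry "$3" "$4" "$5" ||
        { echo "server: no equiv entry for $4 $5"; rc=1; }
    return "$rc"
}

# Constructed sample files (not from a real system): step 2 is commented out.
demo="${TMPDIR:-/tmp}/hostbased-audit.$$"
(umask 077; mkdir "$demo")
printf '%s\n' 'HostbasedAuthentication yes' '# EnableSSHKeysign yes' > "$demo/ssh_config"
printf '%s\n' 'HostBasedAuthentication yes' > "$demo/sshd_config"
printf '%s\n' 'client.abc.com localuser' > "$demo/shosts.equiv"
audit_hostbased "$demo/ssh_config" "$demo/sshd_config" "$demo/shosts.equiv" \
    client.abc.com localuser || echo "host-based authentication is incomplete"
rm -rf "$demo"
```

Run it against copies of /opt/ssh/etc/ssh_config, /opt/ssh/etc/sshd_config and the equiv file to confirm that host-based trust is enabled only for the client and user pairs you intend.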