HP-UX Secure Shell Getting Started Guide
HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3
HP Part Number: 5900-1228
Published: September 2010
Edition: Edition 5
© Copyright 2010 Hewlett-Packard Development Company, L.P. Legal Notices Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
About This Document

This document describes the HP-UX Secure Shell software. It includes information about installing, verifying, configuring, and troubleshooting HP-UX Secure Shell on HP-UX platforms. The latest version of this document is available at: http://www.docs.hp.com

The document printing date and part number indicate the document's current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date.
Table 1 Publishing History Details (continued)

  Document Manufacturing Part Number   Operating Systems Supported                Publication Date
  T1471-90024                          HP-UX 11.0, HP-UX 11i v1, HP-UX 11i v2     June 2006
  5991-7493                            HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3   February 2007

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname command with the -r option returns the release identifier. Table 2 shows the available HP-UX releases.
Typographic Conventions

This document uses the following conventions:

  audit(5)    An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the Web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter man audit or man 5 audit to view the manpage. See man(1).
  Book Title  The title of a book. On the Web and on the Instant Information CD, it may be a link to the book itself.
Include the document title, manufacturing part number, and any comments, errors found, in this document. Also, please include what we did right, so we can incorporate it into other documents.
1 Introduction This chapter provides an overview of HP-UX Secure Shell. HP-UX Secure Shell is a program that enables users to securely access various network services.
Strong Encryption

All communication between the client and the server is encrypted using patent-free encryption algorithms such as Blowfish, Data Encryption Standard (DES), 3DES, Advanced Encryption Standard (AES), and arcfour. Authentication information (for example, passwords) is never sent in clear text over the network. Encryption in conjunction with strong public-key cryptography also provides protection against a number of potential security attacks.
  Session      An ongoing connection between an HP-UX Secure Shell client and a server.
  Key          A relatively small amount of data used as a parameter for cryptographic algorithms, such as encryption or message authentication.
  User Key     An asymmetric key used by the client to provide a user identity.
  Host Key     An asymmetric key used by the server to provide a server identity.
  Session Key  A symmetric key that encrypts the communication between the client and server.
3. The child sshd process inherits the connection socket and authenticates the client application based on the selected authentication method. A successful secure client session is established only upon successful authentication.
4. When a session is created, all subsequent communication occurs directly between the client application and the child sshd process. The client application can now execute remote commands on the server.
Table 1-2 HP-UX Secure Shell Commands (continued)

  Command      Description                                                             Runs On            Equivalent Non-Secure Components
  sshd         Secure Shell daemon                                                     Server             remshd, telnetd
  scp          Secure file copy for client and server                                  Client and Server  rcp
  sftp         Secure FTP program                                                      Client             ftp
  sftp-server  The sftp server subsystem automatically initiated by the sshd daemon.
Table 1-3 Client Keys and Configuration Files (continued)

  Name         Description                                                                    Location
  known_hosts  Lists public keys for all sshd daemons on the client subnet. This file is      $HOME/.ssh/known_hosts
               required for all HP-UX Secure Shell operations, regardless of the
               authentication method used. Multiple client users using the same client
               system for HP-UX Secure Shell connections must make individual known_hosts
               files, and place them in their home directories.
Table 1-4 Server Keys and Configuration Files (continued)

  Name             Description                                                                    Location
  authorized_keys  List of public keys for all client users who connect to an instance of the     $HOME/.ssh/authorized_keys
                   sshd daemon using public-key authentication. This file is necessary only if
                   you are using public-key authentication. One file is created per client user.
  Host key files   The public and private keys for every sshd instance.                           • RSA-1 keys:
Table 1-5 Common Client and Server Configuration Files

  Name            Description                                                        Location
  Kerberos files  Required for client users who connect to the server using GSS-API  On the client system:
                  authentication. The client user requires the following files:        • /etc/krb5.conf
                  • krb5.conf file – Required for both the client and server.          • /tmp/krb5CC_uid
                  • A ticket file specific to each user.                             On the server system:
                                                                                       • /etc/krb5.
2 Installing HP-UX Secure Shell

This chapter describes how to install HP-UX Secure Shell. This chapter also lists the prerequisites for installing HP-UX Secure Shell. The chapter addresses the following topics:
• "Prerequisites" (page 23)
• "Installation and Verification" (page 24)

Prerequisites

This section lists the prerequisites for installing HP-UX Secure Shell.

System Requirements

Table 2-1 lists the minimum system requirements for installing HP-UX Secure Shell.
3. Select maintenance and support for hp products in the left navigation bar. The maintenance and support for hp products page is displayed.
4. Select standard patch bundles - find patch bundles in the patching section. The find bundles page is displayed.
5. Select HP-UX patch bundles in the Bundles for HP-UX section. The standard HP-UX patch bundles index page is displayed.
6. This page lists the release dates for the current patch bundles in the release name section.
3. Select HP-UX Secure Shell in the product catalog. The HP-UX Secure Shell page is displayed.
4. Select the Receive for Free>> option at the bottom right of the page.
5. Select the appropriate release of HP-UX operating system.
6. Enter the registration information.
7. Read and accept the terms and conditions statements.
8. Click Next>>. The Electronic Delivery Receipt page is displayed.
9. Select the HP-UX Secure Shell depot under Download Software.
  T1471AA  A.04.50.012  HP-UX Secure Shell

NOTE: The version number displayed in the output varies according to the version of HP-UX Secure Shell you installed.
3 HP-UX Secure Shell Authentication Methods This chapter describes the authentication methods supported by HP-UX Secure Shell.
Table 3-1 Advantages and Disadvantages of HP-UX Secure Shell Authentication Methods (continued)

  Authentication Method                           Advantages                                            Disadvantages
  Host-based                                      Simple and easy to manage.
  Generic Security Service Application            Uses a centrally managed third party Key              Large management overhead, including
  Programming Interface (GSS-API)                 Distribution Center (KDC) server that manages         creating and maintaining tickets.
  authentication using Kerberos                   tickets for all clients.
HP-UX Secure Shell verifies the password that you enter against the password in the /etc/passwd file and allows access only if the passwords match. For more information on the attributes in an entry in the /etc/passwd file, see passwd(4). The /etc/passwd file gets default values such as ABORT_LOGIN_ON_MISSING_HOMEDIR, BOOT_AUTH, and BOOT_USERS from the /etc/default/security file. For more information on the different default values, see security(4). Using the /etc/pam.
Public-key authentication uses the following types of keys (referred to as a key pair or an asymmetric key pair):
• Private key – A private key can be used only by its owner and must not be revealed to others. It can be encrypted with a passphrase to give it an extra layer of security.
• Public key – The public key is placed on the remote server that users attempt to access.

Following are the important features of a key pair:
• The key pair is asymmetric.
NOTE: The client cannot pick the correct key pair if there are multiple key pairs of the same type in the $HOME/.ssh directory, for instance, three RSA key pairs. HP-UX Secure Shell does not have a configuration directive that can inform the client about multiple key pairs. However, you can specify a key file name in the HP-UX Secure Shell client using the -i option. For more information on the -i option, see ssh(1).
Figure 3-1 Using Kerberos with HP-UX Secure Shell
[Figure: Secure Shell client, Secure Shell server, Kerberos client and KDC domain controller. Flows shown: establish a secure tunnel, authenticate the server, request TGT, return TGT, request ST using TGT, return ST, present ST, mutual authentication, encrypted session.]

The following events occur when HP-UX Secure Shell uses Kerberos for authentication:
1. A secure tunnel is established between the HP-UX Secure Shell client and HP-UX Secure Shell server.
Shell client presents its credentials. The HP-UX Secure Shell server matches these credentials against its copy of credentials for a specific user. The user is also identified with a password. The server can also optionally establish the legitimacy of the client host environment.

Keyboard-Interactive Authentication

Keyboard-Interactive Authentication, also known as challenge-response authentication, is a generic authentication method that can be used to implement authentication methods.
When an HP-UX Secure Shell user attempts host-based authentication with an HP-UX Secure Shell server, the following events occur:
1. The server checks whether the user and host combination is allowed for host-based authentication in the /etc/shosts.equiv or $HOME/.shosts file.
2. If the user and host combination is allowed, the HP-UX Secure Shell server creates a challenge string, encrypts it with the public key of the client, and sends it to the client.
4 Configuring HP-UX Secure Shell Authentication Methods This chapter describes how to configure HP-UX Secure Shell authentication methods.
2. Create a user name in the HP-UX Secure Shell server that the HP-UX Secure Shell client can use to connect to the HP-UX Secure Shell server.
3. To ensure that the sshd daemon is running, run the following command on the server system:
   $ ps -ef | grep sshd
4. To connect to the server, run the following command on the client system:
   $ ssh -o "PreferredAuthentications=password" user@remotehost
   Where:
   user  Specifies the user name that you will use to connect to the HP-UX Secure Shell server.
   PasswordAuthentication yes
4. Run the following command on the client system:
   $ ssh Clay
   Depending on the authentication method that you configure in the /etc/pam.conf file, you are prompted for the relevant information.

Configuring Public-Key Authentication

To configure public-key authentication, follow these steps:
1. To generate an RSA (or DSA) key pair, run the following command on the client:
   # ssh-keygen -t [rsa|dsa]
   The following output is displayed:
   Generating public/private rsa key pair.
   The following output is displayed:
   The authenticity of host 'remoteuser.remotehost (15.70.189.130)' can't be established.
   RSA key fingerprint is 2a:c9:77:ad:d5:d3:ef:c3:1e:12:12:9e:3a:9f:c0:38.
   Are you sure you want to continue connecting (yes/no)?
5. Enter yes to continue with the connection. The following message is displayed:
   Warning: Permanently added 'itanika2.india.hp.com' (RSA) to the list of known hosts.
   Enter no if you do not want to continue with the connection.
5. To connect to the remote server, run the following command from the client system:
   # ssh <remote-host>
   Where:
   <remote-host>  Specifies the name of the remote system to which you want to connect.
   The default setting in the /opt/ssh/etc/ssh_config and /opt/ssh/etc/sshd_config files enables Kerberos authentication. Unless you change the /opt/ssh/etc/ssh_config and /opt/ssh/etc/sshd_config files to deny Kerberos authentication, you can log in remotely without being prompted for a password.
"Manual Configuration Of The Kerberos Server" in Kerberos Server Version 3.12 Administrator's Guide, available at: http://www.docs.hp.com/en/internet.html#Kerberos

The following Kerberos server daemons are automatically started when you use the /opt/krb5/sbin/krbsetup tool to configure the Kerberos server:
their user ID and password. Kerberos administrators must use a communication method that complies with the security policies of their organization.

NOTE: The Kerberos administrator can use the following administrative tools to create user information:
• /opt/krb5/admin/kadminl or /opt/krb5/admin/kadminl_ui if the Kerberos administrator is local.
• /opt/krb5/admin/kadmin or /opt/krb5/admin/kadmin_ui if the Kerberos administrator is remote.
8. In the HP-UX Secure Shell client system, run the following command to invoke the KDC service and obtain a ticket granting ticket (TGT):
   # kinit <username>
   The Kerberos client prompts the Kerberos administrator for the Kerberos password:
   Password for <username>@krb_mc.realm:
   Where:
   <username>  Specifies the user name.
   If you enter the correct password, the Kerberos server provides the TGT to the client.
Configuring Keyboard-Interactive Authentication

To configure Keyboard-Interactive authentication, set either of the following directives in the /opt/ssh/etc/ssh_config configuration file:
   ChallengeResponseAuthentication yes
   UsePAM yes

NOTE: If the HP-UX Secure Shell client requests the Keyboard-Interactive authentication method and the underlying PAM module is a simple one-password function, Keyboard-Interactive authentication works the same way as password authentication.
   # cat /opt/ssh/etc/ssh_host_dsa_key.pub | ssh root@RemoteMachine 'cat >> /opt/ssh/etc/ssh_known_hosts'
   Or
   # cat /opt/ssh/etc/ssh_host_rsa_key.pub | ssh root@RemoteMachine 'cat >> /opt/ssh/etc/ssh_known_hosts'
   For SSH-1:
   # cat /opt/ssh/etc/ssh_host_key.pub | ssh root@RemoteMachine 'cat >> /opt/ssh/etc/ssh_known_hosts'
   You can view the /opt/ssh/etc/ssh_known_hosts file on the server and verify that the public host key of the client has been added to this file.
Configuring User-Specific Authentication

You can configure HP-UX Secure Shell to enable different authentication methods for different users. You can also configure HP-UX Secure Shell to allow users to log in as superuser only if their ttys are listed in the /etc/securetty file. To enable these functionalities, HP-UX Secure Shell includes the Auth Selection patch and a new configuration directive called EnforceSecureTTY.
Example 4-3 To Enable all Users Except User U1 to Authenticate Using Kerberos Authentication

Add the following line in the sshd_config file:
   KerberosAuthDenyUsers U1

NOTE: These configuration directives are not specified in the default sshd_config file. To change the default setting of these configuration directives, you must add the directive in the sshd_config file and assign a value to it.
Steps by Which the sshd Daemon Uses the Configuration Directives in the Auth Selection Patch

Following is the sample process outlined in Figure 4-1 (page 46):
1. The sshd daemon checks if the PasswordAuthDenyUsers configuration directive is specified in the sshd_config file.
2. If the PasswordAuthDenyUsers configuration directive is specified, then the sshd daemon checks to see if user U1 is specified in the list.
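The process above walks the per-method allow and deny lists for a single user. The following shell script, added here as an illustration and not taken from the HP guide or from the Auth Selection patch, evaluates those lists for a given user and method against a constructed sshd_config fragment. Only the first two steps of the flowchart are reproduced on this page, so the script assumes that a user named in a <Method>AuthDenyUsers list is denied that method even if also named in <Method>AuthAllowUsers, and that an absent AllowUsers directive means all users (the documented defaults: allow all, deny none). It also follows sshd's rules that keywords match case-insensitively and the first uncommented occurrence wins.

```sh
#!/bin/sh
# Added example: evaluate the Auth Selection <Method>AuthAllowUsers and
# <Method>AuthDenyUsers directives for one user. Not HP's code.
# Assumptions: deny wins over allow; an absent AllowUsers means "allow all";
# keywords match case-insensitively and the first occurrence wins.

# users_in_directive FILE DIRECTIVE: print the users listed on the first
# uncommented occurrence of DIRECTIVE (one per line), or nothing.
users_in_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) {
        for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# directive_present FILE DIRECTIVE: exit 0 if DIRECTIVE appears uncommented.
directive_present() {
    awk -v d="$2" 'BEGIN { rc = 1 }
        tolower($1) == tolower(d) { rc = 0; exit }
        END { exit rc }' "$1"
}

# user_in_list USER [WORD...]: exit 0 if USER equals one of the words.
user_in_list() {
    u="$1"; shift
    for w in "$@"; do [ "$w" = "$u" ] && return 0; done
    return 1
}

# auth_decision FILE USER METHOD: print "allow" or "deny".
# METHOD is the directive prefix used by the patch:
# Password, Pubkey, Kerberos, Hostbased or ChallResp.
auth_decision() {
    f="$1"; user="$2"; m="$3"
    if user_in_list "$user" $(users_in_directive "$f" "${m}AuthDenyUsers"); then
        echo deny; return
    fi
    if directive_present "$f" "${m}AuthAllowUsers"; then
        if user_in_list "$user" $(users_in_directive "$f" "${m}AuthAllowUsers"); then
            echo allow
        else
            echo deny
        fi
        return
    fi
    echo allow   # neither directive restricts this user
}

# Constructed sshd_config fragment (sample data, not a real file).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# Examples 4-2 and 4-3 combined: U1 is both allowed and denied Kerberos
KerberosAuthAllowUsers U1
KerberosAuthDenyUsers U1
PasswordAuthDenyUsers U3 U4
hostbasedauthallowusers U5
#PubkeyAuthDenyUsers U2
EOF

# Stand-alone demonstration: one line per (user, method) pair.
for pair in "U1 Kerberos" "U2 Kerberos" "U2 Password" "U3 Password" "U2 Pubkey" "U1 Hostbased"; do
    set -- $pair
    printf '%-4s %-10s %s\n' "$1" "$2" "$(auth_decision "$SAMPLE_CFG" "$1" "$2")"
done
```

Running the script prints one decision per pair; in the sample U1 is denied Kerberos because the deny list wins, U2 is denied Kerberos because an allow list exists and omits U2, and U2 is allowed password and public-key authentication because no directive restricts those methods for U2 (the commented-out PubkeyAuthDenyUsers line is ignored, as in the guide's note about default settings).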
Table 4-6 Behavior of the ssh, scp, and sftp commands with Different Combinations of EnforceSecureTTY and PermitRootLogin

  EnforceSecureTTY  PermitRootLogin      Behavior of the ssh Command                                    Behavior of the scp and sftp Commands
  NO                NO                   Host login and host command executions are not allowed for    Superusers cannot execute the scp and sftp
                                         all users.                                                     commands, regardless of the settings in the
                                                                                                        /etc/securetty file.
  YES               Forced-Command-only  Host login and host command executions are not allowed for
                                         all superusers, regardless of the settings in the
                                         /etc/securetty file.
  YES               Without Password     Host login is allowed only for superusers whose ptys are
                                         listed in the /etc/securetty file. These superusers must
                                         authenticate with a method other than password
                                         authentication. This additional requirement is not related
                                         to EnforceSecureTTY.
  NO                Without Password     Host login is allowed for all superusers. Superusers must
                                         authenticate with a method other than password
                                         authentication. However, this requirement is not related to
                                         EnforceSecureTTY.
Behavioral Differences Between remsh and ssh Logins Because of EnforceSecureTTY

The addition of the EnforceSecureTTY configuration directive modifies the behavior of the ssh login, causing it to differ from a remsh login. Both remsh and ssh logins allow the forced-command option for superusers logging in with a tty not listed in the /etc/securetty file. However, in a remsh login, the settings in the /etc/securetty file are enforced only if a user logs in using password authentication.
5 Configuring HP-UX Secure Shell as a SOCKS Proxy

This chapter describes how to configure HP-UX Secure Shell as a SOCKS proxy. This chapter addresses the following topics:
• "SOCKS Overview"
• "Implementations of SOCKS"
• "DanteSOCKS"
• "Dynamic Port Forwarding" (page 54)

SOCKS Overview

SOCKS is an Internet protocol that enables client-server applications to transparently use the services of a network firewall.
Example 5-1 Connecting to an External Server Using a DanteSOCKS Proxy

Enter the following command to connect to an external server using a DanteSOCKS proxy:
   # ssh -o "ProxyCommand connect -S proxy-server %h %p" external-server
The system is connected to external-server through proxy-server.
Figure 5-1 Dynamic Port Forwarding Process
[Figure not reproduced.]

To establish a connection, an application client calls the SOCKS client, which then makes a connection to the SOCKS server with the following command:
   # ssh -o "ProxyCommand=/usr/bin/connect -S proxy-server %h %p" external-server

Prerequisites

The SOCKS Client product (connect). It is available for download at: http://zippo.taiyo.co.jp/~gotoh/ssh/connect
Example 5-3 Connecting to an External Server Using Dynamic Port Forwarding

Enter the following command to connect to an external server using dynamic port forwarding:
   # ssh -o "ProxyCommand connect -S proxy-server %h %p" external-server
This establishes a connection to external-server using proxy-server.
6 Enabling HP-UX Secure Shell to Take Advantage of High Speed Networks

HP-UX Secure Shell includes a High Performance Enabled SSH/SCP (HPN) patch, which enables HP-UX Secure Shell to take advantage of the large TCP send and receive buffers that are available in high bandwidth networks. In some situations (such as transfers on LANs), the HPN patch can degrade HP-UX Secure Shell performance. In such cases, you can disable the HPN patch by setting HPNDisabled=no in the sshd_config and ssh_config files.
Table 6-1 Configuration Directives to Configure the HPN Patch (continued)

  Configuration Directive  Location           Functionality
  NoneSwitch=[yes/no]      Present on client  Use this configuration directive to switch the encryption cipher to the None cipher after the user is authenticated. You must enable NoneEnabled on the client and server before enabling NoneSwitch. The default value of this directive is no.

NOTE: You cannot use the None cipher in interactive Shell sessions.
7 Troubleshooting HP-UX Secure Shell This chapter discusses methods to troubleshoot problems with HP-UX Secure Shell connections.
  -d  Specifies debug mode. The server sends verbose debug output to the system log and does not put itself in the background. The server does not fork and processes only one connection at a time. This option is intended only for debugging the server.

NOTE: If you run sshd in debug mode, sshd allows only one client connection at a time. Additional clients cannot connect to the HP-UX Secure Shell server until the connected client logs out.
   debug1: Bind to port 1111 on 0.0.0.0.
   Server listening on 0.0.0.0 port 1111.
• Following is the output for the -dd command-line option:
   debug2: load_server_config: filename /opt/ssh/etc/sshd_config
   debug2: load_server_config: done config len = 270
   debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 270
   debug1: sshd version OpenSSH_4.4p1-hpn [ HP-UX Secure Shell-A.04.40.
specifies the file to which the error messages are redirected. You can use this file to analyze the problem or to send the file to HP support if you are unable to solve the problem. You can use multiple -v options to increase the amount and detail of the debug messages. NOTE: You can use a maximum of three -v options to generate different levels of debug messages. Table 7-2 lists the information that is displayed for the -v, -vv, and -vvv debug options.
NOTE: Annotations are highlighted in bold and marked with >>>>. HP-UX Secure Shell does not display these annotations on the console as part of the debug output. Annotations included here are for your information only.

When an HP-UX Secure Shell client connects to the HP-UX Secure Shell server in verbose mode, the following output is displayed:
   # ssh -v
   OpenSSH_4.4, OpenSSL 0.9.7l 25 Oct 2006 HP-UX Secure Shell-A.04.40.
   debug1: Trying private key: /.ssh/id_rsa
   debug1: Trying private key: /.ssh/id_dsa
   debug1: Next authentication method: keyboard-interactive
   >>>> Indicates that public-key authentication has failed and the client is trying the next authentication method on the list.
   Password:
   >>>> Indicates the password prompt in which you must enter your HP-UX Secure Shell password.
   debug1: Authentication succeeded (keyboard-interactive).
   >>>> Indicates that the authentication succeeded.
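The annotated transcript above is read by eye; when checking many hosts, for instance to confirm that a server really refuses password authentication after it has been disabled, it helps to extract the same facts mechanically. The following shell script is an added example, not part of the HP guide, that summarises the authentication phase of an `ssh -v` transcript: which methods the client attempted, how many private keys it offered, and which method finally succeeded. It works on the debug1 lines shown above, so it never needs the higher debug levels that the guide warns can expose private keys. The transcript it reads is constructed from those lines.

```sh
#!/bin/sh
# Added example (not from the HP guide): summarise the authentication phase
# of an `ssh -v` transcript. Input is the debug1 output format shown above.

# methods_tried FILE: print the methods the client attempted, in order,
# separated by spaces on one line.
methods_tried() {
    awk '/^debug1: Next authentication method: / {
             printf "%s%s", (n++ ? " " : ""), $NF }
         END { printf "\n" }' "$1"
}

# method_succeeded FILE: print the method named in
# "debug1: Authentication succeeded (<method>)." or "none" if absent.
method_succeeded() {
    awk '/^debug1: Authentication succeeded \(/ {
             m = $0; sub(/.*\(/, "", m); sub(/\).*/, "", m); found = m }
         END { print (found != "" ? found : "none") }' "$1"
}

# keys_tried FILE: count the private keys the client offered
# ("Trying private key" lines; each one was rejected or missing).
keys_tried() {
    awk '/^debug1: Trying private key: / { n++ } END { print n + 0 }' "$1"
}

# Constructed transcript, built from the debug1 lines quoted in the guide.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
EOF

# Stand-alone demonstration.
echo "methods tried:    $(methods_tried "$SAMPLE_LOG")"
echo "keys tried:       $(keys_tried "$SAMPLE_LOG")"
echo "method succeeded: $(method_succeeded "$SAMPLE_LOG")"
```

On the sample transcript the summary shows that public-key authentication was attempted with two keys and failed, and that keyboard-interactive succeeded. If the intent was to require public-key authentication, a "method succeeded" value other than publickey is the finding to follow up on the server side.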
IMPORTANT: Be cautious when using debug levels higher than debug1. HP-UX Secure Shell displays sensitive information at higher levels, such as the private keys of the user or server.

Logging Error and Debug Messages

HP-UX Secure Shell logs error messages in different locations depending on how debugging is configured. Following are the different locations in which HP-UX Secure Shell logs error and debug messages:
• The /var/adm/syslog/syslog.
Reporting Problems

If you are unable to troubleshoot HP-UX Secure Shell yourself, follow these steps:
1. Read the release notes for HP-UX Secure Shell to see if the problem is known. If it is, follow the instructions offered to solve the problem. The release notes for HP-UX Secure Shell are available at: http://www.docs.hp.com/en/internet.html#Secure%20Shell
2. Access http://www.2itrc.hp.
A Configuration Files and Directives This appendix describes the configuration files that are created upon installing HP-UX Secure Shell. This appendix also describes various configuration directives available in the HP-UX Secure Shell server and client configuration files.
NOTE: Numerical group IDs are not recognized.

For example:
   AllowGroups root staff users

AllowTCPForwarding

Use this directive to enable or disable TCP forwarding. The default setting is YES.

NOTE: To improve security, disable TCP forwarding and deny users shell access.

For example:
   AllowTcpForwarding YES

AuthorizedKeysFile

Use this directive to specify the file to be used for public-key authentication. The AuthorizedKeysFile can contain tokens in a %T form, where T is the token.
   ChallRespAuthDenyUsers Deny none

ChrootDirectory

Use this directive to specify the path to chroot to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. The default setting is not to chroot.

For example:
   ChrootDirectory not to chroot

ClientAliveCountMax

The ClientAliveCountMax directive enables a client or a server to detect an inactive connection.
NOTE: This configuration directive is specific to HP-UX Secure Shell, and is not available in the OpenSSH base code.

DenyGroups

Use this directive to deny login for users whose primary group or supplementary group list matches one of the specified strings. This directive must be followed by a list of group name strings separated by spaces. You can use the star (*) and question mark (?) characters as wildcards in the strings.

NOTE: Only group names are valid; numerical group IDs are not recognized.
GatewayPorts

Use this directive to specify whether the sshd daemon allows remote port forwardings to bind to non-loopback IP addresses, enabling other hosts to connect. Use one of the following arguments with this directive:

  no               Forces remote port forwardings to be available to the local host only.
  YES              Forces remote port forwardings to bind to the wildcard addresses.
  clientspecified  Enables the client to select the address to which the port must be forwarded.
For example:
   HostbasedAuthAllowUsers Allow All

HostbasedAuthDenyUsers

This configuration directive has been introduced by the 3rd party Auth Selection patch. Use this configuration directive to specify which users cannot authenticate using host-based authentication. The default setting is to deny no users.

For example:
   HostBasedAuthDenyUsers Deny None

HostbasedAuthentication

Use this directive to specify whether host-based authentication combined with successful public-key authentication is enabled.
   IgnoreUserKnownHosts no

KerberosAuthAllowUsers

This configuration directive has been introduced by the 3rd party "Auth Selection" patch. Use this configuration directive to specify which users can authenticate using GSSAPI authentication. The default setting is to allow all users.

For example:
   KerberosAuthAllowUsers Allow All

KerberosAuthDenyUsers

This configuration directive has been introduced by the 3rd party "Auth Selection" patch.
If a port is not specified, the sshd daemon listens on the specified address and all prior specified port options. You can specify multiple ListenAddress options. Port directives must precede ListenAddress directives for non-port-qualified addresses. The default setting is 0.0.0.0 (listen on all local addresses).

For example:
   ListenAddress 0.0.0.0

LoginGraceTime

Use this directive to specify the period of time that sshd waits for users to log in.
   Match User xxxx
       X11DisplayOffset 20

In the above configuration, the criterion User is given as the argument for Match, and the X11DisplayOffset option is set below it. This directive overrides the global section of the sshd_config file for user xxxx.

MaxAuthTries

Use this directive to specify the maximum number of authentication attempts that are permitted per connection. The default value is 6.
PermitOpen

Use this directive to specify the destinations to which TCP port forwarding is permitted. Previous releases of HP-UX Secure Shell specified this option in the authorized_keys file.

For example:
   PermitOpen host3:23

In the above scenario, HP-UX Secure Shell permits port forwardings only to the host specified by the PermitOpen directive.

PermitRootLogin

Use this directive to enable users to log in as superuser using ssh.
PidFile

Use this directive to specify where to look for the sshd process ID (PID). This file contains the most recent instance of the running sshd daemon if multiple sshd daemons are running. If an sshd daemon is not running, this file is empty.

NOTE: This directive is not valid if you start sshd in debug mode.

The default value is /var/run/sshd.pid

For example:
   PidFile /var/run/sshd.pid

Port

Use this directive to ensure that the sshd daemon listens on a particular port.
PubkeyAuthAllowUsers Allow All
PubkeyAuthDenyUsers
This configuration directive has been introduced by the 3rd party “Auth Selection” patch. Use it to specify which users cannot authenticate using public-key authentication. The default setting of this directive is to deny no users. For example:
PubkeyAuthDenyUsers Deny none
PubkeyAuthentication
Use this directive to specify whether public-key authentication is allowed. The default setting is yes.
NOTE: This directive is available for the SSH-2 protocol only.
internal-sftp implements an in-process SFTP server. This may simplify configurations that use the ChrootDirectory directive to force a different file system root on clients, because no sftp-server binary (or the libraries it depends on) has to be present inside the chroot. By default no subsystems are defined.
NOTE: The Subsystem directive applies to SSH protocol version 2 only.
SyslogFacility
Use this directive to specify the facility code used when logging messages from the sshd daemon. The default setting is AUTH. Table A-2 lists the valid values for the SyslogFacility directive.
For example:
UseLogin no
UsePAM
Use this directive to enable PAM authentication and session setup.
NOTE: If both PasswordAuthentication and UsePAM are set to yes, the user is given three chances to enter the correct password, after which a new prompt is displayed indicating that ssh has switched to the password authentication method.
The default setting is yes.
TIP: HP recommends that you disable password authentication when enabling the UsePAM directive.
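The script below is an added example, not part of the guide: it audits the global section of an sshd_config against the points made above (PermitRootLogin, password authentication together with UsePAM, MaxAuthTries) and against X11UseLocalhost, and it carries a weak configuration beside its corrected counterpart so the two can be compared. The defaults it assumes for unset keywords are the OpenSSH ones quoted in this appendix (PermitRootLogin yes, PasswordAuthentication yes, UsePAM yes, MaxAuthTries 6, X11UseLocalhost yes) plus X11Forwarding no, which this appendix does not state; Match blocks are not evaluated, and both configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit an sshd_config and print one
# finding per weak setting. Assumptions: plain global-section syntax (Match
# blocks are not evaluated; parsing stops at the first Match line); the first
# value set for a keyword wins; unset keywords take the defaults named in the
# lead-in. The two configurations below are constructed for illustration.

WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
MaxAuthTries 10
X11Forwarding yes
X11UseLocalhost no
'

# Corrected counterpart: no direct root login, PAM used for account and
# session checks only, key-based authentication, fewer guesses per connection.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
MaxAuthTries 4
X11Forwarding no
'

# setting KEYWORD DEFAULT  (config on stdin): first value of KEYWORD in the
# global section, or DEFAULT if it is not set before the first Match line.
setting() {
    awk -v kw="$1" -v def="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(kw) { print $2; found = 1; exit }
    END { if (!found) print def }'
}

# get KEYWORD DEFAULT: lower-cased value taken from the configuration in $cfg.
get() { printf '%s\n' "$cfg" | setting "$1" "$2" | tr 'A-Z' 'a-z'; }

# audit_sshd_config  (config on stdin): prints findings, one per line, and
# returns 1 if any were found, 0 otherwise.
audit_sshd_config() {
    cfg=$(cat)
    findings=0
    if [ "$(get PermitRootLogin yes)" = yes ]; then
        echo "PermitRootLogin yes: use no or forced-commands-only"
        findings=$((findings + 1))
    fi
    if [ "$(get PasswordAuthentication yes)" = yes ] && [ "$(get UsePAM yes)" = yes ]; then
        echo "PasswordAuthentication yes with UsePAM yes: disable password authentication"
        findings=$((findings + 1))
    fi
    if [ "$(get MaxAuthTries 6)" -gt 6 ]; then
        echo "MaxAuthTries above 6: more guesses per connection than the default"
        findings=$((findings + 1))
    fi
    if [ "$(get X11Forwarding no)" = yes ] && [ "$(get X11UseLocalhost yes)" = no ]; then
        echo "X11UseLocalhost no: forwarded displays are bound to the wildcard address"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demonstration when run directly.
echo "weak configuration:";     printf '%s\n' "$WEAK_SSHD_CONFIG"     | audit_sshd_config || true
echo "hardened configuration:"; printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && echo "no findings"
```

Run it as `audit_sshd_config < /opt/ssh/etc/sshd_config` on a real system; a non-zero exit status is convenient for a compliance job. Because Match blocks are skipped, a clean result says nothing about what a Match block re-enables for particular users.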
localhost. This prevents remote hosts from connecting to the proxy display. However, some older X11 clients cannot function with this configuration. Set the X11UseLocalhost directive to no to bind the forwarding server to the wildcard address; this exposes the forwarded display to any host that can reach the server, so do it only where the older clients require it. The default setting is yes. For example:
X11UseLocalhost no
Sample HP-UX Secure Shell Server Configuration File
Following is a sample HP-UX Secure Shell server configuration file:
# $OpenBSD: sshd_config,v 1.
#ChallRespAuthDenyUsers [skey] user1 user2 ...
#ChallRespAuthAllowUsers [securid] user1 user2 ...
#ChallRespAuthDenyUsers [securid] user1 user2 ...
#GSSAPIAuthAllowUsers
#GSSAPIAuthDenyUsers
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.
# tcp receive buffer polling. enable in autotuning kernels
#TcpRcvBufPoll no
# allow the use of the none cipher
#NoneEnabled no
# disable hpn performance boosts.
NOTE: The BindAddress directive does not work if the UsePrivilegedPort directive is set to yes.
ChallengeResponseAuthentication
Use this directive to specify whether to use challenge-response (keyboard-interactive) authentication. The default setting is yes. For example:
ChallengeResponseAuthentication yes
CheckHostIP
Use this directive to specify whether ssh additionally checks the host IP address in the known_hosts file. With this check, HP-UX Secure Shell can detect a host key that has changed because of DNS spoofing, because the key presented by the server is compared with the entry recorded for the IP address as well as with the one recorded for the host name. The default setting is yes.
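As an added example (not code from the guide or from OpenSSH), the following script reproduces the comparison that CheckHostIP adds: it looks up the key recorded in known_hosts under the host name and under the IP address the name resolved to, and reports whether the two agree. The known_hosts content is constructed and its keys are placeholders; hashed entries and @-marker lines are skipped.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide or OpenSSH: the client-side
# comparison that CheckHostIP performs. Assumptions: plain (unhashed)
# known_hosts lines of the form "name[,name...] keytype base64key"; hashed
# (|1|...) lines and @cert-authority/@revoked markers are skipped; the keys
# below are constructed placeholders, not real host keys.

SAMPLE_KNOWN_HOSTS='# constructed known_hosts for illustration
server01.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkey1
server02.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkey2
10.0.0.6 ssh-dss AAAAB3NzaC1kc3MAAACBAJkey3
|1|hashedsalt=|hashedname= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkey4
'

# known_host_key NAME  (known_hosts on stdin): prints "keytype key" from the
# first line whose name list contains NAME, or nothing if NAME is absent.
known_host_key() {
    awk -v want="$1" '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    /^[@|]/ { next }                        # markers and hashed entries: not handled
    {
        n = split($1, names, ",")
        for (i = 1; i <= n; i++)
            if (names[i] == want) { print $2 " " $3; exit }
    }'
}

# check_host_ip NAME IP  (known_hosts on stdin)
# Prints one of: match, unknown-host, unknown-ip, MISMATCH.
check_host_ip() {
    kh=$(cat)
    key_by_name=$(printf '%s\n' "$kh" | known_host_key "$1")
    key_by_ip=$(printf '%s\n' "$kh" | known_host_key "$2")
    if [ -z "$key_by_name" ]; then
        echo unknown-host      # first contact: StrictHostKeyChecking decides what happens
    elif [ -z "$key_by_ip" ]; then
        echo unknown-ip        # ssh records the IP entry and warns that it did so
    elif [ "$key_by_name" = "$key_by_ip" ]; then
        echo match
    else
        echo MISMATCH          # name and address carry different keys: spoofed DNS or a rekeyed host
    fi
}

# Demonstration when run directly.
for pair in "server01.example.com 10.0.0.5" "server02.example.com 10.0.0.6" "server02.example.com 10.0.0.7"; do
    set -- $pair
    printf '%s -> %s: %s\n' "$1" "$2" "$(printf '%s\n' "$SAMPLE_KNOWN_HOSTS" | check_host_ip "$1" "$2")"
done
```

The second pair is the case CheckHostIP exists for: the name still matches its recorded key, but the address it resolved to is known under a different one. Note that with a ProxyCommand ssh never learns the address the proxy connected to, which is why the check is unavailable there.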
ClearAllForwardings
Use this directive to specify that all local, remote, and dynamic port forwardings given in the configuration files or on the command line are cleared. This option is useful for clearing port forwardings set in configuration files, and it is set automatically by the scp and sftp commands. The default setting is no. For example:
ClearAllForwardings yes
Compression
Use this directive to specify whether to use compression. Setting this directive to yes can improve throughput over slow links, at the cost of CPU time on both ends.
HP-UX Secure Shell listens for control connections, but it requires confirmation using the SSH_ASKPASS program before these connections are accepted. For more information, see ssh-add(1). The default setting is no. For example:
ControlMaster no
ControlPath
Use this directive to specify the path to the control socket used for connection sharing. To disable connection sharing, set ControlPath to none. Any local user who can open the socket can reuse the already authenticated connection, so place it in a directory that is not writable by other users. The following substitutions occur for the ControlPath value:
%h Specifies the target host name.
ExitOnForwardFailure
Use this directive to specify whether ssh(1) must terminate the connection if it cannot set up all requested dynamic, local, and remote port forwardings. The values for ExitOnForwardFailure are yes or no. The default value is no. For example:
ExitOnForwardFailure no
ForwardAgent
Use this directive to specify whether the connection to the authentication agent is forwarded to the remote machine.
NOTE: Enable agent forwarding with caution. Users who can bypass file permissions on the remote host (root, in particular) can reach the forwarded agent socket and authenticate with your keys for as long as the connection is open. Enable it only for hosts whose administrators you trust.
GlobalKnownHostsFile
Use this directive to specify a file to be used for the global host key database instead of /opt/ssh/etc/ssh_known_hosts. The default setting is /opt/ssh/etc/ssh_known_hosts. For example:
GlobalKnownHostsFile /opt/new_known_hosts
GSSAPIAuthentication
Use this directive to specify whether user authentication based on GSS-API is enabled. The default setting is no. For example:
GSSAPIAuthentication no
NOTE: This directive is available for the SSH-2 protocol only.
HostKeyAlgorithms ssh-dss
HostKeyAlias
Use this directive to specify an alias that is used instead of the real host name when looking up or saving the host key in the host key database files. This is useful for tunneling SSH connections or for multiple servers running on a single host, because each alias gets its own known_hosts entry and a changed key is still detected. This directive has no default value. For example:
HostKeyAlias server01
HostName
Use this directive to specify the real host name to log in to.
LocalForward localhost:5001 remotehost:23
LogLevel
Use this directive to specify the verbosity level used when logging messages from ssh. Table A-3 lists the valid values for the LogLevel directive.
Table A-3 LogLevel Values
Value    Description
QUIET    Does not log any messages.
FATAL    Logs only fatal messages.
NumberOfPasswordPrompts
Use this directive to specify the number of password prompts before HP-UX Secure Shell gives up authenticating the user. The default setting is 3. For example:
NumberOfPasswordPrompts 3
PasswordAuthentication
Use this directive to specify whether to use password-based authentication. The default setting is yes. For example:
PasswordAuthentication yes
Port
Use this directive to specify the port number to connect to on the remote host. The default setting is 22.
• %h is replaced by the host name
• %p is replaced by the port number
NOTE: The CheckHostIP directive is not available for connections that use a ProxyCommand, because the proxy, not ssh, makes the TCP connection and ssh does not learn the address it connected to.
PubkeyAuthentication
Use this directive to specify whether to use public-key authentication. The default setting is yes. For example:
PubkeyAuthentication yes
NOTE: This directive is available for the SSH-2 protocol only.
The default is not to send any environment variables. For example:
SendEnv DISPLAY
where DISPLAY is set as follows on the HP-UX Secure Shell client system:
$ export DISPLAY=john.users.com:0.0
NOTE: Environment passing is available for the SSH-2 protocol only. The server must also support environment passing, and it must be configured to accept the variables: the server honours only the names listed in its AcceptEnv directive. Because some environment variables can be used to bypass restricted user environments, the server side should accept only variables with a clear purpose. For more information on configuring the server, see “AcceptEnv” (page 67).
HP-UX Secure Shell adds new host keys to the user's known_hosts file only after confirming with the user, and it refuses to connect to a host whose host key has changed. The host keys of known hosts are verified automatically. The default setting is ask. For example:
StrictHostKeyChecking ask
TCPKeepAlive
Use this directive to specify whether the client sends TCP keepalive messages to the server.
VerifyHostKeyDNS no
NOTE: This option is available for the SSH-2 protocol only.
XAuthLocation
Use this directive to specify the full path name of the xauth utility. The default setting is /usr/bin/X11/xauth. For example:
XAuthLocation /usr/bin/X11/xauth
Sample HP-UX Secure Shell Client Configuration File
Following is a sample HP-UX Secure Shell client configuration file:
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
#
# This is the ssh client system-wide configuration file.
B Sample /etc/krb5.conf File
This appendix provides a sample /etc/krb5.conf file.
The /etc/krb5.conf Configuration File
Following is a sample Kerberos configuration file, /etc/krb5.conf, on the HP-UX Secure Shell client system. The single-DES encryption type it lists (DES-CBC-CRC) is weak by current standards and is deprecated for Kerberos; where the KDC supports them, prefer AES or at least triple-DES encryption types.
#
# Kerberos configuration
#
# See krb5.conf(4) for more details
#
[libdefaults]
        default_realm = REALM
        default_tkt_enctypes = DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-CRC
        ccache_type = 2
[realms]
        REALM = {
                kdc = hostname.domainname.com:88
                admin_server = hostname.