HP-UX Secure Shell Getting Started Guide

Configuring User-Specific Authentication
You can configure HP-UX Secure Shell to enable different authentication methods for different
users. You can also configure HP-UX Secure Shell to allow users to log in as superuser only if
their ttys are listed in the /etc/securetty file. To provide these features, HP-UX Secure
Shell includes the Auth Selection patch and a new configuration directive called
EnforceSecureTTY. For more information on these functions, see the following sections:
“The Auth Selection Patch”
“The EnforceSecureTTY Configuration Directive” (page 47)
The Auth Selection Patch
HP-UX Secure Shell includes a third-party Auth Selection patch, which enables you to configure
different authentication methods for different users. The Auth Selection patch provides a set of
12 configuration directives to implement this feature. These configuration directives can be
broadly classified as Allow and Deny configuration directives. Table 4-5 lists the 12 configuration
directives.
Table 4-5 Configuration Directives Provided by the Auth Selection Patch
Deny Configuration Directives         Allow Configuration Directives
KerberosAuthDenyUsers                 KerberosAuthAllowUsers
KerberosorLocalPasswdAuthDenyUsers    KerberosorLocalPasswdAuthAllowUsers
PubkeyAuthDenyUsers                   PubkeyAuthAllowUsers
HostbasedAuthDenyUsers                HostbasedAuthAllowUsers
ChallRespAuthDenyUsers                ChallRespAuthAllowUsers
PasswordAuthDenyUsers                 PasswordAuthAllowUsers
These directives are similar to the AllowUsers and DenyUsers configuration directives.
However, these new configuration directives allow or deny users permission to authenticate
using a particular authentication method. By default, all the “Allow” configuration directives
enable all users to authenticate and all the “Deny” directives deny no user. The following examples
show how to use these configuration directives:
Example 4-1 To Enable All Users to Authenticate Using Public Key Authentication
Add the following line in the sshd_config file:
PubkeyAuthAllowUsers *
Example 4-2 To Enable User U1 to Authenticate Using Kerberos Authentication
Add the following line in the sshd_config file:
KerberosAuthAllowUsers U1
You need not set the KerberosAuthDenyUsers configuration directive. Use the configuration
directive that has fewer members.
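The following Python script is an added example, not part of this guide or of HP-UX Secure Shell: it reads the directives from Table 4-5 out of sshd_config text and reports which authentication methods a given user is permitted to use. It assumes the directives combine the way AllowUsers and DenyUsers do (a Deny match wins, and a non-empty Allow list admits only the users it names); the function names and the PasswordAuthDenyUsers sample line are constructed for illustration.

```python
import fnmatch

# The six method prefixes from Table 4-5; each has an AllowUsers and a DenyUsers form.
METHODS = ["KerberosAuth", "KerberosorLocalPasswdAuth", "PubkeyAuth",
           "HostbasedAuth", "ChallRespAuth", "PasswordAuth"]

# Constructed sample: the first two lines are Examples 4-1 and 4-2, the last is made up.
SAMPLE = """\
PubkeyAuthAllowUsers *
KerberosAuthAllowUsers U1
# keep privileged accounts off passwords
PasswordAuthDenyUsers root admin*
"""

def parse_auth_selection(config_text):
    """Collect the Auth Selection user lists from sshd_config text."""
    rules = {m: {"allow": [], "deny": []} for m in METHODS}
    keywords = {}
    for m in METHODS:
        keywords[(m + "AllowUsers").lower()] = (m, "allow")
        keywords[(m + "DenyUsers").lower()] = (m, "deny")
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        hit = keywords.get(parts[0].lower())  # sshd_config keywords are case-insensitive
        if hit:
            rules[hit[0]][hit[1]].extend(parts[1:])
    return rules

def _matches(user, patterns):
    # fnmatchcase handles the * and ? wildcards; user names are compared case-sensitively.
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)

def allowed_methods(rules, user):
    """Methods the user is permitted to authenticate with (assumed semantics, see lead-in)."""
    result = []
    for m in METHODS:
        if _matches(user, rules[m]["deny"]):
            continue  # assumption: a Deny match always wins
        if rules[m]["allow"] and not _matches(user, rules[m]["allow"]):
            continue  # assumption: a non-empty Allow list admits only its members
        result.append(m)
    return result

if __name__ == "__main__":
    rules = parse_auth_selection(SAMPLE)
    for user in ("U1", "U2", "root"):
        print(user, allowed_methods(rules, user))
```

Running a check like this against the deployed sshd_config shows at a glance whether privileged accounts are still permitted a weaker method such as password authentication.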