HP CIFS Server and Encrypting Client Connections

HP CIFS Server Configuration
The HP CIFS Server configuration used in this example is the same as the one in the “Integrate
Logins with HP CIFS Server, HP-UX, and Windows 2003R2” whitepaper, available here:
http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf
CIFS Server uses Kerberos for authentication, with a Microsoft Windows 2003R2 KDC and
domain controller.
Secure Shell
HP-UX Secure Shell supports several authentication methods. For this example SSH will be configured
using Kerberos authentication because it integrates into the same existing Unified Login design that
has been shown for CIFS and Secure Internet Services. While SSH uses the same secure
authentication protocol as used in CIFS authentication, it provides additional security by encrypting
data transfers over the SSH tunnel. The tunneling feature of SSH has many configuration options, but
the purpose of this example is to show how to integrate Windows-initiated server-side tunneling.
Therefore, primarily default SSH options will be used.
HP-UX SSH is a separate product that must be installed on the tunneling server. In this example, a
tunnel will be created between our HP-UX CIFS Server and Windows client.
HP-UX Secure Shell (SSH)
# swlist -l product | grep -i secure
Secure_Shell A.05.10.007 HP-UX Secure Shell
NOTE: Like the other HP-UX software products, SSH is available for free at www.software.hp.com.
Configuration
SSH using Kerberos authentication is compatible with the default configuration file settings. The SSH
configuration files are:
/opt/ssh/etc/ssh_config
/opt/ssh/etc/sshd_config
Verify that the /opt/ssh/etc/sshd_config file has these settings:
PasswordAuthentication yes
UsePAM yes
KerberosAuthentication yes
Now /etc/pam.conf must be modified to enable SSH. Add the following lines to the authentication
section:
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
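
The two checks above can be scripted. The following is an added example, not part of the HP whitepaper: it verifies the three sshd_config settings and the order of the sshd auth lines in pam.conf. The function names, temporary paths and sample file contents are constructed for illustration; on a real system, pass /opt/ssh/etc/sshd_config and /etc/pam.conf instead.

```shell
#!/bin/sh
# Added example: audit the sshd_config and pam.conf settings shown above.

# Effective value of an sshd_config keyword. Keywords are case-insensitive
# and sshd uses the first value it reads (Match blocks are not handled).
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Succeeds only if all three settings are explicitly "yes"; a keyword that
# is missing or commented out is reported as unset (assumption: be strict).
check_sshd() {  # usage: check_sshd FILE
    rc=0
    for key in PasswordAuthentication UsePAM KerberosAuthentication; do
        val=$(sshd_value "$1" "$key")
        [ "$val" = "yes" ] || { echo "FAIL: $key=${val:-unset}"; rc=1; }
    done
    return $rc
}

# The sshd auth stack as "control:module[:option]" entries in file order.
pam_stack() {  # usage: pam_stack FILE
    awk '$1 == "sshd" && $2 == "auth" {
             e = $3 ":" $4; if (NF >= 5) e = e ":" $5
             s = s sep e; sep = " " }
         END { print s }' "$1"
}

check_pam() {  # order matters: PAM evaluates the stack top to bottom
    want="required:libpam_hpsec.so.1 sufficient:libpam_krb5.so.1"
    want="$want required:libpam_unix.so.1:try_first_pass"
    [ "$(pam_stack "$1")" = "$want" ]
}

# Constructed sample files (not real system output).
tmp=${TMPDIR:-/tmp}/sshaudit.$$; mkdir -p "$tmp"
printf '%s\n' '# constructed sample' 'passwordauthentication YES' \
    'UsePAM yes' 'KerberosAuthentication yes' \
    'KerberosAuthentication no' > "$tmp/sshd_config"
printf '%s\n' '#sshd auth required libpam_old.so.1' \
    'sshd auth required libpam_hpsec.so.1' \
    'sshd auth sufficient libpam_krb5.so.1' \
    'sshd auth required libpam_unix.so.1 try_first_pass' > "$tmp/pam.conf"
check_sshd "$tmp/sshd_config" && echo "sshd_config OK"
check_pam "$tmp/pam.conf" && echo "pam.conf sshd auth stack OK"
```

The duplicate KerberosAuthentication line in the sample shows why the first occurrence is the one to check: the later "no" is ignored by sshd.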