Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2/2008
HP-UX Secure Shell Example (SSH)
HP-UX Secure Shell supports several authentication methods. For this example, SSH will be configured
using Kerberos authentication because it integrates into the same existing Unified Login design that
has been shown for CIFS and Secure Internet Services. SSH uses the same secure authentication
protocol as our earlier examples, but provides additional security by encrypting data transfers over
the SSH tunnel. The tunneling feature of SSH has many configuration options, but the purpose of this
example is to show how to integrate SSH into the existing Kerberos Unified Login authentication
configuration from our previous examples. Therefore, only Kerberos-enablement configuration settings
are displayed.
HP-UX SSH is included by default on most HP-UX operating environments. In this example, a tunnel
will be created between our two HP-UX systems, so HP-UX Secure Shell is configured on both systems.
swlist -l product | grep -i secure_shell
Secure_Shell A.05.10.026 HP-UX Secure Shell
NOTE: Like the other HP-UX software products, SSH is available for free at www.software.hp.com.
Configuration
The SSH configuration files are:
/opt/ssh/etc/sshd_config
/opt/ssh/etc/ssh_config
Verify that the /opt/ssh/etc/sshd_config file has these settings:
PasswordAuthentication yes
~
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
~
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
~
UsePAM yes
Verify that the /opt/ssh/etc/ssh_config file has these settings:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Now /etc/pam.conf must be modified to enable SSH. Add the following lines to the authentication
section:
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
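The two "verify that the file has these settings" steps above can be scripted. The following is an added example, not part of the original HP document: a POSIX shell check that reports which of the listed settings are missing or set to a different value. The function names (effective_value, check_settings, check_sshd, check_ssh) and the sample file are constructed for illustration, and the check assumes OpenSSH-style parsing in which keywords are case-insensitive and the first value found for a keyword applies.

```shell
# effective_value FILE KEYWORD: print the first uncommented value set for KEYWORD.
# Assumption: OpenSSH-style parsing (case-insensitive keywords, first value wins).
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# check_settings FILE "Keyword value"...: report each setting, return failure count.
check_settings() {
    file=$1; shift
    failures=0
    for pair in "$@"; do
        key=${pair%% *}; want=${pair#* }
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key: want '$want', found '${got:-unset}'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Server-side settings listed on this page for sshd_config.
check_sshd() {
    check_settings "$1" "PasswordAuthentication yes" \
        "KerberosAuthentication yes" "KerberosOrLocalPasswd yes" \
        "KerberosTicketCleanup yes" "GSSAPIAuthentication yes" \
        "GSSAPICleanupCredentials yes" "UsePAM yes"
}

# Client-side settings listed on this page for ssh_config.
# GSSAPIDelegateCredentials forwards the user's Kerberos credentials to the server.
check_ssh() {
    check_settings "$1" "GSSAPIAuthentication yes" "GSSAPIDelegateCredentials yes"
}

# Constructed sample (not from the page): one setting commented out, one in lower case.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' '#KerberosAuthentication yes' \
    'KerberosOrLocalPasswd yes' 'KerberosTicketCleanup yes' \
    'gssapiauthentication yes' 'GSSAPICleanupCredentials yes' 'UsePAM yes' > "$sample"
check_sshd "$sample" || echo "$? setting(s) need attention"
```

On each HP-UX system, call check_sshd /opt/ssh/etc/sshd_config and check_ssh /opt/ssh/etc/ssh_config; a non-zero return value is the number of settings that differ from the list above.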










