How to configure Single-Sign-On using OpenSSH on HP/UX

This article provides the steps necessary to configure SSH to allow access using GSSAPI and achieve single sign-on (SSO) using OpenSSH.

  1. Install HP Secure Shell (downloadable from the HP Software Download site: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA)
  2. In order to achieve SSO, OpenSSH first needs to be configured to log on to Active Directory. If Authentication Services is installed and configured, you can make sure that PAM is properly configured by running the following command:
    # /opt/quest/bin/vastool status

    If any errors are returned, review and correct them before continuing.

  3. Configure the SSH server by setting the following directives in /opt/ssh/etc/sshd_config:
    UsePAM yes
    ChallengeResponseAuthentication yes
    PasswordAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
  4. Restart the SSH server.
  5. Configure the SSH client to use GSSAPI. Edit /opt/ssh/etc/ssh_config and add the following lines:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
  6. Configure Kerberos by creating or editing /etc/krb5.conf (in this example we assume the realm EXAMPLE.COM, with an Active Directory domain controller at ad.example.com):
    [libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = /etc/opt/quest/vas/host.keytab
    forwardable = true
  7. Run the following command as root:
    # /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf
  8. Verify that the SSH server and/or client are functioning by first confirming that a login ticket (Kerberos TGT) has been obtained:
    user@client$ klist
    Ticket cache: FILE:/tmp/krb5cc_123abc
    Default principal: user@EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    09/10/07 18:11:22  09/11/07 04:11:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  9. Then connect to the server:
    user@client$ ssh server

Single sign-on should now work from one enabled machine to another enabled machine.
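The following script is an added example, not part of the article or of HP Secure Shell: it checks that the sshd_config directives from step 3 are the values OpenSSH will actually apply, which matters because OpenSSH honours the first uncommented value of a keyword, so a vendor default such as GSSAPIAuthentication no left earlier in the file silently overrides a yes appended at the end. The file names, helper function names and sample configurations are all constructed for the demonstration.

```shell
#!/bin/sh
# Added check, not from the article: OpenSSH uses the FIRST uncommented value it
# reads for a keyword, so a vendor default "GSSAPIAuthentication no" near the top
# of sshd_config silently overrides a "yes" appended at the end. Samples are constructed.

# Print the effective (first uncommented, lower-cased) value of keyword $2 in
# file $1; accepts "Key value" and "Key=value"; prints nothing if unset.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, parts, /[ \t=]+/)
            if (tolower(parts[1]) == tolower(key)) { print tolower(parts[2]); exit }
        }' "$1"
}

# Return 0 only if every directive named in $2.. is effectively "yes" in $1.
check_gssapi_config() {
    file="$1"; shift; rc=0
    for directive in "$@"; do
        value=$(effective_value "$file" "$directive")
        case "$value" in
            yes|true) echo "OK      $directive = yes ($file)" ;;
            *)        echo "MISSING $directive is '${value:-unset}' in $file"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files standing in for /opt/ssh/etc/sshd_config.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.good" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
# vendor default left in place, so the "yes" added later is ignored
GSSAPIAuthentication no
UsePAM yes
#GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
EOF
want="UsePAM ChallengeResponseAuthentication PasswordAuthentication GSSAPIAuthentication GSSAPICleanupCredentials"
check_gssapi_config "$tmp/sshd_config.good" $want
check_gssapi_config "$tmp/sshd_config.bad" $want || echo "fix sshd_config before restarting sshd"
rm -r "$tmp"
```

Run it against the real /opt/ssh/etc/sshd_config and /opt/ssh/etc/ssh_config (with the step 5 directives) before restarting the server in step 4, so a silently ignored directive is caught before the first login test.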