How to configure Single-Sign-On using OpenSSH on HP/UX

This article provides the steps necessary to configure SSH to allow access using GSSAPI and achieve single-sign-on using OpenSSH

  1. Insall HP Secure Shell (downloadable from a href="https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA" target=_blank>HP Software Download site)
  2. In order to achieve SSO, OpenSSH first needs to be configured to logon to Active Directory. If Authentication Services is installed and configured you can make sure that PAM is properly configured by running the following command
    # /opt/quest/bin/vastool status

    If any errors are returned review and correct.

  3. Configure the SSH server in /opt/ssh/etc/sshd_config
    UsePAM yes
    ChallengeResponseAuthentication yes
    PasswordAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
  4. Restart the SSH server.
  5. Configure the SSH client to use GSSAPI. Edit /opt/ssh/etc/ssh_config and add the following lines:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
  6. Configure Kerberos by creating/editing /etc/krb5.conf (in this example we assume the realm EXAMPLE.COM, with an Active Directory controller at ad.example.com.
    [libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = /etc/opt/quest/vas/host.keytab
    forwardable = true
  7. Run the folloeing command as root
    # /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf
  8. Verify that the SSH server and/or client are functioning by first obtaining a login ticket
    user@client$ klist
    Ticket cache: FILE:/tmp/krb5cc_123abc
    Default principal: user@EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    09/10/07 18:11:22  09/11/07 04:11:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  9. Then connect to the server
    user@client$ ssh server

Single Sign On from one enabled machine should work to another enabled machine.