How to configure Single-Sign-On using OpenSSH on HP/UX
This article provides the steps necessary to configure SSH to allow access using GSSAPI and achieve single-sign-on using OpenSSH
- Insall HP Secure Shell (downloadable from a href="https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA" target=_blank>HP Software Download site)
- In order to achieve SSO, OpenSSH first needs to be configured to logon to Active Directory. If Authentication Services is installed and configured you can make sure that PAM is properly configured by running the following command
# /opt/quest/bin/vastool status
If any errors are returned review and correct.
- Configure the SSH server in
UsePAM yes ChallengeResponseAuthentication yes PasswordAuthentication yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes
- Restart the SSH server.
- Configure the SSH client to use GSSAPI. Edit
/opt/ssh/etc/ssh_configand add the following lines:
GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
- Configure Kerberos by creating/editing
/etc/krb5.conf(in this example we assume the realm EXAMPLE.COM, with an Active Directory controller at ad.example.com.
[libdefaults] default_realm = EXAMPLE.COM default_keytab_name = /etc/opt/quest/vas/host.keytab forwardable = true
- Run the folloeing command as root
# /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf
- Verify that the SSH server and/or client are functioning by first obtaining a login ticket
user@client$ klist Ticket cache: FILE:/tmp/krb5cc_123abc Default principal: user@EXAMPLE.COM Valid starting Expires Service principal 09/10/07 18:11:22 09/11/07 04:11:22 krbtgt/EXAMPLE.COM@EXAMPLE.COM
- Then connect to the server
user@client$ ssh server
Single Sign On from one enabled machine should work to another enabled machine.