How-To Docs

Using vendor SSH tools with Quest Authentication Services

We recommend the use of either your OS vendor's SSH tools or the latest version of the OpenSSH tools.
This document will help you find which vendor-supplied tools work with Quest Authentication Services, and how to configure them.

The table below shows which SSH tools we have tested with Quest Authentication Services, and whether we found them capable of Active Directory login and Active Directory single sign-on:

Operating system        OS version  SSH software              Active Directory login  Active Directory single sign-on
Solaris                 2.6         SUNWpssh                  yes                     no
Solaris                 7           OpenSSH 3.8.1p1           yes                     no
Solaris                 8           OpenSSH 3.4p7             yes                     no
Solaris                 9           Sun_SSH 1.0.1             yes                     no
Solaris                 10          Sun_SSH 1.1               yes                     yes+
AIX                     4.3.3       n/a                       no                      no
AIX                     5.1         n/a                       no                      no
AIX                     5.2         OpenSSH 4.3p2             yes                     yes
AIX                     5.3+        OpenSSH 4.3p2             yes                     yes
RedHat Linux            7.3         OpenSSH-3.1p1             yes                     no
RedHat Linux            8.0         OpenSSH-3.4p1             yes                     no
RedHat Linux            9.0         OpenSSH-3.5p1             yes                     no
RedHat Enterprise       2.1         OpenSSH-3.61p1            yes                     no
RedHat Enterprise       3.0         OpenSSH-3.6.1p2           yes                     no
RedHat Enterprise       4.0         OpenSSH-3.9p1             yes                     yes
RedHat Enterprise       5.0         OpenSSH-4.3p2             yes                     yes
CentOS                  2           OpenSSH-3.1p1             yes                     no
CentOS                  3           OpenSSH-3.6.1p2           yes                     no
CentOS                  4           OpenSSH-3.9p1             yes                     yes
Fedora Core             1           OpenSSH-3.6.1p2           yes                     no
Fedora Core             2           OpenSSH-3.6.1p2           yes                     no
Fedora Core             3           OpenSSH-3.9p1             yes                     yes
Fedora Core             4           OpenSSH-4.0p1             yes                     yes
Fedora Core             5           OpenSSH-4.3p2             yes                     yes
SuSE Desktop            8.0         OpenSSH-3.0.2p1           yes                     no
SuSE Desktop            8.1         OpenSSH-3.4p1             yes                     no
SuSE Desktop            8.2         OpenSSH-3.5p1             yes                     no
SuSE Desktop            9.0         OpenSSH-3.7.1p2           yes                     no
SuSE Desktop            9.1         OpenSSH-3.8p1             yes                     yes
SuSE Desktop            9.2         OpenSSH-3.9p1             yes                     yes
SuSE Desktop            9.3         OpenSSH-3.9p1             yes                     yes
SuSE OpenSuSE           10          OpenSSH-4.1p1             yes                     yes
SuSE OpenSuSE           10.1        OpenSSH-4.2p1             yes                     yes
SuSE Enterprise Server  8           OpenSSH-3.4p1             yes                     no
SuSE Enterprise Server  9           OpenSSH-4.1p1             yes                     yes
SuSE Enterprise Server  10          OpenSSH-4.2p1             yes                     yes
Debian/Ubuntu Linux     3.1         OpenSSH-3.4p1             yes                     yes+
Tru64                   5.1         Secure Shell 3.2.3        no                      no
IRIX                    6.5.22      OpenSSH 3.6.1p2           yes                     no
VMware ESX              2.1.3       OpenSSH-3.6.1p2           yes                     no
VMware ESX              2.5.0       OpenSSH-3.5p1             yes                     no
VMware ESX              2.5.1       OpenSSH-3.5p1             yes                     no
VMware ESX              2.5.2       OpenSSH-3.5p1             yes                     no
VMware ESX              2.5.3       OpenSSH-3.6.1p2           yes                     no
VMware ESX              3           OpenSSH-3.6.1p2           yes                     no
VMware ESX              3.0.1       OpenSSH-3.6.1p2           yes                     no
HP-UX                   11.00       Secure Shell A.03.10      yes                     no
HP-UX                   11.11       Secure Shell A.04.50.009  yes                     no
HP-UX                   11.22       Secure Shell A.04.50.010  yes                     yes
HP-UX                   11.23       Secure Shell A.04.50.011  yes                     yes
Mac OS X                10.4        OpenSSH 4.5p1             yes                     yes+

Note: yes+ indicates GSSAPI key exchange support, which removes the need for 'known_hosts'.

Description of SSH settings that affect Quest's Active Directory Login and Single Sign-on

PAMAuthenticationViaKbdInt
Specifies whether PAM challenge-response authentication is allowed. This allows the use of most PAM challenge-response authentication modules, but it will allow password authentication regardless of whether PasswordAuthentication is enabled.

UsePAM
Enables the Pluggable Authentication Module interface. If set to yes, this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.

SshPAMClientPath
Specifies the path to the ssh-pam-client file.

ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.

PasswordAuthentication
Specifies whether password authentication is allowed.

GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only.

GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI key exchange the server need not have a host key. Note that this option applies to protocol version 2 only.

GSSAPIDelegateCredentials
Forward (delegate) credentials to the server. Note that this option applies to protocol version 2 only.
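The per-OS sections that follow all come down to checking that a handful of these directives have the expected effective value. The script below is an added example (not part of the Quest documentation) that reports the value sshd will actually use; it matters because sshd honours the first occurrence of a keyword, so a directive appended to the end of sshd_config does not override an earlier one. The sample configuration inside it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Quest documentation: report the effective
# value of sshd_config directives. sshd uses the FIRST occurrence of a
# keyword, so the parser below follows that rule, skips comment lines, and
# accepts both "Keyword value" and "Keyword=value" forms.
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config, not a real host's file
Port 22
UsePAM no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
    gssapicleanupcredentials=yes
# PasswordAuthentication yes
UsePAM yes
EOF
# sshd_effective KEYWORD FILE
# Prints the value sshd would use for KEYWORD (case-insensitive match, first
# occurrence wins) or "unset" if the keyword never appears outside a comment.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { FS = "[ \t=]+"; found = 0 }
        { sub(/^[ \t]+/, "") }          # leading blanks would give an empty $1
        /^#/ || NF < 2 { next }         # comment or blank line
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}
# check_directives FILE KEYWORD=EXPECTED ...
# Prints one line per directive and returns 0 only when every directive
# has the expected effective value.
check_directives() {
    file=$1; shift; rc=0
    for want in "$@"; do
        key=${want%%=*}; expect=${want#*=}
        got=$(sshd_effective "$key" "$file")
        if [ "$got" = "$expect" ]; then
            echo "ok        $key = $got"
        else
            echo "MISMATCH  $key is '$got', expected '$expect'"; rc=1
        fi
    done
    return $rc
}
# Active Directory login set: fails on the sample because the first UsePAM
# line says "no" and PasswordAuthentication is only present as a comment.
check_directives "$SAMPLE_SSHD_CONFIG" UsePAM=yes ChallengeResponseAuthentication=yes \
    PasswordAuthentication=yes || echo "AD login: sshd_config needs attention"
# Single sign-on set: passes on the sample.
check_directives "$SAMPLE_SSHD_CONFIG" GSSAPIAuthentication=yes GSSAPICleanupCredentials=yes \
    && echo "SSO: directives OK"
```

Point check_directives at the real sshd_config path for your platform (/etc/ssh/sshd_config, /opt/ssh/etc/sshd_config or /etc/sshd_config, as given in the sections below) and at the directive set the relevant section lists.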

Configure Active Directory login on Solaris

Solaris 2.6, 7, 8, 9 and 10 all support Active Directory login with PAM. PAM configuration normally happens automatically when Quest Authentication Services joins the host to an Active Directory domain. Check that the file /etc/pam.conf contains a line similar to this:

other account  sufficient  /opt/quest/lib/security/$ISA/pam_vas3.so

If not, run the following command as root:

# /opt/quest/bin/vastool configure pam sshd

Next, make sure sshd is configured correctly to work with Active Directory. The settings depend on the version of Solaris.

On Solaris 2.6, 9 and 10, the following should be set in /etc/ssh/sshd_config:

PAMAuthenticationViaKbdInt yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

On Solaris 7 and 8, the following should be set in /etc/ssh/sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Restart sshd.

Configure Active Directory Single Sign-on on Solaris 10

Solaris 10 is distributed with Sun_SSH version 1.1, which supports the gssapi-keyex and gssapi-with-mic authentication methods.

The following packages, provided by Sun on the Solaris installation media, should be installed:

# pkginfo | grep SUNWssh
system      SUNWsshcu                        SSH Common, (Usr)
system      SUNWsshdr                        SSH Server, (Root)
system      SUNWsshdu                        SSH Server, (Usr)
system      SUNWsshr                         SSH Client and utilities, (Root)
system      SUNWsshu                         SSH Client and utilities, (Usr)

# pkginfo | grep SUNWkrb
system      SUNWkrbr                         Kerberos version 5 support (Root)
system      SUNWkrbu                         Kerberos version 5 support (Usr)

SSH server configuration

No changes are required to /etc/ssh/ssh_config or /etc/ssh/sshd_config. GSSAPI authentication is enabled by default.

PAM configuration

PAM configuration normally happens automatically when Quest Authentication Services joins the host to an Active Directory domain. Check that the file /etc/pam.conf contains a line similar to this:

other account  sufficient  /opt/quest/lib/security/$ISA/pam_vas3.so

If not, run the following command as root:

# /opt/quest/bin/vastool configure pam sshd sshd-gssapi

See the bottom of the sshd(1M) manual page for more information on the PAM service names used by SunSSH.

Kerberos configuration

The file /etc/krb5/krb5.conf should contain the following definitions, depending on your realm (COMPANY.COM here):

[libdefaults]
    default_realm = COMPANY.COM
    default_keytab_name = /etc/opt/quest/vas/host.keytab

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }

You should also generate a [realms] section by running the following command as root:

# vastool -u host/ info toconf /etc/krb5/krb5.conf

Verifying

On the server, check that the SSH service is enabled and running:

server# svcs ssh
STATE          STIME    FMRI
disabled       Jul_12   svc:/network/ssh:default

If it is disabled, as in the output above, enable it with the following command:

server# svcadm enable ssh

On the client, check that the user has a credential cache with a valid TGT:

user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM

Valid starting                Expires                Service principal
09/10/07 17:11:25  09/11/07 03:11:25  krbtgt/COMPANY.COM@COMPANY.COM

Then, try connecting to the server:

user@client$ ssh server.company.com
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
user@server$ 

Configure Active Directory login on AIX

After installing the Quest Authentication Services, AIX OpenSSL and AIX OpenSSH packages on AIX 5.2 or 5.3, make sure the following are set in /etc/ssh/sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Restart the SSH server process with these commands:

# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start

Configure Active Directory Single Sign-on on AIX

IBM provides a separate Kerberos package for AIX 5.2 and later, and also provides support for an open source OpenSSH package.

Install Kerberos

Check to see if Kerberos is already installed:

# lslpp -l | grep krb5
  krb5.client.rte            1.4.0.0  COMMITTED  Network Authentication Service
  krb5.client.samples        1.4.0.0  COMMITTED  Network Authentication Service
  krb5.doc.en_US.html        1.4.0.0  COMMITTED  Network Auth Service HTML
  krb5.doc.en_US.pdf         1.4.0.0  COMMITTED  Network Auth Service PDF
  krb5.lic                   1.4.0.0  COMMITTED  Network Authentication Service
  krb5.server.rte            1.4.0.0  COMMITTED  Network Authentication Service
  krb5.toolkit.adt           1.4.0.0  COMMITTED  Network Authentication Service
  krb5.client.rte            1.4.0.0  COMMITTED  Network Authentication Service
  krb5.server.rte            1.4.0.0  COMMITTED  Network Authentication Service

If these packages are not installed, insert the expansion pack CD and install with the following command:

# geninstall -d /dev/cd0 krb5.client.rte krb5.server.rte

Install OpenSSL

AIX OpenSSH requires the OpenSSL package to be installed. Check whether OpenSSL is installed using this command:

# rpm -q openssl
openssl-0.9.7l-1

If the rpm tool is not installed, it can be obtained from IBM's AIX Toolbox for Linux Applications; follow the instructions there. OpenSSL can be found in the same place: follow the "Cryptographic Content" link (you will need to have registered with IBM).

Install OpenSSH

OpenSSH packages for AIX can be found either on the Expansion pack CDs or from SourceForge:

AIX version          Location            OpenSSH version
AIX 5.2              Expansion Pack CD   OpenSSH 3.8.1.p1
AIX 5.3              Expansion Pack CD   OpenSSH 3.8.1.p1
AIX 5.1, 5.2, 5.3    SourceForge         OpenSSH 4.3p2

Only OpenSSH versions 3.7 or later support Kerberos and GSSAPI. We tested OpenSSH 4.3p2 for AIX from SourceForge.

Configure Kerberos

You can run the script /usr/krb5/sbin/config.krb5 to configure Kerberos on AIX:

# /usr/krb5/sbin/config.krb5 -C -r COMPANY.COM \
  -d company.com \
  -l ad.company.com

where ad.company.com is an Active Directory domain controller. Next, run this command to fill in the domain controller information detected by Quest Authentication Services:

# /opt/quest/bin/vastool -u host/ info toconf /etc/krb5/krb5.conf

Finally, edit the file /etc/krb5/krb5.conf so that the default_keytab_name parameter is set as follows:

[libdefaults]
  default_keytab_name = /etc/opt/quest/vas/host.keytab

Configure the SSH server

If your AIX host is to be used as an SSH server, you must edit /etc/ssh/sshd_config to contain the following directives:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Restart the SSH server process with these commands:

# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start

Configure the SSH client

If your AIX host is to be an SSH client, edit the file /etc/ssh/ssh_config to contain:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Verification

Verify that the SSH server and/or client are functioning by first obtaining a login ticket:

user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM

Valid starting                Expires                Service principal
09/10/07 18:11:22  09/11/07 04:11:22  krbtgt/COMPANY.COM@COMPANY.COM

Then, connect to the server:

user@client$ ssh server
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.2!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
user@server$ 

NOTE: By default, AIX Kerberos looks for credential caches in /var/krb5/security/creds/krb5cc_%{uid}. However, OpenSSH stores cached tickets at /tmp/krb5cc_%{uid}. This can be addressed by making the paths equivalent:

# rmdir /var/krb5/security/creds
# ln -s /tmp /var/krb5/security/creds

Configure Active Directory login on Linux

Almost all Linux systems that ship with an OpenSSH package work with Active Directory login. After installing Quest Authentication Services, make sure that sshd uses pam_vas for authentication:

# /opt/quest/bin/vastool configure pam sshd

Next, make sure sshd is configured correctly to work with Active Directory. The configuration differs slightly between Linux flavors.

For the following Linux systems:

- RedHat Linux 7.3, 8 and 9

- RedHat Enterprise Linux 2.1 and 3

- CentOS 2 and 3

- Fedora 1 and 2

the following should be set in /etc/ssh/sshd_config:

PAMAuthenticationViaKbdInt yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

For other Linux systems, the following should be set in /etc/ssh/sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Restart the SSH server. On most Linux systems, this is achieved with this command:

# /etc/init.d/sshd restart

Configure Active Directory Single Sign-on on Linux

Most Linux systems come with an OpenSSH package that supports GSSAPI authentication. The configuration on these Linux systems is similar.

In this example we assume the realm COMPANY.COM, with an Active Directory controller at ad.company.com.

Ensure PAM rules for sshd use pam_vas

Make sure that sshd will use pam_vas for authentication:

# /opt/quest/bin/vastool configure pam sshd

Configure the sshd server to use GSSAPI

Edit /etc/ssh/sshd_config to make sure it contains the following lines:

UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Restart the SSH server. On most Linux systems, this is achieved with this command:

# /etc/init.d/sshd restart

Configure the ssh client to use GSSAPI

Edit /etc/ssh/ssh_config and add the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Configure Kerberos

You can either symlink /etc/krb5.conf directly to /etc/opt/quest/vas/vas.conf, or create a separate /etc/krb5.conf. Before doing either, save the original:

# mv /etc/krb5.conf /etc/krb5.conf.orig

Then, either create the symlink:

# ln -s /etc/opt/quest/vas/vas.conf /etc/krb5.conf

or manually create your own by following these steps:

  1. Create an empty file /etc/krb5.conf and add these lines:
    [libdefaults]
        default_realm = COMPANY.COM
        default_keytab_name = /etc/opt/quest/vas/host.keytab
        forwardable = true
  2. Run this command as root:
    # /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf

Configure Active Directory login on HP-UX

After installing the Quest Authentication Services and HP-UX Secure Shell packages, verify that the following are set in /opt/ssh/etc/sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Restart SSH server.

Configure Active Directory Single Sign-on on HP-UX

Install HP Secure Shell

HP-UX Secure Shell packages can be found at the HP Software Download Site.

We tested Secure Shell A.04.50.010 and A.04.40.011 for Single Sign-on with Quest Authentication Services.

Configure Kerberos

The file /etc/krb5.conf should contain the following definitions, depending on your realm (COMPANY.COM here):

[libdefaults]
    default_realm = COMPANY.COM
    default_keytab_name = /etc/opt/quest/vas/host.keytab

[realms]
    COMPANY.COM = {
        kdc = ad.company.com:88
    }

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }

Configure the SSH server

If your HP-UX host is to be used as an SSH server, you must edit /opt/ssh/etc/sshd_config to contain the following directives:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Restart the SSH server.

Configure the SSH client

If your HP-UX host is to be an SSH client, edit the file /opt/ssh/etc/ssh_config to contain:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Verification

Verify that the SSH server and/or client are functioning by first obtaining a login ticket:

user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM

Valid starting                Expires                Service principal
09/10/07 18:11:22  09/11/07 04:11:22  krbtgt/COMPANY.COM@COMPANY.COM

Then, connect to the server:

user@client$ ssh server
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.

Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).
user@server$ 

Configure Active Directory login on Mac OS

Mac OS 10.4 has OpenSSH 4.5p1 installed. After installing Quest Authentication Services, verify that the following are set in /etc/sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Restart SSH server.

Configure Active Directory Single Sign-on on Mac OS

Mac OS 10.4 has OpenSSH 4.5p1 installed.

Configure Kerberos

The file /etc/krb5.conf should contain the following definitions, depending on your realm (COMPANY.COM here):

[libdefaults]
    default_realm = COMPANY.COM
    default_keytab_name = /etc/opt/quest/vas/host.keytab

[realms]
    COMPANY.COM = {
        kdc = ad.company.com:88
    }

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }

Configure the SSH server

If your Mac OS host is to be used as an SSH server, you must edit /etc/sshd_config to contain the following directives:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Restart the SSH server.

Configure the SSH client

If your Mac OS host is to be an SSH client, edit the file /etc/ssh_config to contain:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Verification

Verify that the SSH server and/or client are functioning by first obtaining a login ticket:

user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM

Valid starting                Expires                Service principal
10/19/07 12:40:06 10/19/07 22:40:06  krbtgt/COMPANY.COM@COMPANY.COM

Then, connect to the server:

user@client$ ssh server
Last login: Fri Oct 19 12:43:03 2007 from macaw.rcdev.vin
Welcome to Darwin!
user@server$ 
-- Wei Hu, David Leonard