Configure SSH for Active Directory and Authentication Services
In order to achieve SSO, OpenSSH first needs to be configured to log on to Active Directory. If Authentication Services is installed and configured, you can verify that PAM is properly configured by running the following command:
# /opt/quest/bin/vastool status
This should not return any errors concerning SSH or PAM.
Install HP Secure Shell
HP-UX Secure Shell packages can be found at the HP Software Download site.
To achieve Single-Sign-On the OpenSSH package needs to support GSSAPI authentication.
Configure the SSH server
For HP-UX the following settings should be configured for the SSH server in /opt/ssh/etc/sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart the SSH server.
Configure the SSH client
The ssh client should be configured to use GSSAPI as well.
Edit /opt/ssh/etc/ssh_config and add the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
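The two lists above (server directives in sshd_config, client directives in ssh_config) are easy to get subtly wrong, because the stock files ship the same keywords commented out. The following POSIX sh script is an added example, not part of the original guide or of the HP or Quest products: it reads a config file the way sshd does (first uncommented occurrence wins, keywords and yes/no values are case-insensitive, nothing after a Match block counts as global) and reports every required directive that is missing or set to a different value. It assumes the HP-UX default paths /opt/ssh/etc/sshd_config and /opt/ssh/etc/ssh_config and the "Keyword value" form of the directives (the "Keyword=value" form is not handled).

```shell
#!/bin/sh
# Added example (not from the original guide): verify that an OpenSSH
# config file carries the directives this guide requires, with the
# expected values. Needs only POSIX sh, awk and tr, all present on HP-UX.
#
# Usage: check_ssh_config FILE 'Directive value' ['Directive value' ...]
# Prints one line per problem; returns 0 only when every directive is
# present with the expected value. Commented-out directives (the
# "#Directive" lines the stock files ship with) are ignored, because
# sshd ignores them too. Directives that appear only after a Match
# block are conditional, so they are not counted either.
check_ssh_config() {
    file=$1
    shift
    rc=0
    for want in "$@"; do
        key=${want%% *}
        # sshd treats yes/no values case-insensitively; normalise both sides.
        val=$(printf '%s' "${want#* }" | tr 'A-Z' 'a-z')
        found=$(awk -v k="$key" '
            $0 !~ /^[ \t]*#/ && tolower($1) == "match"     { exit }
            $0 !~ /^[ \t]*#/ && tolower($1) == tolower(k)  { print tolower($2); exit }
        ' "$file")
        if [ -z "$found" ]; then
            echo "$file: $key is not set (expected $val)"
            rc=1
        elif [ "$found" != "$val" ]; then
            echo "$file: $key is $found (expected $val)"
            rc=1
        fi
    done
    return $rc
}

# Server directives from the guide; the path is the HP-UX Secure Shell default.
check_sshd() {
    check_ssh_config "${1:-/opt/ssh/etc/sshd_config}" \
        "UsePAM yes" \
        "ChallengeResponseAuthentication yes" \
        "PasswordAuthentication yes" \
        "GSSAPIAuthentication yes" \
        "GSSAPICleanupCredentials yes"
}

# Client directives from the guide.
check_ssh_client() {
    check_ssh_config "${1:-/opt/ssh/etc/ssh_config}" \
        "GSSAPIAuthentication yes" \
        "GSSAPIDelegateCredentials yes"
}
```

Run `check_sshd` after editing sshd_config and before restarting the daemon, and `check_ssh_client` on each client; both accept an alternative path as the first argument, which is handy for checking a file you are about to copy into place.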
Configure Kerberos
You can either symlink /etc/krb5.conf directly to /etc/opt/quest/vas/vas.conf, or create a separate /etc/krb5.conf. Before doing either, save the original file:
# mv /etc/krb5.conf /etc/krb5.conf.orig
Then, either create the symlink:
# ln -s /etc/opt/quest/vas/vas.conf /etc/krb5.conf
or manually create your own by following these steps:
In this example we assume the realm COMPANY.COM, with an Active Directory controller at ad.company.com.
Create an empty file /etc/krb5.conf and add these lines:
[libdefaults]
default_realm = COMPANY.COM
default_keytab_name = /etc/opt/quest/vas/host.keytab
forwardable = true
Then run this command as root:
# /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf
Verification
Verify that the SSH server and/or client are functioning by first checking that a Kerberos login ticket is present:
user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM
Valid starting       Expires              Service principal
09/10/07 18:11:22    09/11/07 04:11:22    krbtgt/COMPANY.COM@COMPANY.COM
Then connect to the server:
user@client$ ssh server
Single Sign On from one enabled machine should work to another enabled machine.
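A plain `ssh server` can still succeed by silently falling back to a password or a public key, which hides a broken GSSAPI setup. The following script is an added example, not part of the original guide: it first parses klist output for a ticket-granting ticket of the expected realm (the krbtgt/REALM@REALM line shown above is what the client needs to obtain a service ticket for the host), then attempts a login that can only succeed through GSSAPI. It assumes the HP-UX client at /opt/ssh/bin/ssh and klist on the PATH; the host and realm are whatever you pass in.

```shell
#!/bin/sh
# Added example (not part of the original guide): an end-to-end SSO check
# that fails instead of silently falling back to another method.

# Read klist output on stdin and succeed only if a ticket-granting ticket
# for REALM is listed. The service principal is the last field of each
# ticket line, so the header and cache lines never match.
tgt_present() {
    realm=$1
    awk -v p="krbtgt/$realm@$realm" '
        $NF == p { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Attempt a login that can only succeed through GSSAPI: BatchMode=yes makes
# ssh fail rather than prompt, and the remaining options exclude password,
# keyboard-interactive and public-key authentication. A zero exit status
# therefore means single sign-on actually worked end to end.
sso_check() {
    host=$1
    realm=$2
    if ! klist 2>/dev/null | tgt_present "$realm"; then
        echo "no krbtgt for $realm in the credential cache; log on through Authentication Services first" >&2
        return 2
    fi
    /opt/ssh/bin/ssh -o BatchMode=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -o PasswordAuthentication=no \
        -o ChallengeResponseAuthentication=no \
        -o PubkeyAuthentication=no \
        "$host" true
}
```

Usage: `sso_check server COMPANY.COM`. If it fails while `ssh server` works, the interactive login is not using Kerberos; add `-v` to the ssh line to see which authentication methods the server offered and why gssapi-with-mic was not accepted.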