Configure SSH for Active Directory and Authentication Services
To achieve single sign-on (SSO), OpenSSH first needs to be configured to log on to Active Directory. If Authentication Services is installed and configured, you can verify that PAM is properly configured by running the following command:
/opt/quest/bin/vastool status
This should not return any errors concerning SSH or PAM.
For most Linux operating systems, the following settings should be configured for SSH in /etc/ssh/sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Some Linux systems may require "PAMAuthenticationViaKbdInt yes" instead of "UsePAM yes".
Once sshd_config is set, the service should be restarted.
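A check for the sshd_config settings listed above, as an added example that is not part of the original article or the vendor's tooling: it reads only the global section (everything before the first Match line) and follows sshd's rule that the first value given for a keyword is the one used. The function names and the sample file are assumptions of this example, and a keyword that is not set explicitly is reported as a finding.

```shell
#!/bin/sh
# Added example (not vendor code): audit the global section of an sshd_config.

# effective_value FILE KEYWORD: print the first global value, lowercased.
effective_value() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        { key = tolower($1) }               # keywords are case-insensitive
        key == "match" { exit }             # later lines are conditional
        key == tolower(want) { print tolower($2); exit }  # first value wins
    ' "$1"
}

# check_sshd_config FILE: print one line per finding, return the count.
check_sshd_config() {
    file=$1
    problems=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication \
              GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(effective_value "$file" "$kw")
        if [ "$val" != yes ]; then
            echo "$kw: expected yes, found ${val:-nothing set globally}"
            problems=$((problems + 1))
        fi
    done
    # Either UsePAM or, on systems that need it, PAMAuthenticationViaKbdInt.
    if [ "$(effective_value "$file" UsePAM)" != yes ] &&
       [ "$(effective_value "$file" PAMAuthenticationViaKbdInt)" != yes ]; then
        echo "UsePAM/PAMAuthenticationViaKbdInt: neither is set to yes"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample, not from a real host: the first GSSAPIAuthentication
# value is "no", and PasswordAuthentication appears only under Match.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
usepam yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Match User backup
    PasswordAuthentication yes
EOF
check_sshd_config "$sample" || echo "findings: $?"
```

On a live host, running sshd -T as root prints the effective configuration, which also reflects compiled-in defaults that this file-level check cannot see.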
Configure SSH for Single Sign On for GSSAPI
To achieve single sign-on, the OpenSSH package needs to support GSSAPI authentication. The configurations on these Linux systems are similar:
Red Hat Linux and derivatives, e.g. CentOS, Fedora
SUSE Linux
Debian Linux and derivatives, e.g. Ubuntu
In this example we assume the realm COMPANY.COM, with an Active Directory controller at ad.company.com.
The ssh client should be configured to use GSSAPI as well.
Edit /etc/ssh/ssh_config and add the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Configure Kerberos
You can either directly symlink /etc/krb5.conf to /etc/opt/quest/vas/vas.conf, or create a separate /etc/krb5.conf. Before doing that, save the original one.
# mv /etc/krb5.conf /etc/krb5.conf.orig
Then, either create the symlink:
# ln -s /etc/opt/quest/vas/vas.conf /etc/krb5.conf
or manually create your own by following these steps:
Create an empty file /etc/krb5.conf and add these lines:
[libdefaults]
default_realm = COMPANY.COM
default_keytab_name = /etc/opt/quest/vas/host.keytab
forwardable = true
Then run this command as root:
# /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf
Single sign-on should now work from one enabled machine to another enabled machine.