How to configure Single-Sign-On using OpenSSH on Solaris (4285233)

Configure SSH for Active Directory and Authentication Services
In order to achieve SSO OpenSSH first needs to be configured to logon to Active Directory.
If Authentication Services is installed and configured you can make sure that PAM is properly configured by running the following command;
# /opt/quest/bin/vastool status

This should not return any errors concerning SSH or PAM.


PAM configuration
PAM configuration will normally happen automatically when Authentication Services joins the host to Active Directory.
Check that the file /etc/pam.conf contains a line similar to this:

other    account     sufficient     /opt/quest/lib/security/$ISA/pam_vas3.so

If not, then run the following command as root:
# /opt/quest/bin/vastool configure pam sshd sshd-gssapi


Check that the SSH packages are installed
The following packages, provided by Sun on the Solaris installation media, should be installed:

# pkginfo | grep SUNWssh

system      SUNWsshcu                        SSH Common, (Usr)
system      SUNWsshdr                        SSH Server, (Root)
system      SUNWsshdu                        SSH Server, (Usr)
system      SUNWsshr                         SSH Client and utilities, (Root)
system      SUNWsshu                         SSH Client and utilities, (Usr)


# pkginfo | grep SUNkrb

system      SUNWkrbr                         Kerberos version 5 support (Root)
system      SUNWkrbu                         Kerberos version 5 support (Usr)



Configure the SSH server
For Solaris the following settings should be configured in /etc/ssh/sshd_config

For Solaris 9 & 10 the following should be set:
PAMAuthenticationViaKbdInt yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

No changes are required to /etc/ssh/sshd_config on Solaris 10 as GSSAPI authentication is already configured.


For Solaris 7 & 8 the following should be set:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes


Then restart the SSH server.


Configure the SSH client
The ssh client should be configured to use GSSAPI as well.
Edit /opt/ssh/etc/ssh_config and add the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes


On Solaris 10 you do not need to make any changes to the SSH client.


Configure Kerberos
You can either directly symlink /etc/krb5/krb5.conf to /etc/opt/quest/vas/vas.conf, or create a separate /etc/krb5.conf. Before doing that, save the original one.
# mv /etc/krb5/krb5.conf /etc/krb5/krb5.conf.orig

Then, either create the symlink:
# ln -s /etc/opt/quest/vas/vas.conf /etc/krb5/krb5.conf

or manually create your own by following these steps:

In this example we assume the realm COMPANY.COM, with an Active Directory controller at ad.company.com.
Create an empty file /etc/krb5/krb5.conf and add these lines:

[libdefaults]
default_realm = COMPANY.COM
default_keytab_name = /etc/opt/quest/vas/host.keytab
forwardable = true

Then run this command as root:
# /opt/quest/bin/vastool -u host/ info toconf /etc/krb5.conf


Verification
On the SSH server, check that the SSH service is enabled and running:
# svcs ssh

If it is not running, start it with the following command:
# svcadm enable ssh


Verify that the SSH server and/or client are functioning by first obtaining a login ticket:
user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM

Valid starting                Expires                Service principal
09/10/07 18:11:22  09/11/07 04:11:22  krbtgt/COMPANY.COM@COMPANY.COM

Then connect to the server
user@client$ ssh server

Single Sign On from one enabled machine should work to another enabled machine.