How to configure Single-Sign-On using OpenSSH on AIX (4265417)

How to configure Single-Sign-On using OpenSSH on AIX

How to configure SSH to allow access using GSSAPI and achieve single-sign-on using vendor supplied OpenSSH or OpenSSH downloaded from the internet.

Configure SSH for Active Directory and Authentication Services

In order to achieve SSO, OpenSSH first needs to be configured to logon to Active Directory. If Authentication Services is installed and configured you can make sure that PAM is properly configured by running the following command:

#/opt/quest/bin/vastool status

This should not return any errors concerning SSH or PAM.

The following settings should be configured for ssh in /etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

Once sshd_config is set the service should be restarted.

Configure SSH Single Sign-on for AIX, Active Directory and Authentication Services

Confirm that Kerberos, OpenSSH and OpenSSL are installed. If they are not they will need to be installed first.

AIX OpenSSH requires the OpenSSL package to be installed. Only versions of OpenSSH 3.7 or later supports Kerberos and GSSAPI.

Configure Kerberos

You can run the script /usr/krb5/sbin/config.krb5 to configure Kerberos on AIX:

# /usr/krb5/sbin/config.krb5 -C -r COMPANY.COM \
  -d company.com \
  -l ad.company.com

where ad.company.com is an Active Directory controller. Next, run this command to fill in domain controller information detected by Authentication Services:

# /opt/quest/bin/vastool -u host/ info toconf /etc/krb5/krb5.conf

Finally, edit the file /etc/krb5/krb5.conf so that the default_keytab_name parameter is set as follows:

[libdefaults]
  default_keytab_name = /etc/opt/quest/vas/host.keytab

Configure the SSH for SSO with GSSAPI

If your AIX host is to be used as an SSH server, you must edit /etc/ssh/sshd_config to contain the following directives:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Restart the ssh server process

Configure the SSH client for SSO with GSSAPI

If your AIX host is to be an SSH client, edit the file /etc/ssh/ssh_config to contain:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Verification

Verify that the SSH server and/or client are functioning by first obtaining a login ticket:

user@client$ klist
Ticket cache: FILE:/tmp/krb5cc_12345
Default principal: user@COMPANY.COM

Valid starting                Expires                Service principal
09/10/15 18:11:22  09/11/15 04:11:22  krbtgt/COMPANY.COM@COMPANY.COM

Then, connect to the server:

user@client$ ssh server

NOTE: By default, AIX Kerberos looks for credential caches in /var/krb5/security/creds/krb5cc_%{uid}. However, OpenSSH stores cached tickets at /tmp/krb5cc_%{uid}. This can be addressed by making the paths

equivalent:

# rmdir /var/krb5/security/creds
# ln -s /tmp /var/krb5/security/creds