To use Kerberos-based SSH, you must:
Configure the Kerberos user and host principals. You must
also create the associated Kerberos keytab entries, as
described in the HP Open Source Security for OpenVMS
Volume 3: Kerberos manual.
Configure the SSH server and client to use the appropriate
Kerberos authentication methods.
Configuring the Kerberos User and Host Principles
On each SSH server host to which a user may want to connect using Kerberos-based
authentication method or Kerberos password check, define a Kerberos host principal,
as described in the OpenVMS Guide to Security (Kerberos).
The host principle for the SSH server host must be fully qualified. For example,
a host principal for the SSH server host with DNS name myhost.abcd.org in
the Kerberos realm ABCD.ORG would be specified as host/myhost.abcd.org@ABCD.ORG
To use the gssapi-with-mic authentication method,
the server's local host database for itself must be configured so that the
first entry in the list is the fully-qualified domain name. Use the TCP/IP
management command SHOW HOST/LOCAL on the SSH server to make sure the server
is defined by its fully-qualified canonical name. For example, to set up gssapi-with-mic authentication
on the SSH server host named myhost.abcd.org, the local
host entry must be defined as displayed by the following command:
MYHOST> TCPIP SHOW HOST/LOCAL MYHOST
Host address Host name
10.0.0.1 myhost.abcd.org, myhost, MYHOST,MYHOST.ABCD.ORG
Configuring the Kerberos Authentication Method
In addition, the SSH servers must be configured to accept requests for
each authentication method that clients will use. The following Kerberos authentication
methods can be enabled:
To enable the SSH server to provide an authentication method to SSH
clients, add the Kerberos authentication method name to the AllowedAuthentications configuration
keyword in the server configuration file. For more information about SSH authentication
methods, see Chapter 3.
For example, if you want your SSH server to offer gssapi-with-mic and publickey authentication,
include the following in the server configuration file:
AllowedAuthentications: gssapi-with-mic, publickey
The Kerberos authentication methods are not part of the default configuration.
You must explicitly include them in the configuration file to use Kerberos
authentication. For more information about modifying the server and client
configuration files, see Appendix B.
SSH Kerberos Authentication Interoperability
The email@example.com and firstname.lastname@example.org authentication
methods are proprietary (not specified by an IETF draft or RFC), and as such
are supported only by the SSH implementations based on software from SSH Communications,
Inc. HP Tru64 UNIX also supports these authentication methods.
The gssapi-with-mic authentication method is based
on an IETF draft (GSSAPI Authentication and Key Exchange for the Secure Shell
Protocol). As a public-domain specification, it is supported by a broader
range of SSH implementations, including those based on OpenSSH.
TCP/IP Services does not implement the key exchange part of the GSSAPI
protocol. It implements only the user authentication portion of this specification.
SSH Client Configuration
To enable a Kerberos authentication method on the SSH client, add the
appropriate argument to the AllowedAuthentications keyword
in the SSH client configuration file. Kerberos-based authentication methods
are not enabled for AllowedAuthentications by default.
You must enable them in your SSH client configuration file. For example, to
tell your SSH client to use the gssapi-with-mic method
first, then publickey, and then password authentication,
enter the following:
AllowedAuthentications: gssapi-with-mic, publickey, password