HP OpenVMS Systems Documentation

Content starts here

Setting Up Kerberos

  Table of Contents



To use Kerberos-based SSH, you must:

  • Configure the Kerberos user and host principals. You must also create the associated Kerberos keytab entries, as described in the HP Open Source Security for OpenVMS Volume 3: Kerberos manual.

  • Configure the SSH server and client to use the appropriate Kerberos authentication methods.

Configuring the Kerberos User and Host Principles

On each SSH server host to which a user may want to connect using Kerberos-based authentication method or Kerberos password check, define a Kerberos host principal, as described in the OpenVMS Guide to Security (Kerberos). The host principle for the SSH server host must be fully qualified. For example, a host principal for the SSH server host with DNS name myhost.abcd.org in the Kerberos realm ABCD.ORG would be specified as host/myhost.abcd.org@ABCD.ORG

To use the gssapi-with-mic authentication method, the server's local host database for itself must be configured so that the first entry in the list is the fully-qualified domain name. Use the TCP/IP management command SHOW HOST/LOCAL on the SSH server to make sure the server is defined by its fully-qualified canonical name. For example, to set up gssapi-with-mic authentication on the SSH server host named myhost.abcd.org, the local host entry must be defined as displayed by the following command:

     LOCAL database
Host address    Host name   myhost.abcd.org, myhost, MYHOST,MYHOST.ABCD.ORG

Configuring the Kerberos Authentication Method

In addition, the SSH servers must be configured to accept requests for each authentication method that clients will use. The following Kerberos authentication methods can be enabled:

  • gssapi-with-mic

  • kerberos-2 (kerberos-2@ssh.com)

  • kerberos-tgt-2 (kerberos-tgt-2@ssh.com)

To enable the SSH server to provide an authentication method to SSH clients, add the Kerberos authentication method name to the AllowedAuthentications configuration keyword in the server configuration file. For more information about SSH authentication methods, see Chapter 3.

For example, if you want your SSH server to offer gssapi-with-mic and publickey authentication, include the following in the server configuration file:

AllowedAuthentications: gssapi-with-mic, publickey

The Kerberos authentication methods are not part of the default configuration. You must explicitly include them in the configuration file to use Kerberos authentication. For more information about modifying the server and client configuration files, see Appendix B.

SSH Kerberos Authentication Interoperability

The kerberos-2@ssh.com and kerberos-tgt-2@ssh.com authentication methods are proprietary (not specified by an IETF draft or RFC), and as such are supported only by the SSH implementations based on software from SSH Communications, Inc. HP Tru64 UNIX also supports these authentication methods.

The gssapi-with-mic authentication method is based on an IETF draft (GSSAPI Authentication and Key Exchange for the Secure Shell Protocol). As a public-domain specification, it is supported by a broader range of SSH implementations, including those based on OpenSSH.

TCP/IP Services does not implement the key exchange part of the GSSAPI protocol. It implements only the user authentication portion of this specification.

SSH Client Configuration

To enable a Kerberos authentication method on the SSH client, add the appropriate argument to the AllowedAuthentications keyword in the SSH client configuration file. Kerberos-based authentication methods are not enabled for AllowedAuthentications by default. You must enable them in your SSH client configuration file. For example, to tell your SSH client to use the gssapi-with-mic method first, then publickey, and then password authentication, enter the following:

AllowedAuthentications: gssapi-with-mic, publickey, password