|
HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration
Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos
Using Kerberos with TCP/IP SSH for OpenVMS, you can authenticate
your SSH connections between OpenVMS systems. The minimum version of TCP/IP Services for OpenVMS necessary
for Kerberized SSH is Version 5.6. To "Kerberize" your SSH connections, perform the
following steps. Install
and configure TCP/IP for OpenVMS Services Version 5.6 or higher. Install and configure Kerberos
for OpenVMS. If you have already installed OpenVMS Version 7.3-2
or higher, Kerberos is part of the OpenVMS installation procedure.
If you have an earlier version of OpenVMS installed, you can download
the Kerberos for OpenVMS PCSI kit from the Kerberos web site at
http://h71000.www7.hp.com/openvms/products/kerberos/ Shut down Kerberos, if it
is running, by entering the following command: $ @SYS$STARTUP:KRB$SHUTDOWN Configure TCP/IP Services
for OpenVMS by entering the following command: $ @SYS$STARTUP:TCPIP$CONFIG Select #2, Client components,
from the TCP/IP Configuration Menu: HP TCP/IP Services for OpenVMS Configuration Menu Configuration options: 1 - Core environment 2 - Client components 3 - Server components 4 - Optional components 5 - Shutdown HP TCP/IP Services for OpenVMS 6 - Startup HP TCP/IP Services for OpenVMS 7 - Run tests A - Configure options 1 - 4 [E] - Exit configuration procedure Enter configuration option: 2
|
Ensure that the SSH Client
and Server services are enabled. Select #7, SSH Client, from the
TCP/IP Configuration Menu: HP TCP/IP Services for OpenVMS Client Components Configuration Menu Configuration options: 1 - DHCP Client Disabled Stopped 2 - FTP Client Enabled Started 3 - NFS Client Disabled Stopped 4 - REXEC and RSH Enabled Started 5 - RLOGIN Enabled Started 6 - SMTP Disabled Stopped 7 - SSH Client Disabled Stopped 8 - TELNET Enabled Started 9 - TELNETSYM Disabled Stopped A - Configure options 1 - 9 [E] - Exit menu Enter configuration option: 7
|
Select #2, Enable service
on this node, from the TCP/IP Configuration Menu. Type YES when
it asks if you want to configure the SSH SERVER. If SSH is already
enabled, skip to step 9. SSH CLIENT configuration options: 1 - Enable service on all nodes 2 - Enable service on this node 3 - Stop service on this node [E] - Exit SSH_CLIENT configuration Enter configuration option: 2 The SSH SERVER is enabled. * Do you want to configure SSH SERVER [NO]: YES
|
Select #2, Enable Service
on this node, from the TCP/IP Configuration Menu. Press return
to select the default or type YES to create a new default server
host key. SSH configuration options: 1 - Enable service on all nodes 2 - Enable service on this node 3 - Stop service on this node [E] - Exit SSH configuration Enter configuration option: 2 * Create a new default server host key? [YES]: YES Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB
|
Select Exit twice to exit
from each submenu of the TCP/IP Configuration Menu. If the system asks if you
want to start SSH now, answer NO. The following services are enabled but not started: SSH, SSH_CLIENT * Start these services now? [N] NO You may start services individually with: @SYS$STARTUP:TCPIP$<service>_STARTUP.COM
|
If SSH is not already running,
manually start the SSH client and server by entering the following commands: $ @SYS$STARTUP:TCPIP$SSH_STARTUP.COM %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSHD2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP-SERVER2.EXE installed %TCPIP-I-INFO, logical names created %TCPIP-I-INFO, service enabled %TCPIP-S-STARTDONE, TCPIP$SSH startup completed $ @SYS$STARTUP:TCPIP$ssh_client_STARTUP.COM %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SCP2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-SIGNER2.EXE installed %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH2.EXE installed %TCPIP-I-INFO, logical names created %TCPIP-S-STARTDONE, TCPIP$SSH_CLIENT startup completed
|
Start Kerberos by entering
the following command: $ @SYS$STARTUP:KRB$STARTUP
|
Verify that the SSH service
is enabled by entering the following command: $ TPCIP SHOW SERV Service Port Proto Process Address State FTP 21 TCP TCPIP$FTP 0.0.0.0 Enabled REXEC 512 TCP TCPIP$REXEC 0.0.0.0 Enabled RLOGIN 513 TCP not defined 0.0.0.0 Enabled RSH 514 TCP TCPIP$RSH 0.0.0.0 Enabled SSH 22 TCP TCPIP$SSH 0.0.0.0 Enabled TELNET 23 TCP not defined 0.0.0.0 Enabled
|
Modify the following SSH
configuration files to enable the Kerberos authentication methods: SYS$SYSDEVICE:[000000.TCPIP$SSH.SSH2] SSH2_CONFIG. (SSH client) SSHD2_CONFIG. (SSH server)
|
In each file, under the 'Authentication' section, you must
add the Kerberos authentication methods you would like to use.
Following is an example that uses all three methods, plus the regular
methods. Make sure you indent and space as the example in the file
shows: AllowedAuthentications gssapi-with-mic, kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, publickey, password, hostbased
|
You should only have one AllowedAuthentications line uncommented.
If there are others that are uncommented, comment them out with
a # sign as shown below: # AllowedAuthentications publickey, keyboard-interactive, password
|
Add the following lines to
SYS$MANAGER:SYSTARTUP_VMS.COM to install the 32-bit Kerberos images
at boot time. They are needed for the Kerberos-based functionality
with SSH: $ INSTALL CREATE SYS$SHARE:KRB$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED $ INSTALL CREATE SYS$SHARE:GSS$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARE
|
If you are using TCP/IP Version
5.6 and Kerberos Version 2.1 and want to use the gssapi-with-mic authentication
method with SSH, you must define the following system logical: $ DEFINE/SYSTEM TCPIP$SSH_KRBRTL_HACK 1
|
Set up the Kerberos symbols,
if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM
file. $ @SYS$MANAGER:KRB$SYMBOLS
|
The following steps should be performed by each
user who will use Kerberized SSH. Log
into the OpenVMS system. Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3 Username: user1 Password:
|
Perform a kinit with
the principal name that matches the OpenVMS username. To do so,
enter one of the following commands at the DCL prompt each time
you start a Kerberized application, such as TCP/IP Services for
OpenVMS SSH. You are then prompted for the password associated with
the principal. (The -f is required for
the kerberos-tgt-2 authentication method.) $ kinit -f “USER1” password for user1@NODE1.HP.COM $ kinit “USER1” password for user1@NODE1.HP.COM
|
Enter the SSH command specifying
the Kerberos authentication method to use and the hostname as follows: $ ssh -o”AllowedAuthentications gssapi-with-mic” node1 Authentication successful. Welcome to OpenVMS (TM) Operating System, Version 8.3 $ ssh -o”AllowedAuthentications kerberos-2@ssh.com” node1 Authentication successful. Welcome to OpenVMS (TM) Operating System, Version 8.3 $ ssh -o”AllowedAuthentications kerberos-tgt-2@ssh.com” node1 Authentication successful. Welcome to OpenVMS (TM) Operating System, Version 8.3 $
|
See the HP TCP/IP
Services for OpenVMS Guide to SSH for more information
about configuring SSH and troubleshooting.
|
|