Configure single sign-on authentication on AIX

Single sign-on (SSO) is a mechanism that allows a user to access resources across multiple systems by just authenticating to the server once. This method is quite helpful in scenarios where the user database is centralized (like LDAP). Users can authenticate on one system and then access multiple systems.


Uma Chandolu (uchandol@in.ibm.com), AIX Development Support Security, IBM

Uma M. Chandolu works as a Development Support Specialist on AIX. He is currently the team lead of the AIX Security Development Support team at IBM Bangalore. He has three years of extensive hands-on experience in AIX environments, and demonstrated expertise in AIX system administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. He has been recognized as an IBM developerWorks Contributing Author. You can reach him at uchandol@in.ibm.com.



Faraz Ahmad (farahmad@in.ibm.com), Software Engineer, IBM  

Faraz Ahmad works as a software engineer for IBM on the AIX Development Support Security team in Bangalore, India. He has two years of extensive hands-on experience in AIX environments, and is one of the focal points in the AIX support security area. He has demonstrated expertise in the AIX security component, system administration, client interaction and handling customers' critical situations. You can reach him at farahmad@in.ibm.com.



22 September 2009


Overview

Why would single sign-on (SSO) be an advantage to your system? The main advantage is that if the user's credentials are stored centrally, he can just authenticate once to the server and start using the resources across all the systems. The users do not have to authenticate to each individual client in order to access the resources.

SSO can also improve the productivity of network users, reduce the cost of network operations, and improve network security.

Figure 1. SSO authentication on AIX®

Figure 1 shows how SSO authentication works when AIX is configured against a centralized authentication server such as the Microsoft® Windows® Active Directory server.

When the user logs on to AIX client1 using SSH or telnet, the user is prompted for a password. The password is sent to the centralized server, which verifies the user's identity and then issues a ticket to the user. The user can present the same ticket to other AIX client systems without having to re-enter the password.

See the Resources section for information on configuring Kerberized open SSH on AIX.


Advantages of the SSO authentication mechanism

SSO provides many benefits such as:

  • Single sign-on uses the centralized server for authentication, so the same credentials can be used for accessing any of the client systems.
  • SSO reduces the time spent re-entering the same user name and password.
  • SSO reduces the network traffic to the centralized server.
  • SSO uses the same authentication method for all users and all applications to prove their identity.
  • SSO reduces operational cost and time to access data.
  • Users do not have to remember too many passwords.

Scope

This article covers how to configure an AIX Kerberos client with Microsoft Windows Active Directory server as the Kerberos Key Distribution Center (KDC), and how to implement the single sign-on authentication mechanism between various AIX Kerberos clients.


Configuring a Microsoft Active Directory server

Refer to the Resources section for documentation to configure Microsoft Active Directory server on Windows 2003.

Also make sure that the KDC is up and running. This can be verified from the Services window (Programs -> Administrative Tools -> Services). If the Kerberos Key Distribution Center service is not running, right-click it and choose Start.


Configuring an AIX Kerberos client with Microsoft Active Directory server

Install the Kerberos filesets on an AIX client system using the smit or installp command. These filesets are available on AIX expansion CDs or they can be downloaded (See the Resources section for download information).

# lslpp -l | grep krb5
  krb5.client.rte            1.4.0.7  COMMITTED  Network Authentication Service
  krb5.client.samples        1.4.0.7  COMMITTED  Network Authentication Service
  krb5.msg.en_US.client.rte  1.4.0.7  COMMITTED  Network Auth Service Client

Make sure that the Microsoft Active Directory server is reachable from the AIX clients. Then follow these steps to configure the AIX Kerberos client against the Microsoft Active Directory server.

  1. If a Kerberos client was configured previously on this AIX system, remove that configuration with the following command; otherwise skip this step.
     # /usr/sbin/unconfig.krb5
     Warning: All configuration information will be removed.
     Do you wish to continue? [y/n]
      y
     Removing configuration...
     The command completed successfully
  2. Configure the AIX Kerberos client using the config.krb5 command. Here Microsoft Active Directory 2003 is chosen as the Kerberos server. The following options need to be used with the config.krb5 command.
    • -r realm = Windows 2003 Active Directory server domain name
    • -d domain = Domain name of the machine hosting the Windows 2003 Active Directory server
    • -c KDC = Host name of the Windows 2003 server
    • -s server = Host name of the Windows 2003 server
    #config.krb5 -C -r ZTRANS.IBM.COM -d in.ibm.com -c windows2k3.in.ibm.com 
         -s windows2k3.in.ibm.com 
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type... 
    Creating /etc/krb5/krb5.conf... 
    The command completed successfully.
  3. The Microsoft Windows Active Directory server does not support all of the encryption types that the AIX Kerberos client can use. Make the following changes to the /etc/krb5/krb5.conf file so that the ticket encryption types match what the server supports.

     Edit the file to look as follows:

          ...
             default_tkt_enctypes = des-cbc-crc des-cbc-md5
             default_tgs_enctypes = des-cbc-crc des-cbc-md5

     The single-DES types listed here are what this Windows 2003 setup used; they are cryptographically weak, so where the server supports stronger types, list those instead.
  4. Add the following entries to the "/usr/lib/security/methods.cfg" file:

        KRB5A:
                program = /usr/lib/security/KRB5A
                options = authonly

        KRB5Afiles:
                options = db=BUILTIN,auth=KRB5A
  5. On the Microsoft Windows 2003 Active Directory server, create a user account for the AIX client whose name is the AIX host name.

    For example, in this case the AIX client's hostname is indus52.in.ibm.com. So create a user on the Windows Active Directory as indus52. While creating the user, it prompts for the user's password. Provide a valid password for the user.

  6. On the Microsoft Active Directory Server, run the ktpass command to generate the keytab file for the AIX client.

    By default, the ktpass command will not be installed on the Windows 2003 server. This command can be installed from the Windows 2003 CD under the "support tools" directory.

    ktpass -princ host/indus52.in.ibm.com@ZTRANS.IBM.COM -mapuser indus52
         -pass admin -kvno 3 -out indus52.keytab

    Note that on Windows 2003, ktpass sets the KVNO (key version number) to 1 by default. When the AIX client connects, AD 2003 always answers with KVNO 3, which does not match the entry in the keytab file. Generate the keytab with KVNO 3 by passing the -kvno 3 option.

    Copy this keytab (indus52.keytab) file to the AIX Kerberos client (indus52.in.ibm.com) in binary mode.

  7. Merge the copied file into the /etc/krb5/krb5.keytab file using the ktutil command.
    $ ktutil
      ktutil: rkt indus52.keytab
      ktutil: wkt /etc/krb5/krb5.keytab
      ktutil: q

    Use the list command in ktutil to see the contents of the keytab:

    ktutil: list
    Slot   KVNO   Principal
    -----  -----  -----------------------------------------------
    1      3      host/indus52.in.ibm.com@ZTRANS.IBM.COM
  8. Create a user on the AIX client that corresponds to the Windows 2003 user account.

    Make sure that user attributes are configured properly on the AIX Kerberos client for the user to authenticate against the AIX client.

  9. Use kinit to check that the user is authenticated against the Kerberos server:
     # /usr/krb5/bin/kinit test
     Password for test@ZTRANS.IBM.COM:
     #
  10. Verify that the newly created user is able to log in to the AIX client using ssh or telnet.
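
The following pre-flight check is an added example, not part of the original article: it parses the keytab listing from step 7 and the methods.cfg stanzas from step 4 and flags the KVNO mismatch the note in step 6 warns about. The host principal, realm and KVNO values are taken from the article; the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not part of the original article: a pre-flight check for the
# AIX Kerberos client set up in the steps above. Each check reads text passed
# as its argument, so on a real client feed it the output of "ktutil" list and
# the contents of /usr/lib/security/methods.cfg; the samples at the bottom are
# constructed from the article's values (host indus52, realm ZTRANS.IBM.COM).

HOST_PRINC='host/indus52.in.ibm.com@ZTRANS.IBM.COM'
AD2003_KVNO=3   # AD 2003 answers with KVNO 3, so the keytab entry must carry 3

# keytab_kvno_ok "<ktutil list output>": 0 if the host principal is present
# with the expected KVNO, 1 if it has another KVNO (the ktpass default is 1),
# 2 if the principal is missing from the keytab.
keytab_kvno_ok() {
    printf '%s\n' "$1" | awk -v p="$HOST_PRINC" -v k="$AD2003_KVNO" '
        $3 == p { found = 1; if ($2 == k) ok = 1 }
        END { if (!found) exit 2; exit ok ? 0 : 1 }'
}

# methods_cfg_ok "<methods.cfg text>": 0 if the KRB5A and KRB5Afiles stanzas
# carry exactly the program/options lines the article adds, 1 otherwise.
methods_cfg_ok() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[A-Za-z0-9_]+:[ \t]*$/ { gsub(/[ \t:]/, ""); stanza = $0; next }
        /=/ { i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
              gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
              cfg[stanza "." key] = val }
        END { good = (cfg["KRB5A.program"] == "/usr/lib/security/KRB5A" &&
                      cfg["KRB5A.options"] == "authonly" &&
                      cfg["KRB5Afiles.options"] == "db=BUILTIN,auth=KRB5A")
              exit good ? 0 : 1 }'
}

# Constructed sample inputs (what "ktutil: list" and methods.cfg look like
# after steps 4 and 7); KEYTAB_LIST_BAD is a keytab made without -kvno 3.
KEYTAB_LIST='Slot  KVNO  Principal
----  ----  --------------------------------------
1     3     host/indus52.in.ibm.com@ZTRANS.IBM.COM'
KEYTAB_LIST_BAD='1     1     host/indus52.in.ibm.com@ZTRANS.IBM.COM'
METHODS_CFG='KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A'

keytab_kvno_ok "$KEYTAB_LIST" && echo "keytab: $HOST_PRINC present with KVNO $AD2003_KVNO"
keytab_kvno_ok "$KEYTAB_LIST_BAD" || echo "keytab (bad sample): KVNO mismatch, rc=$?"
methods_cfg_ok "$METHODS_CFG" && echo "methods.cfg: KRB5A and KRB5Afiles stanzas OK"
```

On a real client, run `keytab_kvno_ok "$(printf 'list\nq\n' | ktutil)"` and `methods_cfg_ok "$(cat /usr/lib/security/methods.cfg)"`; a return code of 1 from the first check is the KVNO 1 versus 3 mismatch described in step 6.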

Implementing SSO authentication on AIX

Make sure that the AIX Kerberos client is successfully configured to the Windows Active Directory server and verify that the users are able to log in successfully using the ssh/telnet protocol.

Follow these steps to implement SSO on AIX. The steps are the same when AIX is configured as a client of an AIX Kerberos LDAP server.

  1. Enable the authentication method on AIX systems using the chauthent command. The chauthent command sets the desired authentication method based on the flags the user sets. By default, the AIX system is configured with the standard AIX authentication mechanism. Configure the Kerberos authentication mechanism on the system using the chauthent command as follows:
    # chauthent -k5 -std

    The lsauthent command lists the authentication method that was configured on the system:

    #lsauthent
    Kerberos 5
    Standard AIX
  2. Log in with a test user using telnet/SSH and generate a forwardable ticket for a Kerberos user using the /usr/krb5/bin/kinit command:
    # /usr/krb5/bin/kinit -f test
    Password for test@ZTRANS.IBM.COM:
    #

    The kinit command generates a forwardable ticket for the test user. The attributes of the ticket can be listed using the klist command with the -f option:

    #/usr/krb5/bin/klist -f
    Ticket cache: /tmp/krb5cc_320
    Default principal: test@ZTRANS.IBM.COM
    Valid starting      Expires             Service principal
    31/03/08 19:06:25  31/03/00 19:16:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
            Flags: FRIA

    The flags mean:

    • F - Forwardable
    • R - Renewable
    • I - Initial
    • A - Preauthenticated

    Users can use this forwardable ticket to telnet or SSH to other AIX clients without providing the password.

    The telnet command can be used as follows on the system:

    # telnet -F -l test indus61.in.ibm.com
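
As an added readiness check (not part of the original article), the script below parses the lsauthent and klist -f listings shown in steps 1 and 2 and reports whether a forwardable TGT is available before telnet -F or SSH is attempted. The sample listings are constructed from the article's output; KLIST_NOFWD is what kinit without -f would produce.

```sh
#!/bin/sh
# Added example, not from the original article: before trying "telnet -F",
# confirm that Kerberos logins are enabled on this client and that the cached
# TGT is really forwardable. The inputs are the outputs of "lsauthent" and
# "/usr/krb5/bin/klist -f"; the samples below are constructed from the
# article's listings (KLIST_NOFWD is what you get after kinit without -f).

# kerberos_enabled "<lsauthent output>": 0 if "Kerberos 5" is an active method
kerberos_enabled() {
    printf '%s\n' "$1" | grep -q '^Kerberos 5$'
}

# tgt_forwardable "<klist -f output>": 0 if the krbtgt ticket for the default
# principal's realm carries the F flag, 1 if it does not, 2 if there is no TGT.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /^Default principal:/ { split($3, p, "@"); realm = p[2] }
        realm != "" && index($0, "krbtgt/" realm "@" realm) { tgt = 1; want = 1; next }
        want && $1 == "Flags:" { want = 0; if (index($2, "F")) fwd = 1 }
        END { if (!tgt) exit 2; exit fwd ? 0 : 1 }'
}

LSAUTHENT='Kerberos 5
Standard AIX'
KLIST_FWD='Ticket cache: /tmp/krb5cc_320
Default principal: test@ZTRANS.IBM.COM
Valid starting      Expires             Service principal
31/03/08 19:06:25   31/03/08 19:16:25   krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
        Flags: FRIA'
KLIST_NOFWD='Ticket cache: /tmp/krb5cc_320
Default principal: test@ZTRANS.IBM.COM
Valid starting      Expires             Service principal
31/03/08 19:06:25   31/03/08 19:16:25   krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
        Flags: RIA'

# sso_ready "<lsauthent output>" "<klist -f output>": 0 only when both checks hold
sso_ready() {
    kerberos_enabled "$1" || { echo "Kerberos 5 not enabled; run: chauthent -k5 -std"; return 1; }
    tgt_forwardable "$2" || { echo "TGT missing or not forwardable; run: kinit -f <user>"; return 1; }
    echo "ready: forwardable TGT present, telnet -F / ssh can reuse it"
}

sso_ready "$LSAUTHENT" "$KLIST_FWD"
sso_ready "$LSAUTHENT" "$KLIST_NOFWD"
```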

Resources
