Configure single sign-on authentication on AIX
Why would single sign-on (SSO) be an advantage for your system? The main advantage is that when a user's credentials are stored centrally, the user authenticates once to the server and can then use resources across all the systems; there is no need to authenticate to each individual client in order to access its resources.
SSO can also improve the productivity of network users, reduce the cost of network operations, and improve network security.
Figure 1. SSO authentication on AIX®
Figure 1 shows how SSO authentication works when AIX is configured against a centralized authentication server such as the Microsoft® Windows® Active Directory server.
When the user logs on to AIX client1 using SSH or telnet, the user is prompted to enter a password. The user's password is sent to the centralized server to prove the user's identity. Once the identity is verified, the server issues a service ticket to the user. The user can then use the same service ticket to access other AIX client systems without having to re-enter the password.
See the Related topics section for information on configuring Kerberized open SSH on AIX.
Advantages of the SSO authentication mechanism
SSO provides many benefits such as:
- Single sign-on uses the centralized server for authentication, so the same credentials can be used for accessing any of the client systems.
- SSO reduces the time spent re-entering user names and passwords for the same user.
- SSO reduces the network traffic to the centralized server.
- SSO uses the same authentication method for all users and all applications to prove their identity.
- SSO reduces operational cost and time to access data.
- Users do not have to remember as many passwords.
This article covers how to configure an AIX Kerberos client with Microsoft Windows Active Directory server as the Kerberos Key Distribution Center (KDC), and how to implement the single sign-on authentication mechanism between various AIX Kerberos clients.
Configuring a Microsoft Active Directory server
Refer to the Related topics section for documentation to configure Microsoft Active Directory server on Windows 2003.
Also make sure that the KDC is up and running. This can be verified from the Services window (Programs -> Administrative Tools -> Services). If the Kerberos KDC is not running, right-click it and choose the Start option to start the KDC server.
Configuring an AIX Kerberos client with Microsoft Active Directory server
Install the Kerberos filesets on an AIX client system using the smit or installp command. These filesets are available on AIX expansion CDs or they can be downloaded (See the Related topics section for download information).
    # lslpp -l | grep krb5
      krb5.client.rte            220.127.116.11  COMMITTED  Network Authentication Service
      krb5.client.samples        18.104.22.168   COMMITTED  Network Authentication Service
      krb5.msg.en_US.client.rte  22.214.171.124  COMMITTED  Network Auth Service Client

Make sure that the Microsoft Active Directory server is reachable from the AIX clients. Then follow these steps to configure the AIX Kerberos client against the Microsoft Active Directory server.
If a Kerberos client was configured previously on the AIX system, remove the old configuration with the following command; otherwise, skip this step.

    # /usr/sbin/unconfig.krb5
    Warning: All configuration information will be removed.
    Do you wish to continue? [y/n] y
    Removing configuration...
    The command completed successfully
Configure the AIX Kerberos client using the config.krb5 command. Here Microsoft Active Directory 2003 is the Kerberos server. The following options are used with the config.krb5 command:
- -r realm = Windows 2003 Active Directory server domain name
- -d domain = Domain name of the machine hosting the Windows 2003 Active Directory server
- -c KDC = Host name of the Windows 2003 server
- -s server = Host name of the Windows 2003 server
    # config.krb5 -C -r ZTRANS.IBM.COM -d in.ibm.com -c windows2k3.in.ibm.com -s windows2k3.in.ibm.com
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    The command completed successfully.
The Microsoft Windows Active Directory server does not support all of the encryption types, so the ticket encryption types requested by the AIX client must be restricted in /etc/krb5/krb5.conf to ones the server supports. Edit the file so that the following lines read:

    ....
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5

Single-DES types such as these are cryptographically weak and are disabled by default on later Windows releases, so against a newer KDC this list has to be changed to the types that KDC actually offers.
Add the following stanzas to the /usr/lib/security/methods.cfg file:

    KRB5A:
            program = /usr/lib/security/KRB5A
            options = authonly

    KRB5Afiles:
            options = db=BUILTIN,auth=KRB5A
On the Microsoft Windows 2003 Active Directory server, create a user account for the AIX client, named after the AIX client's host name.
For example, in this case the AIX client's host name is indus52.in.ibm.com, so create a user named indus52 in Active Directory. When the user is created, you are prompted for the user's password; provide a valid password for the user.
On the Microsoft Active Directory server, run the ktpass command to generate the keytab file for the AIX client.
By default, the ktpass command is not installed on the Windows 2003 server. It can be installed from the Windows 2003 CD, under the "support tools" directory.

    ktpass -princ host/indus52.in.ibm.com@ZTRANS.IBM.COM -mapuser indus52 -pass admin -kvno 3 -out indus52.keytab

Note that on Windows 2003, ktpass by default records a KVNO (key version number) of 1 in the keytab, whereas AD 2003 always returns KVNO 3 when the AIX client connects, which does not match the KVNO in the keytab file. Generate the keytab with KVNO 3 by passing the -kvno 3 option.
Copy this keytab file (indus52.keytab) to the AIX Kerberos client (indus52.in.ibm.com) in binary mode.
Merge the copied file into the /etc/krb5/krb5.keytab file using the ktutil command:

    $ ktutil
    ktutil: rkt indus52.keytab
    ktutil: wkt /etc/krb5/krb5.keytab
    ktutil: q

Use the list command in ktutil to see the contents of the keytab:

    ktutil: list
    Slot  KVNO  Principal
    ----  ----  ---------------------------------------
       1     3  host/indus52.in.ibm.com@ZTRANS.IBM.COM
- Create a user on the AIX client that corresponds to the Windows 2003 user account, and make sure that the user's attributes are configured properly on the AIX Kerberos client so that the user can authenticate on it.
- Use kinit to check that the user is authenticated against the Kerberos server:

    # /usr/krb5/bin/kinit test
    Password for test@ZTRANS.IBM.COM:
    #

- Verify that the newly created user is able to log in to the AIX client using ssh or telnet.
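When the login in the last step fails, the cause is usually one of three things: the host principal is missing from /etc/krb5/krb5.keytab, the KVNO in the keytab does not match what the AD server reports, or krb5.conf still requests encryption types the KDC does not offer. The POSIX shell script below is an added example, not part of the original article or of the AIX Kerberos tools; it checks those three points from text you already have on hand (the krb5.conf contents and the output of "ktutil: list"). The function names (check_client, keytab_kvno, conf_value, enctype_ok) are the example's own, and the inputs embedded in it are constructed samples modelled on the listings above, with a [libdefaults] header and default_realm line assumed; on a real client, feed it the real file and the real ktutil output.

```shell
#!/bin/sh
# Added example (not from the article): post-configuration checks for an AIX
# Kerberos client set up against a Windows 2003 AD KDC as described above.
# The inputs below are CONSTRUCTED samples modelled on the article's output;
# on a real client use conf=$(cat /etc/krb5/krb5.conf) and the text printed
# by "ktutil: list" after "rkt /etc/krb5/krb5.keytab".

# Constructed sample of /etc/krb5/krb5.conf after the enctype edit. The
# [libdefaults] header and default_realm line are assumed, not from the article.
SAMPLE_KRB5_CONF='[libdefaults]
        default_realm = ZTRANS.IBM.COM
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5'

# Constructed sample of "ktutil: list" output with the correct KVNO (3).
SAMPLE_KTUTIL_LIST='Slot KVNO Principal
------ ----------- -----------------------------------------------
1 3 host/indus52.in.ibm.com@ZTRANS.IBM.COM'

# Constructed sample of what ktpass writes without -kvno 3 (KVNO 1).
BAD_KTUTIL_LIST='Slot KVNO Principal
------ ----------- -----------------------------------------------
1 1 host/indus52.in.ibm.com@ZTRANS.IBM.COM'

# Encryption types the Windows 2003 KDC offers, per the krb5.conf edit above.
KDC_ENCTYPES='des-cbc-crc des-cbc-md5'

# keytab_kvno LISTING PRINCIPAL -> prints the KVNO recorded for PRINCIPAL, or nothing
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { print $2; exit }'
}

# conf_value CONF KEY -> prints the value of "KEY = value" (first match), or nothing
conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# enctype_ok LIST -> 0 if LIST shares at least one type with KDC_ENCTYPES
enctype_ok() {
    for t in $KDC_ENCTYPES; do
        case " $1 " in *" $t "*) return 0 ;; esac
    done
    return 1
}

# check_client CONF LISTING HOST REALM EXPECTED_KVNO -> 0 if every check passes;
# otherwise prints one line per problem and returns 1
check_client() {
    conf=$1 listing=$2 host=$3 realm=$4 want_kvno=$5 rc=0
    princ="host/$host@$realm"

    kvno=$(keytab_kvno "$listing" "$princ")
    if [ -z "$kvno" ]; then
        echo "FAIL: $princ is not in the keytab (check ktpass -princ and ktutil rkt/wkt)"
        rc=1
    elif [ "$kvno" != "$want_kvno" ]; then
        echo "FAIL: keytab KVNO is $kvno but the KDC reports $want_kvno (rerun ktpass with -kvno $want_kvno)"
        rc=1
    fi

    for key in default_tkt_enctypes default_tgs_enctypes; do
        if ! enctype_ok "$(conf_value "$conf" "$key")"; then
            echo "FAIL: $key in krb5.conf lists no type the KDC offers ($KDC_ENCTYPES)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed samples: the correct listing passes and
# the default ktpass listing (KVNO 1) is caught.
check_client "$SAMPLE_KRB5_CONF" "$SAMPLE_KTUTIL_LIST" indus52.in.ibm.com ZTRANS.IBM.COM 3 \
    && echo "client configuration OK"
check_client "$SAMPLE_KRB5_CONF" "$BAD_KTUTIL_LIST" indus52.in.ibm.com ZTRANS.IBM.COM 3 \
    || echo "client configuration needs attention"
```

The expected KVNO is passed in rather than hard-coded because it is a property of the AD account, not of the client; the value 3 used here is the one the article reports for AD 2003.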
Implementing SSO authentication on AIX
Make sure that the AIX Kerberos client is successfully configured against the Windows Active Directory server and that users can log in successfully over ssh or telnet.
Follow these steps to implement SSO on AIX. The steps are the same when AIX is configured as a client of the AIX Kerberos LDAP server.
- Enable the Kerberos authentication method on the AIX systems using the chauthent command. The chauthent command sets the authentication methods according to the flags given; by default, an AIX system is configured with the standard AIX authentication mechanism only. The flags are tried in the order given, so the following command tries Kerberos 5 first and falls back to standard AIX authentication:

    # chauthent -k5 -std

The lsauthent command lists the authentication methods configured on the system:

    # lsauthent
    Kerberos 5
    Standard AIX
- Log in as a test user using telnet or SSH and generate a forwardable ticket for the Kerberos user using the /usr/krb5/bin/kinit command:

    # /usr/krb5/bin/kinit -f test
    Password for test@ZTRANS.IBM.COM:
    #

The kinit command generates a forwardable ticket for the test user. The attributes of the ticket can be listed with the klist command and its -f option:

    # /usr/krb5/bin/klist -f
    Ticket cache:  /tmp/krb5cc_320
    Default principal:  test@ZTRANS.IBM.COM

    Valid starting     Expires            Service principal
    31/03/08 19:06:25  31/03/00 19:16:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
            Flags: FRIA
The flag letters mean:
- F - Forwardable
- R - Renewable
- I - Initial
- A - Preauthenticated
Users can use this forwardable ticket to log in over telnet or SSH to other AIX clients without providing a password. The -F option of telnet forwards the credentials to the remote host; for example:

    # telnet -F -l test indus61.in.ibm.com
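Before relying on telnet -F (or a Kerberized SSH login) to reach another client, it is worth confirming that the credential cache really holds a forwardable TGT that has not expired; without the F flag the ticket cannot be forwarded and the single sign-on does not happen. The POSIX shell script below is an added example, not code from the article or from the AIX Kerberos tools: it parses klist -f output for the TGT's flags and expiry and expands the flag letters using the legend above. The function names (tgt_flags, tgt_expiry, describe_flags, sortable, tgt_usable) are the example's own, the two listings embedded in it are constructed samples in the format shown above (with a later, made-up expiry time, and one taken without -f), and it assumes klist prints dates as dd/mm/yy with years in the 2000s, as the article's output does.

```shell
#!/bin/sh
# Added example (not from the article): confirm that the credential cache holds
# a forwardable, unexpired TGT before relying on "telnet -F" to another client.
# Inputs are CONSTRUCTED klist -f listings in the format shown above; on a real
# client use listing=$(/usr/krb5/bin/klist -f) and now=$(date '+%d/%m/%y %H:%M:%S').
# Assumption: klist prints dates as dd/mm/yy and the years are in the 2000s.

# Constructed listing after "kinit -f" (flags FRIA); the expiry time is made up.
SAMPLE_KLIST_FWD='Ticket cache:  /tmp/krb5cc_320
Default principal:  test@ZTRANS.IBM.COM

Valid starting     Expires            Service principal
31/03/08 19:06:25  01/04/08 05:06:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
        Flags: FRIA'

# Constructed listing after a plain "kinit" without -f: the F flag is absent.
SAMPLE_KLIST_NOFWD='Ticket cache:  /tmp/krb5cc_320
Default principal:  test@ZTRANS.IBM.COM

Valid starting     Expires            Service principal
31/03/08 19:06:25  01/04/08 05:06:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
        Flags: RIA'

# tgt_flags LISTING REALM -> prints the flag letters of the krbtgt/REALM@REALM
# ticket (the "Flags:" line after the TGT entry), or nothing if there is no TGT
tgt_flags() {
    printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" '
        found && $1 == "Flags:" { print $2; exit }
        $NF == tgt { found = 1 }'
}

# tgt_expiry LISTING REALM -> prints the "Expires" date and time of the TGT entry
tgt_expiry() {
    printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" '$NF == tgt { print $3, $4; exit }'
}

# describe_flags LETTERS -> expands the klist flag letters using the legend above
describe_flags() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= length($0); i++) {
            ch = substr($0, i, 1)
            if (ch == "F") w = "Forwardable"
            else if (ch == "R") w = "Renewable"
            else if (ch == "I") w = "Initial"
            else if (ch == "A") w = "Preauthenticated"
            else w = "unknown(" ch ")"
            printf "%s%s", (i > 1 ? " " : ""), w
        }
        printf "\n"
    }'
}

# sortable DATE TIME -> turns "dd/mm/yy HH:MM:SS" into yyyymmddHHMMSS so two
# timestamps can be compared numerically (assumes the year is 20yy)
sortable() {
    printf '%s %s\n' "$1" "$2" | awk -F'[/ :]' '{ printf "20%s%s%s%s%s%s\n", $3, $2, $1, $4, $5, $6 }'
}

# tgt_usable LISTING REALM NOW -> 0 if the TGT is forwardable and still valid at
# NOW (given as "dd/mm/yy HH:MM:SS"); otherwise prints the reason and returns 1
tgt_usable() {
    flags=$(tgt_flags "$1" "$2")
    if [ -z "$flags" ]; then
        echo "no TGT for $2 in the cache; run kinit -f"
        return 1
    fi
    case $flags in
        *F*) ;;
        *) echo "TGT is $(describe_flags "$flags"): not forwardable, run kinit -f"
           return 1 ;;
    esac
    exp=$(tgt_expiry "$1" "$2")
    if [ "$(sortable ${exp% *} ${exp#* })" -le "$(sortable ${3% *} ${3#* })" ]; then
        echo "TGT expired at $exp; run kinit -f again"
        return 1
    fi
    return 0
}

# Demonstration on the constructed listings.
tgt_usable "$SAMPLE_KLIST_FWD" ZTRANS.IBM.COM "31/03/08 20:00:00" \
    && echo "TGT is $(describe_flags "$(tgt_flags "$SAMPLE_KLIST_FWD" ZTRANS.IBM.COM)"): safe to use telnet -F"
tgt_usable "$SAMPLE_KLIST_NOFWD" ZTRANS.IBM.COM "31/03/08 20:00:00" \
    || echo "single sign-on would fail with this cache"
```

Taking NOW as a parameter instead of calling date inside the function keeps the check deterministic, which is what makes it testable and also lets it be run against a saved klist listing from a user's failed session.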
Related topics
- Kerberos LDAP master-slave configuration management: an overview of configuring the Kerberos LDAP master-slave mechanism.
- Integrating AIX into Heterogeneous LDAP Environments: this IBM Redbook is a technical planning reference for IT organizations that are adding AIX 5L clients to an existing LDAP authentication and user management environment.
- LDAP configuration management and troubleshooting on AIX (developerWorks, May 2007): an overview of LDAP configuration and management.
- Configuring kerberized OpenSSH on AIX: http://www.ibm.com/developerworks/aix/library/au-secureopenssh/index.html
- Step-by-step documentation for configuring a Microsoft Active Directory server on Windows 2003: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/admng.mspx