Open Secure Shell (OpenSSH) is a freely available, open source implementation of the widely used SSH tools, which are used worldwide for communicating securely across networks. It eliminates the possibilities of someone sniffing, taking over, or peeking into your private data by encrypting all communication between two machines. OpenSSH also provides many authentication mechanisms for additional security.
Kerberos is a popular authentication mechanism that provides a secure means of authentication for network users, and it is supported by OpenSSH. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. Kerberos also provides a system for authorization in the form of administering tokens or credentials. OpenSSH software (openssh-3.8.p1) for IBM AIX® Version 5.3 is shipped with AIX Version 5.3 Expansion Pack CDs. OpenSSH Version 3.8 and later supports Kerberos 5 authentication and authorization through the IBM version of Kerberos, known as IBM Network Authentication Service (IBM NAS) Version 1.4. IBM NAS Version 1.4 for AIX can also be installed from the AIX Version 5.3 Expansion Pack CDs.
Microsoft® Active Directory Service is a key component of the Windows® platform, providing the means for various network management and authentication tasks. Kerberos is an integral part of Windows Active Directory implementation, and it is widely used by enterprises as the Key Distribution Center (KDC) for their Kerberos realm. Microsoft Active Directory Service can be configured on Windows Server 2003 and Windows Server 2000.
This article leads you through the steps required to configure Kerberized OpenSSH on AIX Version 5.3 machines, with Microsoft Active Directory Server acting as the KDC. It will prove handy to administrators working in a hybrid environment with multi-vendor solutions made up of AIX Version 5.3 systems as well as Microsoft Active Directory Server.
To follow along with the scenario in this article, you will need to have the Microsoft Active Directory Domain supporting Kerberos service up and running, and you need to successfully configure an AIX IBM NAS Version 1.4 client to it.
OpenSSH and Kerberos (IBM NAS) on AIX Version 5.3
This section goes through the initial steps required to install and configure Kerberos and OpenSSH on AIX server and client machines. Both OpenSSH and Kerberos are shipped on the AIX Version 5.3 Expansion Pack CDs. Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software, which contains the encryption library. OpenSSL is available as RPM packages on the AIX Toolbox for Linux® Applications CD, or you can download the packages from the AIX Toolbox for Linux Applications site (see Resources).
Once you've downloaded OpenSSL to a local directory of your AIX Version 5.3 machine (/tmp in this particular case), install it by running the following command:
# geninstall -d/tmp R:openssl-0.9.6m
You can install OpenSSH using either of the following methods:
smitty->Software Installation and Maintenance->Install and Update Software->Install Software
# geninstall -I"Y" -d/dev/cd0 I:openssh.base
Install the IBM NAS Version 1.4 client and configure it to the Kerberos realm (Active Directory domain), hosted by Microsoft Active Directory Server, acting as the KDC. For details on IBM NAS client installation and its configuration to Microsoft Active Directory Server, read the AIX white paper "Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service" (see Resources).
After successful installation and configuration of the IBM NAS client, you need to configure OpenSSH to use Kerberos for authentication.
Edit the /etc/services file to have following entries:
kerberos 88/udp kdc # Kerberos V5 KDC
kerberos 88/tcp kdc # Kerberos V5 KDC
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
Uncomment the following entries in /etc/ssh/sshd_config to enable the SSH daemon to use Kerberos as the authentication mechanism:
KerberosAuthentication yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
Start the SSH server with the following command:
# startsrc -g ssh
Verify that the SSH server has been started properly using the following command:
# ps -ef | grep ssh
Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service
This section describes a scenario that leads you through the steps required to set up Kerberized SSH on AIX Version 5.3 machines, with Microsoft Active Directory Server acting as the KDC.
It is assumed that you already have Microsoft Active Directory Domain supporting Kerberos service up and running, and that you've successfully configured the AIX IBM NAS Version 1.4 client to it. For detailed information on configuring the IBM NAS Version 1.4 client to Microsoft Active Directory Server, see the IBM NAS Version 1.4 Administration Guide (shipped with AIX Version 5.3 Expansion Pack CD) and the IBM white paper in the Resources section.
For information on installation and configuration of Microsoft Active Directory Server, see the appropriate Microsoft documentation on how to configure a Microsoft Active Directory Server.
The following example uses these definitions:
- Kerberos realm name / domain name: MSKERBEROS.IN.IBM.COM
- KDC (Windows Active Directory Server): hostname windce20.in.ibm.com, OS: Windows Server 2003
- SSH server (sshd): hostname aixdce16.in.ibm.com, OS: AIX Version 5.3
- SSH client: hostname aixdce20.in.ibm.com, OS: AIX Version 5.3
- IBM NAS 1.4 client: hostname aixdce16.in.ibm.com, OS: AIX Version 5.3, and hostname aixdce20.in.ibm.com, OS: AIX Version 5.3
Figure 1 shows the setup of the example.
Figure 1. Example setup
You need to implement the following steps to configure Kerberized SSH on the AIX machines with IBM NAS client for AIX configured to Microsoft Active Directory Server.
- On the Windows Active Directory Server, use the Active Directory Management tool to create a new user account corresponding to the AIX machine running the SSH server. In this case, it is aixdce16.in.ibm.com.
- Open the dialog box to create a new user from the Users folder and complete the following entries:
- First Name = aixdce16.in.ibm.com
- Full Name = aixdce16.in.ibm.com
- User logon Name = aixdce16.in.ibm.com
- User logon Name (pre-Windows 2000) = aixdce16.in.ibm.com
- Provide the Password and choose appropriate check boxes in the password panel.
- Select Finish to complete the user creation.
- Use the Ktpass command from the command line on the Windows Server 2003 machine (windce20.in.ibm.com) to create the krb5.keytab file and set up the account for the AIX host (aixdce16.in.ibm.com), as follows:
Ktpass -princ host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM -mapuser aixdce16.in.ibm.com -pass !sandeep17! -out c:\krb5.keytab
- Copy the krb5.keytab file created in Step 2 above to the /tmp directory of the AIX host system (in this example, copy or ftp it to aixdce16.in.ibm.com). Then merge /tmp/krb5.keytab into the /etc/krb5/krb5.keytab file on the AIX system.
Make sure that the keytab file (/etc/krb5/krb5.keytab) contains the required Kerberos server principal entry with proper key version number. If it does, start the SSH server on the AIX machine (aixdce16.in.ibm.com), as shown below.
Listing 1. Setting up of keytab files on AIX
# hostname
aixdce16
# ktutil
ktutil: rkt /tmp/krb5.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
# kvno host/aixdce16.in.ibm.com
kvno = 1
# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM
# startsrc -g ssh
0513-059 The sshd Subsystem has been started. Subsystem PID is 22698.
Make sure that the key version number reported by the kvno command matches the one shown by klist -k for the host/<hostname> principal entry. If they do not match, you might need to add a new entry for the host/<hostname> principal to the keytab file with the matching key version number.
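The KVNO check described above, written as a small script. This is an added example, not code from the article or from IBM NAS: it parses the text output of klist -k and kvno, so it can be run on captured output; the sample output below is constructed from Listing 1 and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the article: verify that the keytab holds the
# host/<fqdn> principal with the same key version number (KVNO) the KDC reports.
# The parsers take command output as text so captured output can be checked.

# keytab_kvno: highest KVNO that "klist -k" lists for PRINCIPAL (0 if absent).
#   $1 = klist -k output, $2 = principal
keytab_kvno() {
    printf '%s\n' "$1" |
        awk -v p="$2" 'BEGIN { max = 0 } $2 == p && $1+0 > max { max = $1+0 } END { print max }'
}

# kdc_kvno: key version from "kvno host/<fqdn>" output ("... kvno = N"), empty if none.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_kvno_match: returns 0 when keytab and KDC agree, 1 on mismatch or a
# missing entry, 2 if the kvno output is unusable.
#   $1 = klist -k output, $2 = kvno output, $3 = principal
check_kvno_match() {
    k=$(keytab_kvno "$1" "$3")
    d=$(kdc_kvno "$2")
    if [ -z "$d" ]; then echo "kvno reported no key version for $3"; return 2; fi
    if [ "$k" -eq 0 ]; then echo "$3 is missing from the keytab"; return 1; fi
    if [ "$k" -ne "$d" ]; then echo "KVNO mismatch for $3: keytab=$k kdc=$d"; return 1; fi
    echo "OK: $3 has kvno $k in the keytab and at the KDC"
}

# Constructed sample output modelled on Listing 1; the stale variant is what you
# see after the AD account's key was changed (for example, Ktpass run again)
# without merging the new keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM'
SAMPLE_KVNO='host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM: kvno = 1'
STALE_KVNO='host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM: kvno = 2'

# Live use on the SSH server (run with valid Kerberos credentials):
#   check_kvno_match "$(klist -k)" "$(kvno host/aixdce16.in.ibm.com)" \
#       host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM
```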
- On the Windows Active Directory Server, use the Active Directory Management tool to create a new user account with the name matching the user name of a user account present on the AIX machines. In this example, we created a user account with name "sandeep" that is also present on both the AIX machines. See Step 1 above for information on how to create a user account on the Windows Active Directory Server.
Testing the setup
Now you're ready to test the setup and use the Kerberized SSH.
- Log on to aixdce20.in.ibm.com (SSH client) with username sandeep.
- Get valid Kerberos credentials for sandeep with kinit (see Listing 2).
- ssh to aixdce16.in.ibm.com, which runs the SSH server.
Listing 2 below shows the sequence of commands executed on aixdce20.in.ibm.com that established a secure shell session to aixdce16.in.ibm.com using Kerberos as the authentication mechanism, with Microsoft Active Directory Server acting as the KDC.
Listing 2. Sample output showing successful ssh using Kerberos authentication
# hostname
aixdce20
# whoami
sandeep
# kinit sandeep
Password for sandeep@MSKERBEROS.IN.IBM.COM:
# klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: sandeep@MSKERBEROS.IN.IBM.COM
Valid starting     Expires            Service principal
03/27/06 17:40:28  03/28/06 03:40:34  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 03/28/06 17:40:28
# ssh aixdce16.in.ibm.com
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
$ hostname
aixdce16
$ whoami
sandeep
$ pwd
/home/sandeep
$ exit
Connection to aixdce16.in.ibm.com closed.
# hostname
aixdce20
# klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: sandeep@MSKERBEROS.IN.IBM.COM
You now hold valid credentials from the KDC for the principal sandeep, so let's try to log in as root with them, as shown in Listing 3.
Listing 3. Sample output showing unsuccessful ssh for root
# ssh -v root@aixdce16.in.ibm.com
OpenSSH_3.8.1p1, OpenSSL 0.9.6m 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to aixdce16.in.ibm.com [126.96.36.199] port 22.
debug1: Connection established.
..
..
..
debug1: Next authentication method: password
root@aixdce16.in.ibm.com's password:
Connection closed by 188.8.131.52
The debug message Connection established shows that the connection and the authentication as root with sandeep's credentials succeeded; what fails is authorization, and it fails even if you then supply the correct password. Kerberos determined that the principal sandeep@MSKERBEROS.IN.IBM.COM is not allowed to log in as root. By creating the file ~root/.k5login on aixdce16.in.ibm.com and adding sandeep's principal to it, you authorize logins as root with sandeep's principal.
Since the .k5login file overrides the default authorization rule, root also needs to place its own principal in there, or it will not be able to log in using the principal. Listing 4 below shows the contents of .k5login file in root's home directory on aixdce16.in.ibm.com.
Listing 4. Sample output showing the contents of .k5login in root's home directory
# hostname
aixdce16
# cat .k5login
sandeep@MSKERBEROS.IN.IBM.COM
root@MSKERBEROS.IN.IBM.COM
After creating this file, root should be able to log in successfully using the credentials of sandeep.
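The authorization rule just described, modelled in shell so the .k5login override (and the lock-out that happens when root omits its own principal) can be checked before touching a live system. This is an added example, not code from the article or from IBM NAS; the file paths are constructed in a temporary directory and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the article: a model of the authorization decision
# made after Kerberos authentication succeeds, plus an audit helper for the
# .k5login pitfall described above. File paths are constructed.

# k5login_allows: return 0 if PRINCIPAL may log in as LOCAL_USER.
#   $1 = local account, $2 = authenticated principal, $3 = default realm,
#   $4 = path of the account's .k5login (may not exist)
k5login_allows() {
    if [ -f "$4" ]; then
        # A .k5login file replaces the default rule: only listed principals pass.
        grep -qx "$2" "$4"
    else
        # Default rule: the principal must be <account>@<default realm>.
        [ "$2" = "$1@$3" ]
    fi
}

# k5login_audit: warn when a .k5login omits the account's own principal, which
# locks the account out of Kerberos logins under its own name.
#   $1 = local account, $2 = default realm, $3 = path of the .k5login
k5login_audit() {
    [ -f "$3" ] || { echo "$1: no .k5login, default rule applies"; return 0; }
    if grep -qx "$1@$2" "$3"; then
        echo "$1: .k5login lists its own principal $1@$2"; return 0
    fi
    echo "WARNING $1: .k5login exists but omits $1@$2"; return 1
}

# Constructed .k5login files modelled on Listing 4 (realm from the article).
REALM=MSKERBEROS.IN.IBM.COM
K5DIR=$(mktemp -d)
printf '%s\n' "sandeep@$REALM" "root@$REALM" > "$K5DIR/k5login_full"
printf '%s\n' "sandeep@$REALM" > "$K5DIR/k5login_sandeep_only"

# Expected decisions for root on aixdce16:
#   no .k5login:   sandeep@REALM denied, root@REALM allowed
#   sandeep only:  sandeep@REALM allowed, root@REALM DENIED (the pitfall)
#   full file:     both allowed, audit reports OK
```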
Listing 5. Sample output showing successful ssh for root using credentials of sandeep
$ klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_204
Default principal: sandeep@MSKERBEROS.IN.IBM.COM
Valid starting     Expires            Service principal
04/13/06 19:41:56  04/14/06 05:37:50  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 04/14/06 19:41:56
$ ssh root@aixdce16.in.ibm.com
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
#
This article showed how administrators can make use of Kerberized OpenSSH on AIX Version 5.3 systems using Microsoft Active Directory Server as the KDC. If your environment does not use Microsoft Active Directory Server and you wish to use Kerberized OpenSSH on AIX Version 5.3 systems, we recommend you install and configure IBM NAS Version 1.4 Server on one of your AIX systems, which will act as the KDC.
- Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service: Read this white paper to learn about using Kerberos as an alternative authentication mechanism to AIX using Windows 2000/2003 server Kerberos Service.
- "A Kerberos primer" (developerWorks, November 2001): Learn about Kerberos and some of its features.
- "OpenSSH is now bundled with AIX" (developerWorks, February 2006): Read this article for details about the installation and configuration of OpenSSH on AIX.
- OpenSSH and Kerberos Version 5 support: Read this section of the AIX documentation for a good overview.
- OpenSSH: Learn all about OpenSSH.
- Managing AIX Server Farms: Chapter 4 of this IBM Redbook has details about using OpenSSH with AIX.
Get products and technologies
- AIX Toolbox for Linux Applications: Get open source packages available for installation on AIX 5L.
- Download OpenSSH on AIX.
- AIX 5L Expansion Pack and Web Download Pack: Start downloading now.