Secure communication with Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service

Your data is safe with SSH and IBM Network Authentication Services on Version AIX 5.3

Sandeep Ramesh Patil (rsandeep@in.ibm.com), Staff Software Engineer, IBM

Sandeep Ramesh Patil is a Advisory Software Engineer for the IBM India Software Labs. He has worked for IBM for the past seven years, focusing on distributed technology including DCE, SARPC, and security products such as the IBM Network Authentication Services (IBM Kerberos). He is currently developing new features and implementing security-related RFC for the IBM Network Authentication Service, along with its product support. Sandeep holds a BE degree in computer science and engineering from the University of Pune, India. You can contact him at sandeep.patil@in.ibm.com.

Manish Katiyar (manish.katiyar@in.ibm.com), System Software Engineer, IBM

Manish Katiyar is a System Software Engineer for the IBM India Software Labs. He has worked for IBM for the past three years, focusing on SARPC, and has experience on Data Warehousing tools (Ab-Initio). Manish holds a Bachelor of Technology degree in Chemical Engineering from the Indian Institute of Technology Kharagpur, India. You can contact him at manish.katiyar@in.ibm.com.

Summary: Discover how you can configure the Kerberized Open Secure Shell (OpenSSH) on AIX® Version 5.3 machines that have Microsoft® Active Directory Server to act as the Key Distribution Center (KDC). OpenSSH encrypts traffic, including passwords, to eliminate eavesdropping, taking over your connection, or peeking into your data. If you work in a hybrid environment with multi-vendor solutions on AIX Version 5.3 systems, then you'll find this article extremely useful.

Tag this!

Date: 13 Jun 2006
Level: Intermediate
Activity: 2349 views

Introduction

Open Secure Shell (OpenSSH) is a freely available, open source implementation of the widely used SSH tools, which are used worldwide for communicating securely across networks. It eliminates the possibilities of someone sniffing, taking over, or peeking into your private data by encrypting all communication between two machines. OpenSSH also provides many authentication mechanisms for additional security.

Kerberos is a popular authentication mechanism that provides a secure means of authentication for network users, and it is supported by OpenSSH. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. Kerberos also provides a system for authorization in the form of administering tokens or credentials. OpenSSH software (openssh-3.8.p1) for IBM AIX® Version 5.3 is shipped with AIX Version 5.3 Expansion Pack CDs. OpenSSH Version 3.8 and later supports Kerberos 5 authentication and authorization through the IBM version of Kerberos, known as IBM Network Authentication Service (IBM NAS) Version 1.4. IBM NAS Version 1.4 for AIX can also be installed from the AIX Version 5.3 Expansion Pack CDs.

Microsoft® Active Directory Service is a key component of the Windows® platform, providing the means for various network management and authentication tasks. Kerberos is an integral part of Windows Active Directory implementation, and it is widely used by enterprises as the Key Distribution Center (KDC) for their Kerberos realm. Microsoft Active Directory Service can be configured on Windows Server 2003 and Windows Server 2000.

This article leads you through the required steps to configure the Kerberized OpenSSH on AIX Version 5.3 machines that have Microsoft Active Directory Server to act as the KDC. This article will prove handy to administrators working in a hybrid environment with multi-vendor solutions comprised of AIX Version 5.3 systems, as well as Microsoft Active Directory Server.

Prerequisites

To follow along with the scenario in this article, you will need to have the Microsoft Active Directory Domain supporting Kerberos service up and running, and you need to successfully configure an AIX IBM NAS Version 1.4 client to it.

OpenSSH and Kerberos (IBM NAS) on AIX Version 5.3

This section goes through the initial steps required to install and configure Kerberos and OpenSSH on AIX server and client machines. Both OpenSSH and Kerberos are shipped with AIX Version 5.3 Expansion Pack CDs. Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software that contains the encrypted library. OpenSSL is available in RPM packages on the AIX Toolbox for Linux® Applications CD, or you can also download the packages from the AIX Toolbox for Linux Applications (see Resources).

Once you've downloaded OpenSSL to a local directory of your AIX Version 5.3 machine (/tmp in this particular case), install it by running the following command:

# geninstall -d/tmp R:openssl-0.9.6m

You can install OpenSSH using either of the following methods:

smitty->Software Installation and Maintenance->Install and 
    Update Software->Install Software

# geninstall -I"Y" -d/dev/cd0 I:openssh.base

Install the IBM NAS Version 1.4 client and configure it to the Kerberos realm (Active Directory domain), hosted by Microsoft Active Directory Server, acting as the KDC. For details on IBM NAS client installation and its configuration to Microsoft Active Directory Server, read the AIX white paper "Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service" (see Resources).

After successful installation and configuration of the IBM NAS client, you need to configure OpenSSH to use Kerberos for authentication.

Edit the /etc/services file to have following entries:

kerberos      88/udp    kdc    # Kerberos V5 KDC
kerberos      88/tcp    kdc    # Kerberos V5 KDC
kerberos-adm  749/tcp          # Kerberos 5 admin/changepw
kerberos-adm  749/udp          # Kerberos 5 admin/changepw

Uncomment the following entries in /etc/ssh/sshd_config to enable the SSH daemon to use Kerberos as the authentication mechanism:

KerberosAuthentication yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes

Start the SSH server with the following command:

#startsrc -g ssh

Verify that the SSH server has been started properly using the following command:

#ps -ef|grep ssh

Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service

This section describes a scenario that leads you through the required steps to make the Kerberized SSH, configured on AIX Version 5.3 machines (having Microsoft Active Directory Server), act as the KDC.

It is assumed that you already have Microsoft Active Directory Domain supporting Kerberos service up and running, and that you've successfully configured the AIX IBM NAS Version 1.4 client to it. For detailed information on configuring the IBM NAS Version 1.4 client to Microsoft Active Directory Server, see the IBM NAS Version 1.4 Administration Guide (shipped with AIX Version 5.3 Expansion Pack CD) and the IBM white paper in the Resources section.

For information on installation and configuration of Microsoft Active Directory Server, see the appropriate Microsoft documentation on how to configure a Microsoft Active Directory Server.

The following definitions will be used in the following example:

Kerberos Realm Name / Domain Name            
   MSKERBEROS.IN.IBM.COM 
KDC (Windows Active Directory Server)        
   hostname: windce20.in.ibm.com, OS: Windows 2003 Server 
SSH Server (sshd)                            
   hostname: aixdce16.in.ibm.com, OS: AIX Version 5.3 
SSH Client                                   
   hostname: aixdce20.in.ibm.com, OS: AIX Version 5.3         
IBM NAS 1.4 Client                           
   hostname: aixdce16.in.ibm.com, OS: AIX Version 5.3  &
   hostname: aixdce20.in.ibm.com, OS: AIX Version 5.3

Figure 1 shows the setup of the example.

Figure 1. Example setup

You need to implement the following steps to configure Kerberized SSH on the AIX machines with IBM NAS client for AIX configured to Microsoft Active Directory Server.

On the Windows Active Directory Server, use the Active Directory Management tool to create a new user account corresponding to the AIX machine running the SSH server. In this case, it is aixdce16.in.ibm.com.
1. Open the dialog box to create a new user from the Users folder and complete the following entries:
2. Provide the Password and choose appropriate check boxes in the password panel.
3. Select Finish to complete the user creation.
Use the Ktpass command from the command line on the Windows Server 2003 machine (windce20.in.ibm.com) to create the krb5.keytab file, and set up the account for the AIX host (aixdce16.in.ibm.com), as follows:
Ktpass -princ host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM -mapuser aixdce16.in.ibm.com -pass !sandeep17! -out c:\krb5.keytab

Copy the krb5.keytab file created in Step 2 above to the AIX host system (in this example, copy/ftp it to aixdce16.in.ibm.com) to the /tmp directory. Merge the /tmp/krb5.keytab file into the /etc/krb5/krb5.keytab file on the AIX system. Make sure that the keytab file (/etc/krb5/krb5.keytab) contains the required Kerberos server principal entry with proper key version number. If it does, start the SSH server on the AIX machine (aixdce16.in.ibm.com), as shown below.

Listing 1. Setting up of keytab files on AIX

# hostname
aixdce16
# ktutil
ktutil: rkt /tmp/krb5.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q 
# kvno host/aixdce16.in.ibm.com 
kvno = 1 
# klist -k 
Keytab name:  FILE:/etc/krb5/krb5.keytab 
KVNO Principal 
---- --------- 
   1 host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM 
# startsrc -g ssh 
0513-059 The sshd Subsystem has been started. Subsystem PID is 22698.

Make sure that the key version number obtained by the kvno command matches with the one shown by the klist -k command for the host/<hostname> principal entry. If they do not match, you might be required to add a new entry for host/<hostname> principal in the keytab file matching the key version number.

On the Windows Active Directory Server, use the Active Directory Management tool to create a new user account with the name matching the user name of a user account present on the AIX machines. In this example, we created a user account with name "sandeep" that is also present on both the AIX machines. See Step 1 above for information on how to create a user account on the Windows Active Directory Server.

Testing the setup

Now you're ready to test the setup and use the Kerberized SSH.

Log on to aixdce20.in.ibm.com (SSH client) with username sandeep.
Get the valid Kerberos credentials for sandeep using the kinit command.
ssh to aixdce16.in.ibm.com running the SSH server.

Listing 2 below shows the sequence of commands executed on aixdce20.in.ibm.com, which resulted in a secure shell establishment to aixdce16.in.ibm.com using Kerberos as the authentication mechanisms with Microsoft Active Directory Server acting as the KDC.

Listing 2. Sample output showing successful ssh using Kerberos authentication

# hostname
aixdce20
# whoami
sandeep
# kinit sandeep
Password for sandeep@MSKERBEROS.IN.IBM.COM:
# klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  sandeep@MSKERBEROS.IN.IBM.COM

Valid starting     Expires            Service principal
03/27/06 17:40:28  03/28/06 03:40:34  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 03/28/06 17:40:28
# ssh aixdce16.in.ibm.com
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
$ hostname
aixdce16
$ whoami
sandeep
$ pwd
/home/sandeep
$ exit
Connection to aixdce16.in.ibm.com closed.
# hostname
aixdce20
# klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  sandeep@MSKERBEROS.IN.IBM.COM

You've got the valid credentials from KDC for principal name sandeep, so let's try to log in as principal root, as shown in Listing 3.

Listing 3. Sample output showing unsuccessful ssh for root

#ssh -v root@aixdce16.in.ibm.com
OpenSSH_3.8.1p1, OpenSSL 0.9.6m 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to aixdce16.in.ibm.com [9.182.192.116] port 22.
debug1: Connection established.
..
..
..
debug1: Next authentication method: password
root@aixdce16.in.ibm.com's password:
Connection closed by 9.182.192.116

The debug message, Connection established, indicates that even though the authentication as root was successful with the credentials for principal sandeep, authorization fails even if you specify the correct password. This is because Kerberos found that the principal sandeep@MSKERBEROS.IN.IBM.COM was not allowed to access as root. By creating a file in aixdce16.in.ibm.com:~root/.k5login and adding sandeep's principal in it, root can authorize using sandeep's principal.

Since the .k5login file overrides the default authorization rule, root also needs to place its own principal in there, or it will not be able to log in using the principal. Listing 4 below shows the contents of .k5login file in root's home directory on aixdce16.in.ibm.com.

Listing 4. Sample output showing the contents of .k5login in root's home directory

# hostname
aixdce16
# cat .k5login
sandeep@MSKERBEROS.IN.IBM.COM
root@MSKERBEROS.IN.IBM.COM

After creating this file, root should be able to log in successfully using the credentials of sandeep.

Listing 5. Sample output showing successful ssh for root using credentials of sandeep

$klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_204
Default principal:  sandeep@MSKERBEROS.IN.IBM.COM

Valid starting     Expires            Service principal
04/13/06 19:41:56  04/14/06 05:37:50 krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 04/14/06 19:41:56
$ssh root@aixdce16.in.ibm.com
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
#

Summary

This article showed how administrators can make use of Kerberized OpenSSH on AIX Version 5.3 systems using Microsoft Active Directory Server as the KDC. If your environment does not use Microsoft Active Directory Server and you wish to use Kerberized OpenSSH on AIX Version 5.3 systems, we recommend you install and configure IBM NAS Version 1.4 Server on one of your AIX systems, which will act as the KDC.

Resources

Learn

Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service: Read this white paper to learn about using Kerberos as an alternative authentication mechanism to AIX using Windows 2000/2003 server Kerberos Service.
"A Kerberos primer" (developerWorks, November 2001): Learn about Kerberos and some of its features.
"OpenSSH is now bundled with AIX" (developerWorks, February 2006): Read this article for details about the installation and configuration of OpenSSH on AIX.
OpenSSH and Kerberos Version 5 support: Read this section of the AIX documentation for a good overview.
OpenSSH: Learn all about OpenSSH.
Managing AIX Server Farms: Chapter 4 of this IBM Redbook has details about using OpenSSH with AIX.
AIX and UNIX: Want more? The developerWorks AIX and UNIX zone hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials.
developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.

Get products and technologies

AIX Toolbox for Linux Applications: Get open source packages available for installation on AIX 5L.
Download OpenSSH on AIX.
AIX 5L Expansion Pack and Web Download Pack: Start downloading now.
IBM trial software: Build your next development project with software for download directly from developerWorks.

Discuss

Participate in the AIX and UNIX forums, developerWorks blogs, and get involved in the developerWorks community.

About the authors

Comments (Undergoing maintenance)

Trademarks | My developerWorks terms and conditions

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=AIX and UNIX

ArticleID=128465

ArticleTitle=Secure communication with Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service

publish-date=06132006

author1-email=rsandeep@in.ibm.com

author1-email-cc=

author2-email=manish.katiyar@in.ibm.com

author2-email-cc=