Secure communication with Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service

Your data is safe with SSH and IBM Network Authentication Services on AIX Version 5.3

Discover how to configure Kerberized Open Secure Shell (OpenSSH) on AIX® Version 5.3 machines with Microsoft® Active Directory Server acting as the Key Distribution Center (KDC). OpenSSH encrypts all traffic, including passwords, so that nobody can eavesdrop on your session, take over your connection, or peek into your data. If you work in a hybrid environment with multi-vendor solutions that include AIX Version 5.3 systems, you'll find this article extremely useful.

Sandeep Ramesh Patil (rsandeep@in.ibm.com), Staff Software Engineer, EMC

Sandeep Ramesh Patil is an Advisory Software Engineer for the IBM India System and Technology Lab. His professional experience has been in distributed technology and security products such as IBM Network Authentication Services (IBM Kerberos). He is an IBM developerWorks Professional Author, with most of his articles on information security. He also plays an active role in IP generation. Sandeep holds a BE degree in computer science and engineering from the University of Pune, India. You can contact him at rsandeep@in.ibm.com.



Manish Katiyar, System Software Engineer, EMC

Manish Katiyar is a System Software Engineer for the IBM India Software Labs. He has worked for IBM for the past three years, focusing on SARPC, and has experience with Data Warehousing tools (Ab-Initio). Manish holds a Bachelor of Technology degree in Chemical Engineering from the Indian Institute of Technology Kharagpur, India. You can contact him at manish.katiyar@in.ibm.com.



13 June 2006


Introduction

Open Secure Shell (OpenSSH) is a freely available, open source implementation of the widely used SSH tools, which are used worldwide for communicating securely across networks. It eliminates the possibilities of someone sniffing, taking over, or peeking into your private data by encrypting all communication between two machines. OpenSSH also provides many authentication mechanisms for additional security.

Kerberos is a popular authentication mechanism that provides a secure means of authentication for network users, and it is supported by OpenSSH. It prevents transmission of clear text passwords over the network by encrypting authentication messages between clients and servers. Kerberos also provides a system for authorization in the form of administering tokens or credentials. OpenSSH software (openssh-3.8.p1) for IBM AIX® Version 5.3 is shipped with the AIX Version 5.3 Expansion Pack CDs. OpenSSH Version 3.8 and later support Kerberos 5 authentication and authorization through the IBM version of Kerberos, known as IBM Network Authentication Service (IBM NAS) Version 1.4. IBM NAS Version 1.4 for AIX can also be installed from the AIX Version 5.3 Expansion Pack CDs.

Microsoft® Active Directory Service is a key component of the Windows® platform, providing the means for various network management and authentication tasks. Kerberos is an integral part of Windows Active Directory implementation, and it is widely used by enterprises as the Key Distribution Center (KDC) for their Kerberos realm. Microsoft Active Directory Service can be configured on Windows Server 2003 and Windows Server 2000.

This article leads you through the steps required to configure Kerberized OpenSSH on AIX Version 5.3 machines with Microsoft Active Directory Server acting as the KDC. It will prove handy to administrators working in a hybrid environment with multi-vendor solutions comprising AIX Version 5.3 systems as well as Microsoft Active Directory Server.

Prerequisites

To follow along with the scenario in this article, you will need to have the Microsoft Active Directory Domain supporting Kerberos service up and running, and you need to successfully configure an AIX IBM NAS Version 1.4 client to it.

OpenSSH and Kerberos (IBM NAS) on AIX Version 5.3

This section goes through the initial steps required to install and configure Kerberos and OpenSSH on AIX server and client machines. Both OpenSSH and Kerberos are shipped with the AIX Version 5.3 Expansion Pack CDs. Before installing the OpenSSH installp format packages, you must install the Open Secure Sockets Layer (OpenSSL) software that contains the cryptographic library. OpenSSL is available in RPM packages on the AIX Toolbox for Linux® Applications CD, or you can download the packages from the AIX Toolbox for Linux Applications (see Resources).

Once you've downloaded OpenSSL to a local directory of your AIX Version 5.3 machine (/tmp in this particular case), install it by running the following command:

# geninstall -d/tmp R:openssl-0.9.6m

You can install OpenSSH using either of the following methods:

smitty->Software Installation and Maintenance->Install and 
    Update Software->Install Software

Or

# geninstall -I"Y" -d/dev/cd0 I:openssh.base

Install the IBM NAS Version 1.4 client and configure it to the Kerberos realm (Active Directory domain), hosted by Microsoft Active Directory Server, acting as the KDC. For details on IBM NAS client installation and its configuration to Microsoft Active Directory Server, read the AIX white paper "Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service" (see Resources).

After successful installation and configuration of the IBM NAS client, you need to configure OpenSSH to use Kerberos for authentication.

Edit the /etc/services file to have the following entries:

kerberos      88/udp    kdc    # Kerberos V5 KDC
kerberos      88/tcp    kdc    # Kerberos V5 KDC
kerberos-adm  749/tcp          # Kerberos 5 admin/changepw
kerberos-adm  749/udp          # Kerberos 5 admin/changepw

Uncomment the following entries in /etc/ssh/sshd_config to enable the SSH daemon to use Kerberos as the authentication mechanism:

KerberosAuthentication yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes

Start the SSH server with the following command:

# startsrc -g ssh

Verify that the SSH server has been started properly using the following command:

# ps -ef | grep ssh
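Before starting the daemon it is worth checking that the three directives are really in effect, since an option that is still commented out silently leaves Kerberos authentication off. The following shell snippet is an added example and not part of the article: it reads an sshd_config file using the same rule sshd itself applies (the first uncommented occurrence of a keyword wins, and keywords are case-insensitive) and reports which of the three options is unset or still commented out. The two sample configuration files it writes under a temporary directory are constructed for the demonstration; on a real server you would point sshd_kerberos_ready at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the article: check that sshd_config actually enables the
# Kerberos options before running startsrc. Mirrors sshd's rule that the FIRST
# uncommented occurrence of a keyword is the effective value (keywords are
# case-insensitive).

# sshd_option FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_option() {
    awk -v key="$2" '
        # a leading "#" means the option is still commented out; blank lines carry nothing
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_kerberos_ready FILE -> 0 if all three options are "yes", 1 otherwise
# (the options that are not enabled are listed on stderr)
sshd_kerberos_ready() {
    rc=0
    for key in KerberosAuthentication KerberosTicketCleanup GSSAPIAuthentication; do
        val=$(sshd_option "$1" "$key")
        if [ "$val" != "yes" ]; then
            echo "$key is not enabled (effective value: '${val:-unset}')" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: the shipped defaults (all commented out) and the
# edited configuration the article asks for.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sshd_config.before" <<'EOF'
#KerberosAuthentication no
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
EOF
cat > "$DEMO_DIR/sshd_config.after" <<'EOF'
KerberosAuthentication yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
EOF

# On a real server: sshd_kerberos_ready /etc/ssh/sshd_config && startsrc -g ssh
sshd_kerberos_ready "$DEMO_DIR/sshd_config.after" && echo "Kerberos options enabled"
```

Because the check stops at the first uncommented match, it also catches the common mistake of adding `GSSAPIAuthentication yes` at the bottom of the file while an earlier `GSSAPIAuthentication no` line is still active.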

Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service

This section describes a scenario that leads you through the steps required to configure Kerberized SSH on AIX Version 5.3 machines, with Microsoft Active Directory Server acting as the KDC.

It is assumed that you already have Microsoft Active Directory Domain supporting Kerberos service up and running, and that you've successfully configured the AIX IBM NAS Version 1.4 client to it. For detailed information on configuring the IBM NAS Version 1.4 client to Microsoft Active Directory Server, see the IBM NAS Version 1.4 Administration Guide (shipped with AIX Version 5.3 Expansion Pack CD) and the IBM white paper in the Resources section.

For information on installation and configuration of Microsoft Active Directory Server, see the appropriate Microsoft documentation on how to configure a Microsoft Active Directory Server.

The following definitions are used in the example:

Kerberos Realm Name / Domain Name
   MSKERBEROS.IN.IBM.COM
KDC (Windows Active Directory Server)
   hostname: windce20.in.ibm.com, OS: Windows Server 2003
SSH Server (sshd)
   hostname: aixdce16.in.ibm.com, OS: AIX Version 5.3
SSH Client
   hostname: aixdce20.in.ibm.com, OS: AIX Version 5.3
IBM NAS 1.4 Client
   hostname: aixdce16.in.ibm.com, OS: AIX Version 5.3 and
   hostname: aixdce20.in.ibm.com, OS: AIX Version 5.3

Figure 1 shows the setup of the example.

Figure 1. Example setup

Complete the following steps to configure Kerberized SSH on the AIX machines, whose IBM NAS client for AIX is already configured to the Microsoft Active Directory Server.

  1. On the Windows Active Directory Server, use the Active Directory Management tool to create a new user account corresponding to the AIX machine running the SSH server. In this case, it is aixdce16.in.ibm.com.
    1. Open the dialog box to create a new user from the Users folder and complete the following entries:
      • First Name = aixdce16.in.ibm.com
      • Full Name = aixdce16.in.ibm.com
      • User logon Name = aixdce16.in.ibm.com
      • User logon Name (pre-Windows 2000) = aixdce16.in.ibm.com
    2. Provide the Password and choose appropriate check boxes in the password panel.
    3. Select Finish to complete the user creation.
  2. Use the Ktpass command from the command line on the Windows Server 2003 machine (windce20.in.ibm.com) to create the krb5.keytab file, and set up the account for the AIX host (aixdce16.in.ibm.com), as follows:
    Ktpass -princ host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM -mapuser 
       aixdce16.in.ibm.com -pass !sandeep17! -out c:\krb5.keytab
  3. Copy the krb5.keytab file created in Step 2 above to the /tmp directory of the AIX host system (in this example, copy/ftp it to aixdce16.in.ibm.com). Merge the /tmp/krb5.keytab file into the /etc/krb5/krb5.keytab file on the AIX system. Make sure that the keytab file (/etc/krb5/krb5.keytab) contains the required Kerberos server principal entry with the proper key version number. If it does, start the SSH server on the AIX machine (aixdce16.in.ibm.com), as shown below.

    Listing 1. Setting up of keytab files on AIX

    # hostname
    aixdce16
    # ktutil
    ktutil: rkt /tmp/krb5.keytab
    ktutil: wkt /etc/krb5/krb5.keytab
    ktutil: q 
    # kvno host/aixdce16.in.ibm.com 
    kvno = 1 
    # klist -k 
    Keytab name:  FILE:/etc/krb5/krb5.keytab 
    KVNO Principal 
    ---- --------- 
       1 host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM 
    # startsrc -g ssh 
    0513-059 The sshd Subsystem has been started. Subsystem PID is 22698.

    Make sure that the key version number obtained by the kvno command matches the one shown by the klist -k command for the host/<hostname> principal entry. If they do not match, you might need to add a new entry for the host/<hostname> principal to the keytab file with the matching key version number.
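    The comparison in this step is easy to get wrong by eye when a keytab has been merged several times, so here is a small shell helper that does it. It is an added example and not code from the article or from IBM NAS: it parses the output of kvno and klist -k in the shapes shown in Listing 1 (it also accepts the "principal: kvno = N" form that some kvno builds print), reports when the host principal is missing from the keytab altogether, and returns non-zero on a version mismatch. The sample outputs embedded below are constructed copies of Listing 1; on the real server you would feed it the live command output, as the comment at the end shows.

```shell
#!/bin/sh
# Added example, not from the article: verify that the key version number (KVNO)
# the KDC holds for the host principal matches the entry in /etc/krb5/krb5.keytab,
# which is the check Step 3 asks for. Assumes the output formats shown in Listing 1.

# kvno_from_kdc TEXT -> the N from a "kvno = N" line (output of `kvno host/<hostname>`)
kvno_from_kdc() {
    printf '%s\n' "$1" | awk -F'= *' '/kvno *=/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# kvno_from_keytab TEXT PRINCIPAL -> the KVNO column for PRINCIPAL in `klist -k` output
kvno_from_keytab() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}

# keytab_matches KVNO_OUTPUT KLIST_OUTPUT PRINCIPAL -> 0 when the versions agree,
# 1 when they differ or the principal is not in the keytab at all
keytab_matches() {
    kdc=$(kvno_from_kdc "$1")
    kt=$(kvno_from_keytab "$2" "$3")
    if [ -z "$kt" ]; then
        echo "$3 is not in the keytab; add the entry before starting sshd" >&2
        return 1
    fi
    if [ -n "$kdc" ] && [ "$kdc" = "$kt" ]; then
        return 0
    fi
    echo "KVNO mismatch for $3: KDC reports '${kdc:-unknown}', keytab has '$kt'" >&2
    return 1
}

# Constructed sample output, copied from the shapes in Listing 1
SAMPLE_KVNO='kvno = 1'
SAMPLE_KLIST='Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM'
HOST_PRINC='host/aixdce16.in.ibm.com@MSKERBEROS.IN.IBM.COM'

# On the real server (aixdce16) the same check reads the live output:
#   keytab_matches "$(kvno host/aixdce16.in.ibm.com)" "$(klist -k)" "$HOST_PRINC"
keytab_matches "$SAMPLE_KVNO" "$SAMPLE_KLIST" "$HOST_PRINC" && echo "keytab is current"
```

    A mismatch usually means the account password was reset (or Ktpass was run again) on the Windows side after the keytab was copied, which bumps the KVNO on the KDC; regenerate and re-merge the keytab rather than editing the version number by hand.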

  4. On the Windows Active Directory Server, use the Active Directory Management tool to create a new user account with the name matching the user name of a user account present on the AIX machines. In this example, we created a user account with name "sandeep" that is also present on both the AIX machines. See Step 1 above for information on how to create a user account on the Windows Active Directory Server.

Testing the setup

Now you're ready to test the setup and use the Kerberized SSH.

  1. Log on to aixdce20.in.ibm.com (SSH client) with username sandeep.
  2. Get the valid Kerberos credentials for sandeep using the kinit command.
  3. ssh to aixdce16.in.ibm.com running the SSH server.

Listing 2 below shows the sequence of commands executed on aixdce20.in.ibm.com, which resulted in a secure shell session to aixdce16.in.ibm.com using Kerberos as the authentication mechanism, with Microsoft Active Directory Server acting as the KDC.

Listing 2. Sample output showing successful ssh using Kerberos authentication
# hostname
aixdce20
# whoami
sandeep
# kinit sandeep
Password for sandeep@MSKERBEROS.IN.IBM.COM:
# klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  sandeep@MSKERBEROS.IN.IBM.COM

Valid starting     Expires            Service principal
03/27/06 17:40:28  03/28/06 03:40:34  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 03/28/06 17:40:28
# ssh aixdce16.in.ibm.com
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
$ hostname
aixdce16
$ whoami
sandeep
$ pwd
/home/sandeep
$ exit
Connection to aixdce16.in.ibm.com closed.
# hostname
aixdce20
# klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  sandeep@MSKERBEROS.IN.IBM.COM

You now have valid credentials from the KDC for the principal sandeep, so let's try to log in as root with them, as shown in Listing 3.

Listing 3. Sample output showing unsuccessful ssh for root
# ssh -v root@aixdce16.in.ibm.com
OpenSSH_3.8.1p1, OpenSSL 0.9.6m 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to aixdce16.in.ibm.com [9.182.192.116] port 22.
debug1: Connection established.
..
..
..
debug1: Next authentication method: password
root@aixdce16.in.ibm.com's password:
Connection closed by 9.182.192.116

The verbose output shows that the connection was established and that authentication with the credentials of principal sandeep succeeded, yet the login as root is refused: sshd falls back to password authentication, and the connection is closed even when you supply the correct password. This is because Kerberos found that the principal sandeep@MSKERBEROS.IN.IBM.COM was not authorized to access the root account. By creating the file ~root/.k5login on aixdce16.in.ibm.com and adding sandeep's principal to it, you authorize sandeep's principal to log in as root.

Since the .k5login file overrides the default authorization rule, root also needs to list its own principal there; otherwise root will no longer be able to log in using its own principal. Listing 4 below shows the contents of the .k5login file in root's home directory on aixdce16.in.ibm.com.

Listing 4. Sample output showing the contents of .k5login in root's home directory
# hostname
aixdce16
# cat .k5login
sandeep@MSKERBEROS.IN.IBM.COM
root@MSKERBEROS.IN.IBM.COM
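The authorization rule behind Listings 3, 4 and 5 is small enough to write down. The shell function below is an added example, not the article's code and not the IBM NAS implementation: it applies the default rule (with no .k5login, the principal must be <local user>@<default realm>) and the override rule (with a .k5login present, only the principals listed in it, matched as whole lines, are accepted). The .k5login files it writes under a temporary directory are constructed: one is a copy of Listing 4, the other is the incomplete file the text warns about, where root listed sandeep but forgot its own principal. The realm name is the article's.

```shell
#!/bin/sh
# Added example, not from the article: the .k5login authorization rule that explains
# Listings 3 to 5. Default rule (no .k5login): the principal must be
# <localuser>@<default realm>. If ~/.k5login exists it REPLACES the default rule:
# only principals listed in it are accepted, so an account that wants to keep
# using its own principal must list that principal too.

# k5_authorized LOCALUSER PRINCIPAL K5LOGIN_PATH DEFAULT_REALM -> 0 if allowed, 1 if not
k5_authorized() {
    user=$1 princ=$2 k5login=$3 realm=$4
    if [ -f "$k5login" ]; then
        # .k5login present: exact, whole-line match of the full principal name
        grep -qxF "$princ" "$k5login"
        return $?
    fi
    # no .k5login: fall back to the default rule
    [ "$princ" = "$user@$realm" ]
}

REALM=MSKERBEROS.IN.IBM.COM
DEMO_DIR=$(mktemp -d)

# Constructed copy of Listing 4: root's .k5login listing both principals
ROOT_K5LOGIN="$DEMO_DIR/k5login.root"
printf '%s\n' "sandeep@$REALM" "root@$REALM" > "$ROOT_K5LOGIN"

# Constructed: the mistake the text warns about (sandeep listed, root's own principal missing)
INCOMPLETE_K5LOGIN="$DEMO_DIR/k5login.incomplete"
printf '%s\n' "sandeep@$REALM" > "$INCOMPLETE_K5LOGIN"

# A path that does not exist stands in for a home directory without .k5login
NO_K5LOGIN="$DEMO_DIR/k5login.absent"

# Walk through the article's three situations
k5_authorized sandeep "sandeep@$REALM" "$NO_K5LOGIN" "$REALM" && echo "Listing 2: sandeep -> sandeep allowed"
k5_authorized root "sandeep@$REALM" "$NO_K5LOGIN" "$REALM" || echo "Listing 3: sandeep -> root refused"
k5_authorized root "sandeep@$REALM" "$ROOT_K5LOGIN" "$REALM" && echo "Listing 5: sandeep -> root allowed"
```

Real Kerberos libraries add a safety check this sketch leaves out: MIT Kerberos, for instance, ignores a .k5login that is not owned by the account itself or by root, so a file copied into place with the wrong owner behaves as if it were absent. Treat any .k5login on a root account as part of the host's privileged configuration and review it with the same care as sudoers.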

After creating this file, root should be able to log in successfully using the credentials of sandeep.

Listing 5. Sample output showing successful ssh for root using credentials of sandeep
$ klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_204
Default principal:  sandeep@MSKERBEROS.IN.IBM.COM

Valid starting     Expires            Service principal
04/13/06 19:41:56  04/14/06 05:37:50 krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 04/14/06 19:41:56
$ ssh root@aixdce16.in.ibm.com
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
#

Summary

This article showed how administrators can make use of Kerberized OpenSSH on AIX Version 5.3 systems using Microsoft Active Directory Server as the KDC. If your environment does not use Microsoft Active Directory Server and you wish to use Kerberized OpenSSH on AIX Version 5.3 systems, we recommend you install and configure IBM NAS Version 1.4 Server on one of your AIX systems, which will act as the KDC.

Resources

