Steps for setting up user authentication with GSS-API (Kerberos)
About this task
Perform the following steps to set up user authentication with GSS-API.
1. For SSH servers, modify the /etc/ssh/sshd_config file to enable the GSS-API option GSSAPIAuthentication. It is a good idea to also enable the option GSSAPIKeyExchange, so that server authentication can be done with GSS-API key exchange if the client supports it.
2. For SSH client machines, modify the /etc/ssh/ssh_config file to enable the GSS-API option GSSAPIAuthentication. It is a good idea to also enable the option GSSAPIKeyExchange, so that server authentication can be done with GSS-API key exchange if the server supports it. These options may alternatively be enabled in an individual user's ~/.ssh/ssh_config file or by using command line options on the ssh, sftp, or scp commands.
3. For z/OS machines that run a KDC, refer to z/OS Cryptographic Services ICSF Administrator's Guide to define user local principals for the z/OS userids that run the SSH client. For example:
       ALTUSER userid PASSWORD(password) NOEXPIRED KERB(KERBNAME('userid'))
4. For z/OS SSH servers where the KDC is not on z/OS, the following command maps a foreign principal to a local z/OS userid:
       RDEFINE KERBLINK /.../foreign.realm/userid APPLDATA('userid')
5. On the SSH client, use the kinit command to obtain a ticket granting ticket from the KDC. For z/OS client machines that run a KDC, the kinit -s command obtains a ticket for the current z/OS userid without prompting for a password. For z/OS client machines that do not run a KDC, specify the principal name on the kinit command and respond to the prompt for a password.
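The sshd_config and ssh_config edits above are easy to get subtly wrong (a keyword left commented out, a duplicate keyword earlier in the file that silently wins), and a client that then falls back to password authentication looks like it "works". The following POSIX shell script is an added example, not part of the z/OS OpenSSH documentation: it reads an OpenSSH configuration file, reports the effective value of GSSAPIAuthentication and GSSAPIKeyExchange, and fails unless both are enabled. It assumes plain "Keyword value" syntax and that the first non-comment occurrence of a keyword wins, which is how ssh and sshd resolve duplicates outside Match blocks; Match blocks and the "Keyword=value" form are not handled. The sample fragments it checks are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the z/OS OpenSSH documentation): verify that the
# GSS-API options described in the procedure are actually enabled in an
# OpenSSH configuration file before relying on Kerberos authentication.
#
# Assumptions: standard OpenSSH "Keyword value" syntax; the first non-comment
# occurrence of a keyword is the effective one (Match blocks and the
# "Keyword=value" form are deliberately not handled here).

# effective_option FILE KEYWORD
# Prints the first effective value of KEYWORD (lower-cased), or "unset".
effective_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }               # skip comment lines
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# gss_enabled FILE
# Succeeds (exit 0) only when both options resolve to "yes".
gss_enabled() {
    [ "$(effective_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(effective_option "$1" GSSAPIKeyExchange)" = yes ]
}

# gss_report FILE
# Prints a one-line summary, suitable for a configuration audit log.
gss_report() {
    printf '%s: GSSAPIAuthentication=%s GSSAPIKeyExchange=%s\n' "$1" \
        "$(effective_option "$1" GSSAPIAuthentication)" \
        "$(effective_option "$1" GSSAPIKeyExchange)"
}

# Constructed sample fragments (not real system files).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# server side: both options on, as the procedure recommends
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
EOF
cat > "$demo/ssh_config" <<'EOF'
# client side: key exchange still commented out, so it stays at the default
Host *
    GSSAPIAuthentication yes
    # GSSAPIKeyExchange yes
EOF

gss_report "$demo/sshd_config"   # ... GSSAPIAuthentication=yes GSSAPIKeyExchange=yes
gss_report "$demo/ssh_config"    # ... GSSAPIAuthentication=yes GSSAPIKeyExchange=unset
if gss_enabled "$demo/ssh_config"; then
    echo "client fragment fully enabled"
else
    echo "client fragment is NOT fully enabled for GSS-API"   # this branch runs
fi
rm -rf "$demo"
```

Run it against the real /etc/ssh/sshd_config and /etc/ssh/ssh_config after editing them; a report of "unset" or "no" for either keyword means the corresponding step has not taken effect. On OpenSSH builds that support them, the same values can be cross-checked against the daemon's and client's own view of the effective configuration (sshd -T and ssh -G hostname), which also resolves Match blocks that this script ignores.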
When you are done, you have performed setup for user authentication with GSS-API.