About this task
Perform the following steps to set up user authentication with GSS-API.
Procedure
1. For SSH servers, modify the /etc/ssh/sshd_config file to enable the GSS-API option GSSAPIAuthentication. It is a good idea to also enable the option GSSAPIKeyExchange, so that server authentication can be done with GSS-API key exchange if supported by the client.
2. For SSH client machines, modify the /etc/ssh/ssh_config file to enable the GSS-API option GSSAPIAuthentication. It is a good idea to also enable the option GSSAPIKeyExchange, so that server authentication can be done with GSS-API key exchange if supported by the server. These options may alternatively be enabled in an individual user's ~/.ssh/ssh_config file or by using command line options on the ssh, sftp, or scp commands.
3. For z/OS SSH servers where the KDC is not on z/OS, the following command allows you to map a foreign principal to a local z/OS userid:
   RDEFINE KERBLINK /.../foreign.realm/userid APPLDATA('userid')
4. On the SSH client, use the kinit command to obtain a ticket granting ticket from the KDC. For z/OS client machines running a KDC, the kinit -s command will obtain a ticket for the current z/OS userid without prompting for a password. For z/OS client machines that do not run a KDC, specify the principal name on the kinit command and respond to the prompt for a password.
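One way to confirm that the server-side edit in step 1 is the setting sshd will actually use, as an added example that is not part of the IBM documentation: sshd keeps the first value it reads for a keyword, so a later duplicate line or a line inside a Match block does not change the global setting. The function names and the sample file are constructed for illustration; point check_gssapi at /etc/ssh/sshd_config to check a real server.

```shell
#!/bin/sh
# Added example, not IBM code: report the value sshd would use for a keyword
# from the global part of an sshd_config-style file.

# effective_value FILE KEYWORD
# Prints the first value given for KEYWORD before any Match block (sshd keeps
# the first value it reads for a keyword), lowercased, or "unset".
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); result = "unset" }
        /^[ \t]*#/ { next }                      # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value"
        NF == 0 { next }                         # blank line
        tolower($1) == "match" { exit }          # conditional section starts
        tolower($1) == want && NF >= 2 {
            result = tolower($2); gsub(/"/, "", result); exit
        }
        END { print result }
    ' "$1"
}

# check_gssapi FILE
# Succeeds only when GSS-API user authentication is enabled globally, and
# notes when the key exchange option recommended in the procedure is not.
check_gssapi() {
    auth=$(effective_value "$1" GSSAPIAuthentication)
    kex=$(effective_value "$1" GSSAPIKeyExchange)
    echo "GSSAPIAuthentication=$auth GSSAPIKeyExchange=$kex"
    [ "$kex" = yes ] || echo "note: GSS-API key exchange is not enabled" >&2
    [ "$auth" = yes ]
}

# Constructed sample file (hypothetical content) for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# GSSAPIAuthentication no
gssapiauthentication yes
GSSAPIAuthentication no
GSSAPIKeyExchange = yes
Match User guest
    GSSAPIAuthentication no
EOF
check_gssapi "$sample" && echo "user authentication with GSS-API is enabled"
```

A keyword reported as "unset" is left at the server's default, so the option still has to be added to the file.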
Results
When you are done, you have set up user authentication with GSS-API.