Steps for setting up user authentication with GSS-API (Kerberos)

About this task

Perform the following steps to set up user authentication with GSS-API (Kerberos). Steps 1 and 2 apply to any OpenSSH server or client; steps 3 and 4 are the RACF definitions needed on z/OS; step 5 obtains the credentials the client presents instead of a password.

Procedure


  1. On each SSH server, edit the /etc/ssh/sshd_config file and set GSSAPIAuthentication yes. It is a good idea to also set GSSAPIKeyExchange yes, so that the server authenticates itself through the GSS-API key exchange (that is, with its Kerberos credentials rather than its host key) when the client supports it. OpenSSH uses the first value it reads for each keyword, so change an existing GSSAPIAuthentication no line rather than appending a new line below it, and restart or signal sshd after editing the file so that the change takes effect.

  2. On each SSH client machine, edit the /etc/ssh/ssh_config file and set GSSAPIAuthentication yes. It is a good idea to also set GSSAPIKeyExchange yes, so that server authentication is done with the GSS-API key exchange when the server supports it. These options may alternatively be set in an individual user's ~/.ssh/config file, or passed with the -o option on the ssh, sftp, or scp command line. As on the server, the first value read for a keyword wins, so a setting in ~/.ssh/config or on the command line takes precedence over /etc/ssh/ssh_config, and a value placed after an earlier conflicting one is ignored.

  3. For z/OS machines that run a KDC (z/OS Network Authentication Service), define a local Kerberos principal for each z/OS user ID that runs the SSH client, as described in z/OS Integrated Security Services Network Authentication Service Administration. The following RACF command assigns the local principal name userid to the z/OS user ID userid. The password is changed in the same command because RACF derives the user's Kerberos key from the password: a KERB segment without a subsequent password change leaves the user with no key, and Kerberos authentication for that user fails. NOEXPIRED keeps the new password from being marked expired. For example:
    ALTUSER userid PASSWORD(password) NOEXPIRED KERB(KERBNAME('userid'))

  4. For z/OS SSH servers whose users authenticate against a KDC that is not on z/OS, map each foreign principal to a local z/OS user ID with a profile in the RACF KERBLINK class. The profile name is the fully qualified foreign principal in the form /.../realm/principal, and APPLDATA names the local z/OS user ID the principal logs in as. The KERBLINK class must be active for the mapping to take effect. For example:
    RDEFINE KERBLINK /.../foreign.realm/userid APPLDATA('userid')

  5. On the SSH client, use the kinit command to obtain a ticket-granting ticket from the KDC. On z/OS client machines that run a KDC, the kinit -s command obtains a ticket for the current z/OS user ID without prompting for a password, because the user is already authenticated to z/OS. On z/OS client machines that do not run a KDC, specify the principal name on the kinit command and respond to the prompt for a password. The klist command shows the tickets held in the credentials cache; once a ticket-granting ticket is present, ssh to the server authenticates with it and no password prompt appears.
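
The following script is an added example, not part of the z/OS OpenSSH documentation or the product itself. It builds constructed sshd_config and ssh_config fragments containing the options from steps 1 and 2, resolves each option the way OpenSSH does (comments skipped, keyword case-insensitive, first occurrence wins), reports whether GSS-API user authentication and key exchange are effectively enabled, and fixes a copy of a file in which an earlier GSSAPIAuthentication no line silently overrides a later yes. The file names under the temporary directory, the host pattern *.example.com, and the function names effective_value, gssapi_ready and enable_gssapi are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the z/OS OpenSSH documentation): checks and fixes the
# effective GSS-API settings in sshd_config / ssh_config files from steps 1 and 2.
# OpenSSH uses the FIRST value it reads for each keyword, so a "yes" appended below
# an existing "no" changes nothing; this script resolves options the same way.
set -eu

WORK=$(mktemp -d)           # constructed scratch files, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Constructed server fragment (step 1). The "no" line stands in for a packaged
# default that was left in place; it silently wins over the "yes" added below it.
cat > "$WORK/sshd_config" <<'EOF'
# GSS-API (Kerberos) user authentication (constructed sample)
GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
EOF

# Constructed client fragment (step 2), as it would appear in /etc/ssh/ssh_config
# or a user's ~/.ssh/config.
cat > "$WORK/ssh_config" <<'EOF'
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
EOF

# effective_value FILE KEYWORD
# Prints the value OpenSSH would use for KEYWORD in FILE: comments and blank lines
# are skipped, the keyword match is case-insensitive, and the first occurrence wins.
# Only the "Keyword value" form is parsed; Host/Match scoping is not modelled.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/     { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# gssapi_ready FILE: succeeds only when both options resolve to "yes".
gssapi_ready() {
    [ "$(effective_value "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(effective_value "$1" GSSAPIKeyExchange)" = yes ]
}

# enable_gssapi FILE: removes every existing GSSAPIAuthentication/GSSAPIKeyExchange
# line (including ones inside Match or Host blocks) and puts "yes" lines at the top,
# where the first-match rule guarantees they take effect for the whole file.
enable_gssapi() {
    tmp="$1.tmp.$$"
    {
        printf 'GSSAPIAuthentication yes\nGSSAPIKeyExchange yes\n'
        awk 'tolower($1) != "gssapiauthentication" &&
             tolower($1) != "gssapikeyexchange"' "$1"
    } > "$tmp" && mv "$tmp" "$1"
}

# Demonstration: the client fragment is ready, the server fragment is not.
for f in ssh_config sshd_config; do
    if gssapi_ready "$WORK/$f"; then
        echo "$f: GSS-API user authentication and key exchange enabled"
    else
        echo "$f: NOT ready (GSSAPIAuthentication resolves to" \
             "'$(effective_value "$WORK/$f" GSSAPIAuthentication)')"
    fi
done

# Fix a copy of the server fragment and re-check it. On a real system, restart or
# SIGHUP sshd after editing /etc/ssh/sshd_config for the change to take effect.
cp "$WORK/sshd_config" "$WORK/sshd_config.fixed"
enable_gssapi "$WORK/sshd_config.fixed"
if gssapi_ready "$WORK/sshd_config.fixed"; then
    echo "sshd_config.fixed: ready"
fi
```

To check a live system, point effective_value and gssapi_ready at the real /etc/ssh/sshd_config or /etc/ssh/ssh_config (or ~/.ssh/config) instead of the constructed files. enable_gssapi is deliberately blunt: because it strips the two keywords everywhere and puts them at the top, any Match block that intentionally disabled GSS-API for a subset of users must be re-added by hand afterwards. After the server file is fixed and sshd restarted, the kinit and ssh commands from step 5 are the end-to-end test.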

Results

When you are done, user authentication with GSS-API (Kerberos) is set up: a client holding a valid ticket-granting ticket for a principal that maps to a z/OS user ID can log in to the server without being prompted for a password, and, where both sides enable GSSAPIKeyExchange, the server is authenticated by the Kerberos exchange as well.