JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

Secure Shell (Overview)

Secure Shell Authentication

Secure Shell in the Enterprise

Secure Shell and the OpenSSH Project

Secure Shell and FIPS-140

Configuring Secure Shell (Tasks)

Configuring Secure Shell (Task Map)

How to Set Up Host-Based Authentication for Secure Shell

How to Configure Port Forwarding in Secure Shell

How to Create User and Host Exceptions to Secure Shell Defaults

How to Create an Isolated Directory for sftp Files

Using Secure Shell (Tasks)

Using Secure Shell (Task Map)

How to Generate a Public/Private Key Pair for Use With Secure Shell

How to Change the Passphrase for a Secure Shell Private Key

How to Log In to a Remote Host With Secure Shell

How to Reduce Password Prompts in Secure Shell

How to Remotely Administer ZFS With Secure Shell

How to Use Port Forwarding in Secure Shell

How to Copy Files With Secure Shell

How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Secure Shell (Overview)

Secure Shell in Oracle Solaris is built on top of the Open Source toolkit, OpenSSL, which implements the Secure Sockets Layer and Transport Layer Security.

Two distinct versions of the toolkit are available in Oracle Solaris.

In Secure Shell, authentication is provided by the use of passwords, public keys, or both. All network traffic is encrypted. Thus, Secure Shell prevents a would-be intruder from being able to read an intercepted communication. Secure Shell also prevents an adversary from spoofing the system.

Secure Shell can also be used as an on-demand virtual private network (VPN). A VPN can forward X Window system traffic or can connect individual port numbers between the local machines and remote machines over an encrypted network link.

With Secure Shell, you can perform these actions:

On the server side, Secure Shell supports Version 2 (v2) of the Secure Shell protocol. On the client side, in addition to v2, the client supports Version 1 (v1). For information about v1, see System Administration Guide: Security Services.

Secure Shell Authentication

Secure Shell provides public key and password methods for authenticating the connection to the remote host. Public key authentication is a stronger authentication mechanism than password authentication, because the private key never travels over the network.

The authentication methods are tried in the following order. When the configuration does not satisfy an authentication method, the next method is tried.

The following table shows the requirements for authenticating a user who is trying to log into a remote host. The user is on the local host, the client. The remote host, the server, is running the sshd daemon. The table shows the Secure Shell authentication methods, the compatible protocol versions, and the host requirements.

Table 15-1 Authentication Methods for Secure Shell

Authentication Method
Local Host (Client) Requirements
Remote Host (Server) Requirements
GSS-API
Initiator credentials for the GSS mechanism.
Acceptor credentials for the GSS mechanism. For more information, see Acquiring GSS Credentials in Secure Shell.
Host-based
User account

Local host private key in /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_key

HostbasedAuthentication yes in /etc/ssh/ssh_config

User account

Local host public key in /etc/ssh/known_hosts or ~/.ssh/known_hosts

HostbasedAuthentication yes in /etc/ssh/sshd_config

IgnoreRhosts no in /etc/ssh/sshd_config

Local host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.rhosts, or ~/.shosts

RSA or DSA public key
User account

Private key in ~/.ssh/id_rsa or ~/.ssh/id_dsa

User's public key in ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub

User account

User's public key in ~/.ssh/authorized_keys

Password-based
User account
User account

Supports PAM.

.rhosts with RSA (v1) on server only
User account

Local host public key in /etc/ssh/ssh_host_rsa1_key

User account

Local host public key in /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts

IgnoreRhosts no in /etc/ssh/sshd_config

Local host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.shosts, or ~/.rhosts

Secure Shell in the Enterprise

For a comprehensive discussion of Secure Shell on an Oracle Solaris system, see Secure Shell in the Enterprise, by Jason Reid, ISBN 0-13-142900-0, June 2003. The book is part of the Sun BluePrints Series published by Sun Microsystems Press.