System Administration Guide: Security Services (Oracle Solaris 10 8/11 Information Library)
By default, host-based authentication and the use of both protocols are not enabled in Secure Shell. Changing these defaults requires administrative intervention, as does enabling port forwarding.
The following procedure sets up a public key system where the client's public key is used for authentication on the server. The user must also create a public/private key pair.
In the procedure, the terms client and local host refer to the machine where a user types the ssh command. The terms server and remote host refer to the machine that the client is trying to reach.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
In the client configuration file, /etc/ssh/ssh_config, type the following entry:
HostbasedAuthentication yes
For the syntax of the file, see the ssh_config(4) man page.
In the server configuration file, /etc/ssh/sshd_config, type the same entry:
HostbasedAuthentication yes
For the syntax of the file, see the sshd_config(4) man page.
For more information, see the FILES section of the sshd(1M) man page.
On the server, the client's host name is listed as a trusted host, for example in the /etc/ssh/shosts.equiv file:
## /etc/ssh/shosts.equiv on the server
client-host
Set IgnoreRhosts to no in the /etc/ssh/sshd_config file.
## sshd_config
IgnoreRhosts no
## sshd_config
IgnoreUserKnownHosts no
For user instructions, see How to Generate a Public/Private Key Pair for Use With Secure Shell.
The host keys are stored in the /etc/ssh directory. The keys are typically generated by the sshd daemon on first boot.
On the client, type the command on one line with no backslash.
# cat /etc/ssh/ssh_host_dsa_key.pub | ssh RemoteHost \
'cat >> /etc/ssh/ssh_known_hosts && echo "Host key copied"'
When the file is copied, the message “Host key copied” is displayed.
Each line in the /etc/ssh/ssh_known_hosts file consists of fields that are separated by spaces:
hostnames algorithm-name publickey comment
## /etc/ssh/ssh_known_hosts File
RemoteHost <copied entry>
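As an added example that is not part of the guide, the following shell function builds an ssh_known_hosts line in the field layout above from a v2 host public key file (such as the ssh_host_dsa_key.pub copied by the command), prepending the host name the key belongs to so the appended entry does not need a second manual edit. The key material is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example: build one /etc/ssh/ssh_known_hosts line from a host public
# key file, prepending the host name as the field layout requires:
#   hostnames algorithm-name publickey comment
# The key material used below is a constructed placeholder, not a real key.

# mk_known_hosts_entry HOSTNAMES PUBKEY_FILE
# Reads "algorithm-name publickey [comment]" from PUBKEY_FILE and prints
# "HOSTNAMES algorithm-name publickey [comment]". Fails if the file does not
# look like a v2 public key (fewer than two fields, or an algorithm name that
# is not ssh-*), so an empty file or a private key is never appended.
mk_known_hosts_entry() {
    hosts=$1
    keyfile=$2
    # Read only the first line; a .pub file holds exactly one key.
    IFS= read -r line < "$keyfile" || return 1
    set -- $line
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-*) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$hosts" "$line"
}

# count_fields LINE: number of space-separated fields, used to confirm that a
# raw copied key (2-3 fields) has become a known_hosts entry (3-4 fields).
count_fields() {
    set -- $1
    echo $#
}

# Constructed sample standing in for a client's /etc/ssh/ssh_host_dsa_key.pub.
SAMPLE_PUB=$(mktemp)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYNOTREAL root@client-host\n' > "$SAMPLE_PUB"

# Usage: the entry that would be appended on the server for client-host.
mk_known_hosts_entry client-host "$SAMPLE_PUB"
rm -f "$SAMPLE_PUB"
```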
Example 19-1 Setting Up Host-based Authentication
In the following example, each host is configured as both a server and a client, so a user on either host can initiate an ssh connection to the other host:
On each host, the Secure Shell configuration files contain the following entries:
## /etc/ssh/ssh_config
HostBasedAuthentication yes
#
## /etc/ssh/sshd_config
HostBasedAuthentication yes
IgnoreRhosts no
On each host, the shosts.equiv file contains an entry for the other host:
## /etc/ssh/shosts.equiv on machine2
machine1
## /etc/ssh/shosts.equiv on machine1
machine2
The public key for each host is in the /etc/ssh/ssh_known_hosts file on the other host:
## /etc/ssh/ssh_known_hosts on machine2
… machine1
## /etc/ssh/ssh_known_hosts on machine1
… machine2
Users have an account on both hosts:
## /etc/passwd on machine1
jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh
## /etc/passwd on machine2
jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh
This procedure is useful when a host interoperates with hosts that run v1 and v2.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Edit the /etc/ssh/sshd_config file.
# Protocol 2
Protocol 2,1
Add a HostKey entry to the /etc/ssh/sshd_config file.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa1_key
# ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_rsa1_key -N ''
-t rsa1
Indicates the RSA algorithm for v1.
-f /etc/ssh/ssh_host_rsa1_key
Indicates the file that holds the host key.
-N ''
Indicates that no passphrase is required.
# svcadm restart network/ssh:default
You can also reboot the system.
Port forwarding enables a local port to be forwarded to a remote host. Effectively, a socket is allocated to listen on the port on the local side. Similarly, a port can be specified on the remote side.
Note - Secure Shell port forwarding must use TCP connections. Secure Shell does not support UDP connections for port forwarding.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Change the value of AllowTcpForwarding to yes in the /etc/ssh/sshd_config file.
# Port forwarding
AllowTcpForwarding yes
remoteHost# svcadm restart network/ssh:default
For information on managing persistent services, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration and the svcadm(1M) man page.
remoteHost# /usr/bin/pgrep -lf sshd
1296 ssh -L 2001:remoteHost:23 remoteHost
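The host-based authentication, protocol, and port forwarding procedures above each add keywords to /etc/ssh/sshd_config. As an added check that is not part of the guide, this shell script reports the value sshd actually uses for each of those keywords: sshd keeps the first value it reads for a keyword and ignores later ones, so an entry typed below an existing setting of the same keyword has no effect. The sample configuration is constructed for the example.

```sh
#!/bin/sh
# Added example: report the effective value of the sshd_config keywords this
# page changes. sshd uses the FIRST value it reads for a keyword and ignores
# later occurrences, so an entry appended at the end of the file is silently
# ignored if the keyword already appears above it. Keywords are matched
# case-insensitively; '#' comment lines and blank lines are skipped. Only the
# "Keyword value" form used on this page is handled (not "Keyword=value").
# Protocol is reported so that v1 is not left enabled once no longer needed.

# effective_value FILE KEYWORD: prints the first value set for KEYWORD,
# or "unset" if the file never sets it.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0          { next }                 # blank line
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE: one "Keyword=value" line per setting the page touches.
audit_sshd_config() {
    for kw in Protocol HostbasedAuthentication IgnoreRhosts AllowTcpForwarding; do
        printf '%s=%s\n' "$kw" "$(effective_value "$1" "$kw")"
    done
}

# Constructed sample: the procedure's entries were appended at the bottom, but
# the stock "Protocol 2" and "HostbasedAuthentication no" lines above still win.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Sample sshd_config (constructed for this example)
Protocol 2
HostbasedAuthentication no

# entries appended per the procedures
hostbasedauthentication yes
IgnoreRhosts no
Protocol 2,1
EOF

audit_sshd_config "$SAMPLE_CFG"
rm -f "$SAMPLE_CFG"
```

On the sample, the report shows Protocol=2 and HostbasedAuthentication=no, which is what sshd would enforce despite the appended lines; the fix is to edit the earlier occurrence rather than add a second one.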