| Skip Navigation Links | |
| Exit Print View | |
|
System Administration Guide: Security Services Oracle Solaris 10 1/13 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
System Administration Guide: Security Services Oracle Solaris 10 1/13 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Secure Shell (Tasks)
Secure Shell in the Enterprise
Configuring Secure Shell (Task Map)
Configuring Secure Shell (Tasks)
How to Set Up Host-Based Authentication for Secure Shell
How to Configure Port Forwarding in Secure Shell
How to Generate a Public/Private Key Pair for Use With Secure Shell
How to Change the Passphrase for a Secure Shell Private Key
How to Log In to a Remote Host With Secure Shell
How to Reduce Password Prompts in Secure Shell
How to Set Up the ssh-agent Command to Run Automatically in CDE
How to Use Port Forwarding in Secure Shell
How to Copy Files With Secure Shell
How to Set Up Default Connections to Hosts Outside a Firewall
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Auditing in Oracle Solaris
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
The Secure Shell in Oracle Solaris is a fork of the OpenSSH project. Security fixes for vulnerabilities that are discovered in later versions of OpenSSH are integrated into Secure Shell, as are individual bug fixes and features. Internal development continues on the Secure Shell fork.
While Oracle Solaris engineers provide bug fixes to the project, they have also integrated the following features into the Oracle Solaris fork of Secure Shell:
PAM - Secure Shell uses PAM. The OpenSSH UsePAM configuration option is not supported.
Privilege separation - Secure Shell does not use the privilege separation code from the OpenSSH project. Secure Shell separates the processing of auditing, record keeping and re-keying from the processing of the session protocols.
Secure Shell privilege separation code is always on and cannot be switched off. The OpenSSH UsePrivilegeSeparation option is not supported.
Locale - Secure Shell fully supports language negotiation as defined in RFC 4253, Secure Shell Transfer Protocol. After the user logs in, the user's login shell profile can override the Secure Shell negotiated locale settings.
Auditing - Secure Shell is fully integrated into the Oracle Solaris auditing subsystem. For information on auditing, see Part VII, Auditing in Oracle Solaris.
GSS-API support - GSS-API can be used for user authentication and for initial key exchange. The GSS-API is defined in RFC4462, Generic Security Service Application Program Interface.
Proxy commands - Secure Shell provides proxy commands for SOCKS5 and HTTP protocols. For an example, see How to Set Up Default Connections to Hosts Outside a Firewall.
Since the Solaris 9 release, the following specific changes have been introduced to Secure Shell:
Secure Shell is forked from OpenSSH 3.5p1.
The default value of X11Forwarding is yes in the /etc/ssh/sshd_config file.
The following keywords have been introduced:
GSSAPIAuthentication
GSSAPIKeyExchange
GSSAPIDelegateCredentials
GSSAPIStoreDelegatedCredentials
KbdInteractiveAuthentication
The GSSAPI keywords enable Secure Shell to use GSS credentials for authentication. The KbdInteractiveAuthentication keyword supports arbitrary prompting and password changing in PAM. For a complete list of keywords and their default values, see Keywords in Secure Shell.
The ARCFOUR and AES128-CTR ciphers are now available. ARCFOUR is also known as RC4. The AES cipher is AES in counter mode.
The sshd daemon uses the variables in /etc/default/login and the login command. The /etc/default/login variables can be overridden by values in the sshd_config file. For more information, see Secure Shell and Login Environment Variables and the sshd_config(4) man page.
The ChrootDirectory option on the server enables the server, once the connection is authenticated, to chroot the connected clients to the directory that the option specifies. This option supports an in-process SFTP server , that is, internal SFTP, whose configurations are simplified by using the ChrootDirectory option.
|