The Secure Shell protocol supports client user/host authentication and server host authentication. Cryptographic keys are exchanged for the protection of Secure Shell sessions. Secure Shell provides various methods for authentication and key exchange. Some methods are optional. Client authentication mechanisms are listed in Table 1–1. Servers are authenticated by using known host public keys.
For authentication, Secure Shell supports user authentication and generic interactive authentication, which usually involves passwords. Secure Shell also supports authentication with user public keys and with trusted-host public keys. The keys can be RSA or DSA. Session key exchanges consist of Diffie-Hellman ephemeral key exchanges that are signed in the server authentication step. Additionally, Secure Shell can use GSS credentials for authentication.
To use GSS-API for authentication in Secure Shell, the server must have GSS-API acceptor credentials and the client must have GSS-API initiator credentials. Support is available for mech_dh and for mech_krb5.
The client has initiator credentials for mech_dh if one of the following has been done:
The keylogin command has been run.
The pam_dhkeys module is used in the pam.conf file.
The client has initiator credentials for mech_krb5 if one of the following has been done:
The kinit command has been run.
The pam_krb5 module is used in the pam.conf file.
For more information about the use of mech_dh in secure RPC, see Chapter 10, Configuring Network Services Authentication, in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 . For more information about the use of mech_krb5, see Chapter 2, About the Kerberos Service, in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 . For more information about mechanisms, see the mech(4) and mech_spnego(5) man pages.