Managing Secure Shell Access in Oracle® Solaris 11.2

Exit Print View

Updated: September 2014

Secure Shell Authentication

Secure Shell provides public key and password methods for authenticating the connection to the remote host. Public key authentication is a stronger authentication mechanism than password authentication because the private key never travels over the network.

The authentication methods are tried in the following order. When the configuration does not satisfy an authentication method, the next method is tried.

  • GSS-API – Uses credentials for GSS-API mechanisms such as mech_krb5 (Kerberos V) and mech_dh (AUTH_DH) to authenticate clients and servers. For more information about GSS-API, see Introduction to GSS-API in Developer’s Guide to Oracle Solaris 11 Security .

  • Host-based authentication – Uses host keys and rhosts files. Uses the client's RSA and DSA public/private host keys to authenticate the client. Uses the rhosts files to authorize clients to users.

  • Public key authentication – Authenticates users with their RSA and DSA public/private keys.

  • Password authentication – Uses PAM to authenticate users. Keyboard authentication method in v2 allows for arbitrary prompting by PAM. For more information, see the SECURITY section in the sshd(1M) man page.

The following table shows the requirements for authenticating a user who is trying to log into a remote host. The user is on the local host, the client. The remote host, the server, is running the sshd daemon. The table shows the Secure Shell authentication methods and the host requirements.

Table 1-1  Authentication Methods for Secure Shell
Authentication Method
Local Host (Client) Requirements
Remote Host (Server) Requirements
Initiator credentials for the GSS mechanism.
Acceptor credentials for the GSS mechanism. For more information, see Acquiring GSS Credentials in Secure Shell.
User account
Local host private key in /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_key
HostbasedAuthentication yes in /etc/ssh/ssh_config
User account
Local host public key in /etc/ssh/known_hosts or ~/.ssh/known_hosts
HostbasedAuthentication yes in /etc/ssh/sshd_config
IgnoreRhosts no in /etc/ssh/sshd_config
Local host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.rhosts, or ~/.shosts
User account
User account
Supports PAM.
.rhosts with RSA (v1) on server only
User account
Local host public key in /etc/ssh/ssh_host_rsa1_key
User account
Local host public key in /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts
IgnoreRhosts no in /etc/ssh/sshd_config
Local host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.shosts, or ~/.rhosts
RSA or DSA public key
User account
Private key in ~/.ssh/id_rsa or ~/.ssh/id_dsa
User's public key in ~/.ssh/ or ~/.ssh/
User account
User's public key in ~/.ssh/authorized_keys