Implementation Guide › Installing and Customizing a UNAB Host › Before You Begin › Kerberos and SSO Considerations

Kerberos and SSO Considerations

You can install and register UNAB on a Kerberos enabled endpoint to leverage the Kerberos Single Sign On (SSO) service to authenticate once and log into multiple endpoints with the same user credentials. If not configured, you enable SSO functionality on the endpoint by installing and configuring Kerberized network services and applications.

Because configurations differ between systems, we strongly recommend that you do the following before you enable Kerberos and SSO on the endpoint:

• Read the system man pages and release specific options of native application service binaries, that you plan to use in SSO, especially the following:
  • sshd(1M)
  • telnetd
  • in.telnetd
  • inetd
  • pam.conf
  • inetd.sec
• Verify the PATH variable of the Kerberos supported versions of network applications. For example, on most Linux systems Kerberos tools are located under the /usr/Kerberos directory.
• Verify that the following Kerberos supported applications are configured as follow:
  • SSH—support credentials delegation, for example, set the GSSAPIDelegateCredentials token to yes
  • SSHD—support and enable GSSAPIAuthentication token
  • Telnet—on Solaris, PAM stack configured and Kerberos configuration and keytab files made available. Create a symbolic link or environment variable KRB5_CONFIG and KRB5_KTNAME to make the keytab files available
  • rlogin—install a Kerberos supported version of the application.

Note: For more system-specific Kerberos and SSO configuration, see your system documentation.

Example: Configure Kerberos on Solaris

The following example shows you the configuration required to configure Kerberos on Solaris. In this example, you install and configure Solaris packages to enable Kerberos.

Important! You may need to install and configure additional packages to configure the system you are using for Kerberos.

• Install the SUNWcry package to enable strong encryption
• On Solaris 10, SSH does not support GSSAPIDelegateCredentials
• Enable svc:/network/shell:kshell, svc:/network/login:klogin, svc:/network/telnet:default to use rsh, rlogin, and telnet services
• Modify the /etc/pam.conf file to handle Kerberos authentication.

The following is a snippet from the /etc/pam.conf file displays the added sections that enable Kerberos authentication for rlogin, rsh and telnet:

# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth required		pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth, 
# and pam_unix_auth for meaningful pam_setcred) 
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth required		pam_krb5.so.1