

SSH PAM Configurations

Before you install UNAB, verify that the operating system runs one of the following SSH servers and that the server configuration contains the statements required to enable PAM.

Note: The location of the SSH configuration file may vary depending on the customer installation.

SSH Server and PAM configuration for AIX

The SSH server configuration files are located in the following directory:

/etc/ssh/

To use OpenSSH 3.6 or lower, modify the following entry in /etc/ssh/sshd_config:

PAMAuthenticationViaKbdInt yes

To use OpenSSH 3.7 and above, modify the following entries in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
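
The following script is an added example, not part of the vendor documentation, that verifies the two OpenSSH 3.7 and above entries listed above. It assumes a POSIX shell with awk; the function names effective_value and check_pam_settings and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): print the value sshd will use for a keyword.
# sshd keeps the FIRST value it reads for a keyword, and keyword names are
# case-insensitive, so an early "usepam no" beats a later "UsePAM yes".
effective_value() {   # usage: effective_value <sshd_config> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # accept "Key=value"
        /^#/ || /^$/ { next }
        { key = tolower($1)
          if (key == "match") exit          # global section ends at first Match
          if (key == want) { print tolower($2); exit } }
    ' "$1"
}

# Check the two directives the page requires for OpenSSH 3.7 and above.
check_pam_settings() {   # usage: check_pam_settings <sshd_config>
    rc=0
    for kw in ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "yes" ]; then
            echo "ok   $kw yes"
        else
            echo "FAIL $kw is '${val:-unset}', expected yes"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the stray lower-case line on top wins over "UsePAM yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
usepam no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
check_pam_settings "$sample" || echo "fix sshd_config before installing"
rm -f "$sample"
```

On a host, run check_pam_settings against the sshd_config path that applies to the installation, for example /etc/ssh/sshd_config.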

Example: pam.conf entries for OpenSSH on AIX

The following example is a snippet from the pam.conf that contains the relevant entries to support OpenSSH server on AIX:

# Entries for OpenSSH 
sshd auth optional	/usr/lib/security/pam_seos.o
sshd auth optional	/usr/lib/security/pam_aix
sshd auth sufficient	/usr/lib/security/pam_uxauth.o
sshd auth required	/usr/lib/security/pam_aix try_first_pass
sshd account sufficient	/usr/lib/security/pam_uxauth.o
sshd account requisite 	/usr/lib/security/pam_uxauth.o
sshd account required 	pam_aix
sshd password sufficient	/usr/lib/security/pam_seos.o
sshd password sufficient	/usr/lib/security/pam_uxauth.o
sshd password required	pam_aix
sshd session sufficient	/usr/lib/security/pam_uxauth.o  create_homedir
sshd session required	pam_aix

The Tectia SSH Server 4.x configuration file sshd2_config is located in the following directory:

/etc/ssh2/

To use the Tectia SSH Server 4.x, modify the following entries in /etc/ssh2/sshd2_config:

AllowedAuthentications publickey,keyboard-interactive,password
AuthKbdint.Optional pam

Example: pam.conf entries for Tectia SSH Server 4.x on AIX:

The following example is a snippet from the pam.conf that contains the relevant entries to support Tectia SSH server 4.x on AIX:

# Entries for tectia (sshd2)
sshd2 auth optional	/usr/lib/security/pam_seos.o
sshd2 auth optional	/usr/lib/security/pam_aix
sshd2 auth sufficient	/usr/lib/security/pam_uxauth.o
sshd2 auth required	/usr/lib/security/pam_aix try_first_pass
sshd2 account sufficient	/usr/lib/security/pam_uxauth.o
sshd2 account requisite 	/usr/lib/security/pam_uxauth.o
sshd2 account required 	pam_aix
sshd2 password sufficient	/usr/lib/security/pam_seos.o
sshd2 password sufficient	/usr/lib/security/pam_uxauth.o
sshd2 password required	pam_aix
sshd2 session sufficient	/usr/lib/security/pam_uxauth.o  create_homedir
sshd2 session required	pam_aix

The Tectia SSH Server 6.x configuration file ssh-server-config.xml is located in the following directory:

/etc/ssh2/

To use the Tectia SSH Server 6.x, modify the following in the /etc/ssh2/ssh-server-config.xml file:

<settings windows-logon-type="interactive" pam-account-checking-only="yes" />
….
<pluggable-authentication-modules service-name="ssh-server-g3" pam-calls-with-commands="no" />
….
<authentication name="authentication" action="allow">
…
<auth-publickey />
<auth-password />
<auth-keyboard-interactive >
	<submethod-pam />
</auth-keyboard-interactive>
</authentication>
</authentication-methods>

Example: pam.conf entries for Tectia SSH Server 6.x on AIX:

The following example is a snippet from the pam.conf that contains the relevant entries to support Tectia SSH server 6.x on AIX:

# Entries for Tectia (Tectia 6.x)
ssh-server-g3 auth optional	/usr/lib/security/pam_seos.o
ssh-server-g3 auth optional	/usr/lib/security/pam_aix
ssh-server-g3 auth sufficient	/usr/lib/security/pam_uxauth.o
ssh-server-g3 auth required	/usr/lib/security/pam_aix try_first_pass
ssh-server-g3 account sufficient	/usr/lib/security/pam_uxauth.o
ssh-server-g3 account requisite	/usr/lib/security/pam_uxauth.o
ssh-server-g3 account required	pam_aix
ssh-server-g3 password sufficient	/usr/lib/security/pam_seos.o
ssh-server-g3 password sufficient	/usr/lib/security/pam_uxauth.o
ssh-server-g3 password required	pam_aix
ssh-server-g3 session sufficient	/usr/lib/security/pam_uxauth.o  create_homedir
ssh-server-g3 session required	pam_aix
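
The three pam.conf examples above differ only in the service name in the first column (sshd, sshd2, ssh-server-g3), which must match the PAM service name the SSH server uses. The following script is an added example, not part of the vendor documentation, that reports whether a given service has entries for all four module types and whether pam_uxauth is listed for each, as in the examples. The function name pam_service_report and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): summarise /etc/pam.conf entries for one
# PAM service. pam.conf columns: service  type  control-flag  module  [options]
pam_service_report() {   # usage: pam_service_report <pam.conf> <service-name>
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == svc { t = tolower($2); n[t]++; if ($4 ~ /pam_uxauth/) u[t]++ }
        END {
            split("auth account password session", types, " ")
            for (i = 1; i <= 4; i++) {
                t = types[i]
                if (!(t in n))      { print "FAIL " svc " " t ": no entries"; bad = 1 }
                else if (!(t in u)) { print "FAIL " svc " " t ": pam_uxauth not listed"; bad = 1 }
                else                  print "ok   " svc " " t ": " n[t] " entries"
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample: sshd is complete, ssh-server-g3 lacks its session lines
# and has no pam_uxauth entry for the password type.
sample=$(mktemp)
cat > "$sample" <<'EOF'
sshd auth sufficient /usr/lib/security/pam_uxauth.o
sshd auth required /usr/lib/security/pam_aix try_first_pass
sshd account sufficient /usr/lib/security/pam_uxauth.o
sshd account required pam_aix
sshd password sufficient /usr/lib/security/pam_uxauth.o
sshd password required pam_aix
sshd session sufficient /usr/lib/security/pam_uxauth.o create_homedir
sshd session required pam_aix
ssh-server-g3 auth sufficient /usr/lib/security/pam_uxauth.o
ssh-server-g3 account sufficient /usr/lib/security/pam_uxauth.o
ssh-server-g3 password required pam_aix
EOF
pam_service_report "$sample" sshd
pam_service_report "$sample" ssh-server-g3 || echo "ssh-server-g3 stack is incomplete"
rm -f "$sample"
```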

SSH Server and PAM configuration for Solaris

The SSH server configuration file sshd_config is located in one of the following directories:

/usr/local/etc/ssh/
/etc/ssh

To use OpenSSH 3.9 and above, modify the following in the sshd_config file:

ChallengeResponseAuthentication yes
UsePAM yes
UsePrivilegeSeparation no

To use SunSSH 1.1 and SunSSH 1.1.3, modify the following in the sshd_config file:

PAMAuthenticationViaKBDInt yes

To use SunSSH 1.1.1, modify the following in the sshd_config file:

ChallengeResponseAuthentication yes
UsePAM yes

SSH Server and PAM configuration for Linux

The Tectia SSH Server 6.x configuration file ssh-server-config.xml is located in the following directory:

/etc/ssh2/

Modify the following entries in the configuration file:

<settings windows-logon-type="interactive" pam-account-checking-only="yes" />
<auth-keyboard-interactive>
	<submethod-pam />
</auth-keyboard-interactive>

Modify the following in the /etc/pam.d/ssh-server-g3 file:

auth      include    system-auth
account   required   pam_nologin.so
account   include    system-auth
password  include    system-auth
session   optional   pam_keyinit.so force revoke
session   include    system-auth
session   required   pam_loginuid.so