| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Verifying File Integrity by Using BART (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Using Pluggable Authentication Modules
Secure Shell and the OpenSSH Project
Configuring Secure Shell (Tasks)
Configuring Secure Shell (Task Map)
How to Set Up Host-Based Authentication for Secure Shell
How to Configure Port Forwarding in Secure Shell
How to Create User and Host Exceptions to Secure Shell Defaults
How to Create an Isolated Directory for sftp Files
How to Generate a Public/Private Key Pair for Use With Secure Shell
How to Change the Passphrase for a Secure Shell Private Key
How to Log In to a Remote Host With Secure Shell
How to Reduce Password Prompts in Secure Shell
How to Remotely Administer ZFS With Secure Shell
How to Use Port Forwarding in Secure Shell
How to Copy Files With Secure Shell
How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall
17. Using Simple Authentication and Security Layer
18. Network Services Authentication (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
Secure Shell in Oracle Solaris is built on top of the Open Source toolkit, OpenSSL, which implements the Secure Sockets Layer and Transport Layer Security.
Two distinct versions of the toolkit are available in Oracle Solaris.
Version 1.0.0 is the default version that Secure Shell runs on.
Version 0.9.8 implements FIPS-140, a U.S. government computer security standard for cryptography modules.
To use Secure Shell in FIPS-140 (FIPS) mode, see Secure Shell and FIPS-140.
In Secure Shell, authentication is provided by the use of passwords, public keys, or both. All network traffic is encrypted. Thus, Secure Shell prevents a would-be intruder from being able to read an intercepted communication. Secure Shell also prevents an adversary from spoofing the system.
Secure Shell can also be used as an on-demand virtual private network (VPN). A VPN can forward X Window system traffic or can connect individual port numbers between the local machines and remote machines over an encrypted network link.
With Secure Shell, you can perform these actions:
Log in to another host securely over an unsecured network.
Copy files securely between the two hosts.
Run commands securely on the remote host.
On the server side, Secure Shell supports Version 2 (v2) of the Secure Shell protocol. On the client side, in addition to v2, the client supports Version 1 (v1). For information about v1, see System Administration Guide: Security Services.
Secure Shell provides public key and password methods for authenticating the connection to the remote host. Public key authentication is a stronger authentication mechanism than password authentication, because the private key never travels over the network.
The authentication methods are tried in the following order. When the configuration does not satisfy an authentication method, the next method is tried.
GSS-API – Uses credentials for GSS-API mechanisms such as mech_krb5 (Kerberos V) and mech_dh (AUTH_DH) to authenticate clients and servers. For more information about GSS-API, see Introduction to GSS-API in Developer’s Guide to Oracle Solaris 11 Security.
Host-based authentication – Uses host keys and rhosts files. Uses the client's RSA and DSA public/private host keys to authenticate the client. Uses the rhosts files to authorize clients to users.
Public key authentication – Authenticates users with their RSA and DSA public/private keys.
Password authentication – Uses PAM to authenticate users. Keyboard authentication method in v2 allows for arbitrary prompting by PAM. For more information, see the SECURITY section in the sshd(1M) man page.
The following table shows the requirements for authenticating a user who is trying to log into a remote host. The user is on the local host, the client. The remote host, the server, is running the sshd daemon. The table shows the Secure Shell authentication methods, the compatible protocol versions, and the host requirements.
Table 15-1 Authentication Methods for Secure Shell
|
For a comprehensive discussion of Secure Shell on an Oracle Solaris system, see Secure Shell in the Enterprise, by Jason Reid, ISBN 0-13-142900-0, June 2003. The book is part of the Sun BluePrints Series published by Sun Microsystems Press.
|