4.3. Configuring Client SSH Access

You can also configure the IPA client to accept incoming SSH connections and authenticate users with their Kerberos credentials. After the IPA client itself is configured, use the following procedure to set it up for SSH connections. Replace the example host and domain names with your own.

Procedure 4.2. To configure an AIX IPA client for incoming SSH connections:
  1. SSH syslog configuration (in the syslogd configuration file):

    auth.info       /var/log/sshd.log
    auth.crit       /var/log/sshd.log
    auth.warn       /var/log/sshd.log
    auth.notice     /var/log/sshd.log
    auth.err        /var/log/sshd.log
    
  2. SSH logging configuration (in /etc/ssh/sshd_config):

    SyslogFacility AUTH
    LogLevel INFO
    
  3. Configure sshd for GSSAPI (/etc/ssh/sshd_config):

    # Kerberos options
    KerberosAuthentication yes
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    # GSSAPI options
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    UsePAM yes
    
  4. Restart sshd

    # stopsrc -s sshd
    # startsrc -s sshd
    
  5. Restart syslogd

    # stopsrc -s syslogd
    # startsrc -s syslogd
    
  6. The ipa-admintools package is not available for AIX. Consequently, you need to perform the following steps on the IPA server.

    1. Add a host service principal for the client.

      # ipa-addservice host/ipaclient.example.com

    2. Retrieve the host keytab. (The des-cbc-crc encryption type requested with -e is a legacy single-DES type; request it only where the client's Kerberos implementation requires it.)

      # ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc

    3. Copy the keytab from the server to the client.

      # scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab

  7. On the IPA client, use the ktutil command to import the contents into the main host keytab.

    # ktutil
    ktutil: read_kt /tmp/krb5.keytab
    ktutil: write_kt /etc/krb5/krb5.keytab
    ktutil: q
    
  8. Add a system account that is used only for authentication. (This step can be replaced by Kerberos authentication if that works from the LDAP client.) Otherwise, on the IPA server, use ldapmodify, bind as Directory Manager, and create this entry:

    dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
    objectClass: account
    objectClass: simplesecurityobject
    objectClass: top
    uid: nss
    userPassword: Your own shared password here
    
  9. On the IPA server, get a ticket for the admin user.

    # kinit admin

You should be able to log in as admin using SSH without providing a password.

# ssh admin@ipaclient.example.com
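As an added example (not from the Red Hat IPA documentation or from the AIX sshd package), the following POSIX shell script checks that an sshd_config file actually carries the settings from steps 2 and 3 of the procedure. It relies on documented sshd_config(5) behaviour: lines starting with "#" are comments, keywords are case-insensitive, keyword and value may be separated by whitespace or "=", the first value obtained for a keyword is the one sshd uses, and directives after a "Match" line are conditional rather than global. So a "GSSAPIAuthentication yes" appended at the end of the file does not override an earlier active "GSSAPIAuthentication no", which is a common reason a "configured" client still prompts for a password. The sample configurations and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: verify the sshd settings from steps 2 and 3 of the procedure.
# Not part of the Red Hat IPA documentation or of AIX; function names and the
# sample configurations below are constructed for the example.

# Print the first effective (uncommented, pre-Match) value of KEYWORD in FILE.
# Prints nothing if the keyword is not set globally.
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line: no effect
        { gsub(/=/, " ") }                      # "Key=value" -> "Key value"
        NF < 2 { next }                         # blank or malformed line
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print $2; exit }   # first value wins
    ' "$1"
}

# Return 0 if FILE has every directive this procedure needs, 1 otherwise,
# naming each directive whose effective value differs from what is wanted.
check_sshd_gssapi() {
    _file=$1
    _rc=0
    for _pair in KerberosAuthentication=yes GSSAPIAuthentication=yes UsePAM=yes \
                 SyslogFacility=AUTH LogLevel=INFO; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(sshd_first_value "$_file" "$_key")
        if [ "$_got" != "$_want" ]; then
            echo "$_key: wanted '$_want', effective value '${_got:-unset}'" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample: a correctly edited sshd_config. The commented-out
# "#GSSAPIAuthentication no" must not count, and "UsePAM=yes" is valid syntax.
write_good_config() {
    cat > "$1" <<'EOF'
# Logging (step 2)
SyslogFacility AUTH
LogLevel INFO
# Kerberos options (step 3)
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
UsePAM=yes
EOF
}

# Constructed sample of a common mistake: "yes" was appended at the end of the
# file, but the earlier active "no" is the value sshd actually uses.
write_bad_config() {
    cat > "$1" <<'EOF'
SyslogFacility AUTH
LogLevel INFO
KerberosAuthentication yes
GSSAPIAuthentication no
UsePAM yes
GSSAPIAuthentication yes
EOF
}

# Stand-alone run: check both samples and report.
good=${TMPDIR:-/tmp}/sshd_config.good.$$
bad=${TMPDIR:-/tmp}/sshd_config.bad.$$
write_good_config "$good"
write_bad_config "$bad"
check_sshd_gssapi "$good" && echo "good sample: all directives effective"
check_sshd_gssapi "$bad" || echo "bad sample: rejected (first value wins)"
rm -f "$good" "$bad"
```

To check a real client, source the functions and call check_sshd_gssapi /etc/ssh/sshd_config before restarting sshd in step 4. To confirm that the final login in this procedure really used Kerberos rather than silently falling back to a password, ssh -v reports which authentication method succeeded, and ssh -o PreferredAuthentications=gssapi-with-mic -o PasswordAuthentication=no admin@ipaclient.example.com fails instead of prompting when GSSAPI authentication is not actually working.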