Configuring SSH to require SecurID

When setting up the SecurID product you must make some configuration changes to the sshd configuration files.

If you are using the Centrify openSSH product, you must change its configuration to support token authentication. Centrify openSSH is configured to attempt Kerberos single sign-on whenever a user logs in, so the user is not prompted for a user name or password. This capability must be disabled if you want to prompt users for token authentication.

To configure SSH to require a SecurID token:

  1. Edit the /etc/centrifydc/ssh/ssh_config file and comment out the lines for the following items:

    • GSSAPIAuthentication
    • GSSAPIKeyExchange
    • GSSAPIDelegateCredentials

    For example:

    # Configuration for Centrify DirectControl: Host *
    #GSSAPIAuthentication yes
    #GSSAPIKeyExchange yes
    #GSSAPIDelegateCredentials yes
  2. Edit the /etc/centrifydc/ssh/sshd_config file and comment out the lines for the following items:

    • GSSAPIKeyExchange
    • GSSAPIAuthentication
    • GSSAPICleanupCredentials
  3. In the /etc/centrifydc/ssh/sshd_config file, be sure that the PrintMotd and UsePAM settings are set as follows:

    PrintMotd no
    UsePAM yes
  4. Restart sshd to ensure the changes take effect.
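
To confirm steps 1 through 3 before restarting sshd, the edited files can be audited with a short script. This is an added example, not Centrify tooling; the function names are hypothetical, and it assumes only top-level lines matter (Include files and Match blocks are not evaluated).

```shell
#!/bin/sh
# Added example: audit the two Centrify OpenSSH files against steps 1-3.
# Assumption: only the files' own top-level lines are read; Include files
# and Match blocks are not evaluated.

# active_value FILE KEYWORD: print the first uncommented value of KEYWORD.
# OpenSSH keywords are case-insensitive and the first occurrence wins.
active_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            if (tolower(f[1]) == tolower(key)) { print tolower(f[2]); exit }
        }' "$1"
}

# audit_file FILE KEY=WANT...: WANT "-" means KEY must have no active line.
# Prints one FAIL line per deviation; exit status is the number of deviations.
audit_file() {
    file=$1; shift; bad=0
    for rule in "$@"; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(active_value "$file" "$key"); got=${got:--}
        if [ "$got" != "$want" ]; then
            echo "FAIL $file: $key is '$got', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Step 1: client file; steps 2 and 3: server file.
audit_client() {
    audit_file "$1" GSSAPIAuthentication=- GSSAPIKeyExchange=- \
        GSSAPIDelegateCredentials=-
}
audit_server() {
    audit_file "$1" GSSAPIKeyExchange=- GSSAPIAuthentication=- \
        GSSAPICleanupCredentials=- PrintMotd=no UsePAM=yes
}

# Constructed sample (not a real host's file): one GSSAPI line left active.
sample=$(mktemp)
printf '%s\n' '#GSSAPIKeyExchange yes' 'GSSAPIAuthentication yes' \
    '#GSSAPICleanupCredentials yes' 'PrintMotd no' 'UsePAM yes' > "$sample"
if audit_server "$sample"; then echo "OK"; else echo "deviations: $?"; fi
rm -f "$sample"
```

On a configured host, run `audit_client /etc/centrifydc/ssh/ssh_config` and `audit_server /etc/centrifydc/ssh/sshd_config`; an active GSSAPI line is reported even when its value is `no`, because the procedure calls for the lines to be commented out.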