Using the Secure TCP (Kerberized) utilities

This release includes Secure TCP versions







(providing Kerberos Version 5 authentication) of the following client utilities and server daemons:

 ---------------------------------------------------------------
 Client utilities           Server daemon
 ---------------------------------------------------------------
 ftp(TC)                    ftpd(ADMN)
 rcmd(TC) and rcp(TC)       rshd(ADMN)
 rlogin(TC)                 rlogind(ADMN)
 telnet(TC)                 telnetd(ADMN)

Configuring the Secure TCP utilities

To use these utilities with Kerberos Version 5 authentication, you must first define the users (interactive principals) and host systems (machine principals) on the Security Server(s) for the Kerberos realm or DCE cell where they are to operate:

1. If you are using SCO Security Services, the cell administrator (authentication principal) must use the SCO Distributed Administration Service Security Manager or rgy_edit to add a registry object
   for each interactive and machine principal to /.:/sec/principal in the local cell. See the secadmin(ADMD) and rgy_edit(8sec) manual pages for more information.
   
   Machine principals must be added to the host subhierarchy. For example, the machine principal corresponding to the host foo in the domain bar.com would be:
   
   /.:/sec/principal/host/foo.bar.com

   
   Interactive principals may be added directly to the /.:/sec/principal hierarchy. Create passwords in the account properties of all new principals.

2. On each host where Secure TCP utilities or daemons are to be run, log in as root and run the auth.config(ADMN) command.

3. Use auth.config to
   
   
   
   define the DCE cell (or Kerberos realm) and fully qualified domain name of the Security Server that will be used to authenticate service requests. When asked for a host password for Secure TCP services, you can select a machine-generated password as you do not need to remember this password.
   

4. Use auth.config to choose the level of authentication required for access to the ftpd, rshd, rlogind and telnetd daemons. You can select to make authentication optional if some users require traditional unauthenticated access.

5. If users are required to use authenticated access, the access control
   
   file, .k5login (see k5login(SFF)), must exist in their home directories on the machine where the server daemon is running. This file contains the names and cells of principals that can access an account. For example, the entry ``chuck@local_cell'' specifies that the principal chuck in the cell (or realm) local_cell has access. Only the owner must have write permission on .k5login, and the owner must either be root or the user associated with the home directory.

Obtaining Kerberos session credentials

Before a user can use the Secure TCP utilities, they must obtain Kerberos session credentials. Because the current versions of login(M) and scologin(XC) do not support Kerberos authenticated login, there are two alternative methods by which a user may obtain these credentials:

• using kinit

• using ktadd and kinit

Obtaining session credentials using kinit

Log in locally using unauthenticated login and then obtain session credentials using
kinit(TC). The kinit command will authenticate the user's session with the Security Server and obtain a Ticket Granting Ticket for the user's session provided the user can supply the correct password for their interactive principal name. To monitor their credentials, the user must run the
ksession(TC) command which will warn when the credentials are about to expire. The user can also use the
klist(TC) command to view their credentials and their expiry date.

Obtaining session credentials using ktadd and kinit

To avoid the possibility that passwords can be transmitted in clear text, root can use the
ktadd(ADMN) command to create user keys on the various machines that different users are allowed to access. Alternatively a user can use ktadd to create a user key on each of the machines that they need to use.

For example, to obtain a user key for the interactive principal chuck with password ``clydenw'' for the cell local_cell, enter the following commands:

ktadd -p chuck@local_cell -pw clydenw -f ~chuck/.v5srvtab
chmod 600 ~chuck/.v5srvtab

This creates a private key table .v5srvtab


for chuck in their home directory and changes its permissions so only chuck and root can read from or write to this file. (Note that this example assumes that the shell being used is either ksh or csh.)

To use their private key table when obtaining session credentials, the user calls kinit from their .profile or .login file. This example also shows ksession being run to monitor chuck's credentials:

kinit -k -t ~chuck/.v5srvtab
ksession

For more information about using the SCO Security Services, see the SCO Security Services Release and Installation Notes. For more information about using the SCO DCE Executive, see the SCO DCE Executive Release and Installation Notes.

Home Notes Home MCSE MCSE MCITP + Security CCNA MCITP 2008  Boot Camp Schedule Register Frequently Asked Questions Course Fees Contact US Boot Camp Location Compare us to our competitors Testimonials Sitemap

Testimonials

Join MCSE MCITP Boot Camp & CCNA Boot Camp Back to Back Certification Today. links  270  290    291  293    294  298  299   Security  640-801  routing 811  821   831  Resources MCSE MCITP + CCNA  Training  Card pay  Papal  MCSE MCITP Notes  CCNA Notes    index main   root   link  resources home    Ref1 Ref2

Vibrant offers MCSE certification training boot camp for $5400 all inclusive, instructor led at California and Baltimore.

Vibrant Bootcamp Participants come from All Around the World. Vibrant has trained students from more than 15 countries like USA, UK, (Scotland, Ireland, Wales), Switzerland, Germany, Australia, Canada, France, Holland, Japan, Belgium, Bahrain, New Zealand, Tanzania, Turkey, Kenya and more.