HP HP-UX Kerberos Data Security Product Guide

Configuration Guide for Kerberos Client Products on HP-UX
HP-UX 11.0, HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3
Manufacturing Part Number: 5991-7718
February 2007
© Copyright 2007 Hewlett-Packard Development Company, L.P.
Copyright 2007 Hewlett-Packard Company, L.P.
Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein shall be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
OSF/Motif is a trademark of the Open Software Foundation, Inc. in the
U.S. and other countries.
MS-DOS and Microsoft are U.S. registered trademarks of Microsoft
Corporation.
Copyright 1979, 1980, 1983, 1985-93 Regents of the University of California. This software is based in part on the Fourth Berkeley Software Distribution under license from the Regents of the University of California.
Copyright 1980, 1984, 1986 Novell, Inc.
Copyright 1986-1992 Sun Microsystems, Inc.
Copyright 1985-86, 1988 Massachusetts Institute of Technology.
Copyright 1989-93 The Open Software Foundation, Inc.
Copyright 1986 Digital Equipment Corporation.
Copyright 1990 Motorola, Inc.
Copyright 1990, 1991, 1992 Cornell University
Copyright 1989-1991 The University of Maryland
Copyright 1988 Carnegie Mellon University
Copyright 1996 Massachusetts Institute of Technology
Copyright 1996 OpenVision Technologies, Inc.
Copyright 1996 Derrick J. Brashear
Copyright 1998 Curtis King
Contents
1. Overview
Kerberos Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Kerberos Products and GSS-API on HP-UX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2. Introduction to the Kerberos Products and GSS-API
PAM Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
The PAM Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
The Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
The Password Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Credential Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
The Account Management Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
The Session Management Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
The pam_user.conf File on HP-UX 11.0 and 11i v1. . . . . . . . . . . . . . . . . . . . . . . . . 47
The pam_user.conf File on HP-UX 11i v2 and HP-UX 11i v3. . . . . . . . . . . . . . . . . 47
The pam.conf File on HP-UX 11.0 and HP-UX 11i v1 . . . . . . . . . . . . . . . . . . . . . . 47
The pam.conf File on HP-UX 11i v2 and HP-UX 11i v3 . . . . . . . . . . . . . . . . . . . . . 48
The pam_krb5 File on HP-UX 11.0 and HP-UX 11i v1. . . . . . . . . . . . . . . . . . . . . . 48
The pam_krb5 File on HP-UX 11i v2 and HP-UX 11i v3 . . . . . . . . . . . . . . . . . . . . 48
The pamkrbval Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Secure Internet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
KRB5 Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Libraries and Header Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Kerberos Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
The kinit Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
The klist Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
The kdestroy Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
The kpasswd Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
The ktutil Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
The kvno Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
HP Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Kerberos Server Version 3.12 Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Graphical User Interface (GUI) Based Administration tool . . . . . . . . . . . . . . . . . . 65
Multithreaded Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Dynamic Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Windows 2000(R) Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Choice of C-Tree or LDAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Auto-Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Generic Security Service Application Programming Interface (GSS-API) . . . . . . . . . . 68
Credential Management Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Context Level Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Confidentiality Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Support Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3. Configuring the Kerberos Environment
Configuration Files for Kerberos Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The services File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuration Files for GSS-API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
The mech File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
The /etc/gss/qop File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
The gsscred.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuring the Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring Your Microsoft Windows 2000 KDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring the Kerberos Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring for PAM Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4. Troubleshooting Kerberos Related Products
Troubleshooting PAM Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Troubleshooting the Kerberos Client Utilities. . . . . . . . . . . . . . . . . . . . . . . . 94
Troubleshooting GSS-API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Major and Minor Status Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Common GSS-API Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Calling Error Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Other Common Causes of Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Troubleshooting Using the pamkrbval Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
A. Sample pam.conf File
B. Sample krb5.conf File
C. Sample krb.conf File
D. Sample krb.realms File
E. Kerberos Error Messages
Kerberos V5 Library Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Kerberos V5 Magic Numbers Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
ASN.1 Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
GSSAPI Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
F. Kerberos Client Environment Variables
Kerberos Client Environment Variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Figures
Figure 1-1. Authentication Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Figure 2-1. HP-UX authentication modules under PAM. . . . . . . . . . . . . . . . . . . . . . .34
Figure 2-2. PAM Kerberos calls libkrb5.sl through PAM . . . . . . . . . . . . . . . . . . . . . .35
Figure 2-3. SIS uses Kerberos Client Library Directly . . . . . . . . . . . . . . . . . . . . . . . .52
Figure 2-4. GSS-API Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Figure 2-5. GSS-API Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Tables
Table 1. Publishing History Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Table 2-1. PAM Kerberos Library libpam_krb5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Table 2-2. On HP-UX 11.0 and HP-UX 11i v1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Table 2-3. On HP-UX 11i v2 and HP-UX 11i v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Table 2-4. On HP-UX 11.0 and 11iv1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Table 2-5. On HP-UX 11i v2 and HP-UX 11i v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Table 2-6. Kerberos Client Libraries on HP-UX 11i v3 . . . . . . . . . . . . . . . . . . . . . . . .55
Table 2-7. Versions of Kerberos Server on HP-UX Operating Systems . . . . . . . . . . .64
Table 2-8. GSS-API Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Table 2-9. Additional files in the GSS-API product . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Table 3-1. Kerberos Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Table 3-2. Entries in the mech file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Table 3-3. Format of the /etc/gss/qop file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Table 4-1. Error Codes and Corrective Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Table 4-2. Kerberos Client Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Table 4-3. Common GSS-API Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Table 4-4. Calling Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Table 4-5. Supplementary Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Table 4-6. Error Messages that Appear During keytab Validation. . . . . . . . . . . . . .100
About This Document
This document describes how to configure a Kerberos environment on HP-UX servers and workstations running HP-UX 11.0, HP-UX 11i v1, HP-UX 11i v2, and HP-UX servers running HP-UX 11i v3.
This document is intended for system managers or administrators who configure Kerberos related products on HP-UX. However, this document is not a replacement for the documents provided for HP's Kerberos Server version 3.12.
Publishing History
Table 1 describes the publishing details of this document for various HP-UX releases.

Table 1 Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported   Publication Date
J5849-90003                          HP-UX 11.X                    December 2000
J5849-90007                          HP-UX 11.X                    September 2001
T1417-90005                          HP-UX 11.X                    June 2002
T1417-90006                          HP-UX 11.X                    July 2003
5991-7718                            HP-UX 11.X                    February 2007

The latest version of this document is available at: http://www.docs.hp.com.
The document printing date and part number indicate the document's correct edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Document updates can be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new edition, subscribe to the appropriate support service. Contact your HP sales representative for details.
Document Organization
The Configuration Guide for Kerberos Related Products on HP-UX is organized as follows:
Chapter 1, Overview – Provides an insight into the Kerberos protocol.
Chapter 2, Introduction to the Kerberos Products and GSS-API – Provides information about the different Kerberos products available on HP-UX.
Chapter 3, Configuring the Kerberos Environment – Provides instructions for configuring a Kerberos environment.
Chapter 4, Troubleshooting Kerberos Related Products – Provides information to help you identify and troubleshoot some common problems that might occur.
Appendix A, Sample pam.conf File – Provides a sample pam.conf file.
Appendix B, Sample krb5.conf File – Provides a sample krb5.conf file.
Appendix C, Sample krb.conf File – Provides a sample krb.conf file.
Appendix D, Sample krb.realms File – Provides a sample krb.realms file.
Appendix E, Kerberos Error Messages – Provides some common Kerberos error messages with their respective error codes.
Appendix F, Kerberos Client Environment Variables – Provides a list of common Kerberos Client environment variables.
Typographic Conventions
This document uses the following typographic conventions:
audit (5) – An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the Web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1).
Book Title – The title of a book. On the Web and on the Instant Information CD, it may be a link to the book itself.
KeyCap – The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis – Text that is emphasized.
Bold – The defined use of an important word or phrase.
ComputerOut – Text displayed by the computer.
UserInput – Commands and other text that you type.
Command – A command name or qualified command phrase.
Variable – The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
| – Separates items in a list of choices.
[] – The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{} – The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
... – The preceding element may be repeated an arbitrary number of times.
Related Documentation
Given below is a list of related documentation:
Kerberos Server Version 3.12 Release Notes (5991-7686)
PAM Kerberos v1.24 Release Notes (5991-7687)
Installing and Administering Internet Services (B2355-90759)
Using Internet Services (B2355-90148)
Accessing the World Wide Web
Given below is a list of related documents that are available on the HP web sites:
HP Technical Documentation and White Papers
http://docs.hp.com
http://www.unixsolutions.hp.com/products/hpux/hpux11/whitepapers/netsecur.pdf
http://www.hp.com/products1/unix/operating/security/kerberos_wp.pdf
HP-UX IT Resource Center:
http://us-support.external.hp.com (US and Asia Pacific)
http://europe-support.external.hp.com (Europe)
The Internet Engineering Task Force RFC Pages
http://www.ietf.org/rfc.html
Related Requests for Comments (RFCs)
Given below is a list of related Requests for Comments:
RFC 1510 - The Kerberos Network Authentication Service (V5)
RFC 1964 - The Kerberos Version 5 GSS-API Mechanism
RFC 2743 - Generic Security Service Application Program Interface
RFC 2744 - Generic Security Service API
Open Group RFC 86.0 - PAM Authentication Module

1 Overview

This chapter provides an overview of Kerberos and the available Kerberos products on HP-UX.
It contains the following sections:
• “Kerberos Overview” on page 23
• “Authentication Process” on page 24
• “Kerberos Products and GSS-API on HP-UX” on page 28

Kerberos Overview
Kerberos is a mature network authentication protocol based on the IETF RFC 1510 specification. It is designed to provide strong authentication for client/server applications by using shared secret-key cryptography.
The basic currency of Kerberos is the ticket, which the user presents in order to use a specific service. Each service, be it a login service or an FTP service, requires a different kind of ticket. Fortunately, the Kerberized applications keep track of all the various kinds of tickets, so you don't have to.
You must authenticate yourself to the server by providing your user name and password. In return, the Kerberos server gives you an initial ticket, which you use to request additional tickets from the Kerberos server for all the other services. For this reason, the initial ticket is also often called the Ticket Granting Ticket (TGT).
The Kerberos protocol secures the communication between the client and server: client programs make authentication requests to an authentication server, and server programs in turn service those client requests. Based on your user credentials, the server program grants or denies your request to access network applications and services. The Kerberos server allows entities to authenticate themselves without having to transmit their passwords in clear text form over the network.
Authentication Process
The Kerberos server grants tickets to your user principal to access secured network services. You must authenticate yourself to the server by providing your user name and password. When the server authenticates you, it returns a set of initial credentials for you, including a TGT and a session key.
The Kerberos server grants a service ticket for a specific service principal that can be associated with one or more Kerberos-secured services. A client application uses your service ticket to authenticate you to a Kerberos-secured network service. The secured client application automatically handles the transactions with the Kerberos Server and the secured application server. Service tickets and associated session keys are generally cached in your user credentials cache along with the TGT of the user.
Figure 1-1 illustrates the actions of the components and the Kerberos protocol in a secured environment.
Figure 1-1 Authentication Process
The following is a description of how a client and server authenticate each other using Kerberos:

Step 1. Send a request to the Authentication Service (AS) for a TGT. You can choose to request specific ticket flags and specify the key type to be used to construct the secret key. You can also accept the default values configured for the client. Send the following information to the AS to obtain credentials:
• Client – indicates the user name, also referred to as the principal name
• Server – indicates the TGS
• Time stamp
• Nonce

Step 2. If the AS decrypts the message successfully, it authenticates the requesting user and issues a TGT. The TGT contains the user name, a session key for your use, and the name of the server to be used for any subsequent communication. The reply message is encrypted using your secret key.

NOTE: The AS decrypts the request only when the pre-authentication option is set in the AS request. If the pre-authentication option is not set, the AS issues the TGT if the principal is available in the Kerberos database.

Step 3. The client decrypts the message using your secret key. The TGT and the session key from the message are stored in the client's credential cache. These credentials are used to obtain tickets for each network service the principal wants to access.

The Kerberos protocol exchange has the following important features:
• The authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text.
• The client (or any other user) cannot view or modify the contents of the TGT.

Step 4. To obtain access to a secured network service such as rlogin, rsh, rcp, ftp, or telnet, the requesting client application uses the previously obtained TGT in a dialogue with the TGS to obtain a service ticket. The protocol is the same as used while obtaining the TGT, except that the messages contain the name of the server and a copy of the previously obtained TGT.

Step 5. The TGS returns a new service ticket that the application client can use to authenticate to the service. The service ticket is encrypted with the service key shared between the KDC and the application server.

Step 6. The application server authenticates the client using the service key present in the keytab file. It decrypts the service ticket using the service key and extracts the session key. Using the session key, the server decrypts the authenticator and verifies the identity of the user. It also verifies that the user's service ticket has not expired. If the user does not have a valid service ticket, the server returns an appropriate error code to the client.

Step 7. (Optional) At the client's request, the application server can also return the timestamp sent by the client, encrypted in the session key. This ensures mutual authentication between the client and the server.
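The seven steps above, as an added toy model that is not part of the HP guide and is not a Kerberos implementation: the realm EXAMPLE.COM, the principal alice, the service host/app.example.com and the HMAC-based seal/unseal cipher are all constructed stand-ins, and the KDC, client and application server run in one process so that each message can be checked against the step it belongs to.

```python
import hashlib, hmac, json, os, time

REALM, LIFETIME, SKEW = "EXAMPLE.COM", 8 * 3600, 300   # constructed realm; ticket life and clock skew (s)
fresh = lambda ts: abs(time.time() - ts) <= SKEW
def string_to_key(password, salt):
    # Stand-in for Kerberos string-to-key: client and KDC derive the same key, so the password never crosses the wire
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
def _xor(key, nonce, data):   # HMAC-SHA256 keystream XORed over data
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, obj):   # toy authenticated encryption standing in for a Kerberos enctype
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def as_exchange(db, req):
    # Step 2 (AS): the pre-authentication data opens only under the user's key, so decrypting
    # it proves the requester knows the password. The TGT itself is sealed under the TGS key.
    ukey = db[req["client"]]
    if not fresh(unseal(ukey, req["preauth"])["timestamp"]):
        raise ValueError("stale pre-authentication timestamp")
    skey, exp = os.urandom(32).hex(), int(time.time()) + LIFETIME
    tgt = seal(db["krbtgt/" + REALM], {"client": req["client"], "session_key": skey, "expires": exp})
    rep = {"session_key": skey, "server": req["server"], "nonce": req["nonce"], "expires": exp}
    return {"tgt": tgt, "enc_part": seal(ukey, rep)}
def tgs_exchange(db, req):
    # Steps 4-5 (TGS): open the TGT with the TGS key, check the authenticator under the TGT
    # session key, then mint a service ticket sealed under the target service's key.
    tgt = unseal(db["krbtgt/" + REALM], req["tgt"])
    auth = unseal(bytes.fromhex(tgt["session_key"]), req["authenticator"])
    if tgt["expires"] < time.time() or auth["client"] != tgt["client"] or not fresh(auth["timestamp"]):
        raise ValueError("TGT expired or authenticator invalid")
    skey, exp = os.urandom(32).hex(), int(time.time()) + LIFETIME
    ticket = seal(db[req["server"]], {"client": tgt["client"], "session_key": skey, "expires": exp})
    rep = {"session_key": skey, "server": req["server"], "nonce": req["nonce"]}
    return {"ticket": ticket, "enc_part": seal(bytes.fromhex(tgt["session_key"]), rep)}
def kinit(db, principal, password):
    # Steps 1 and 3 (client): request a TGT from the AS, then cache it with its session key.
    ukey, nonce = string_to_key(password, REALM + principal), os.urandom(8).hex()
    rep = as_exchange(db, {"client": principal, "server": "krbtgt/" + REALM, "nonce": nonce,
                           "preauth": seal(ukey, {"timestamp": int(time.time())})})
    enc = unseal(ukey, rep["enc_part"])
    if enc["nonce"] != nonce:
        raise ValueError("AS reply does not match the request")
    return {"client": principal, "tgt": rep["tgt"], "session_key": bytes.fromhex(enc["session_key"])}
def get_service_ticket(db, cache, server):
    # Step 4 (client): present the cached TGT plus a fresh authenticator to the TGS.
    nonce = os.urandom(8).hex()
    auth = seal(cache["session_key"], {"client": cache["client"], "timestamp": int(time.time())})
    rep = tgs_exchange(db, {"tgt": cache["tgt"], "server": server, "nonce": nonce, "authenticator": auth})
    enc = unseal(cache["session_key"], rep["enc_part"])
    return {"ticket": rep["ticket"], "session_key": bytes.fromhex(enc["session_key"])}
def app_server_accept(service_key, ticket, authenticator):
    # Steps 6-7 (application server): needs only its own keytab key, never the user's password.
    # Returns the authenticated client name and the optional mutual-authentication reply.
    tkt = unseal(service_key, ticket)
    skey = bytes.fromhex(tkt["session_key"])
    auth = unseal(skey, authenticator)
    if tkt["expires"] < time.time() or auth["client"] != tkt["client"] or not fresh(auth["timestamp"]):
        raise ValueError("service ticket expired or authenticator rejected")
    return tkt["client"], seal(skey, {"timestamp": auth["timestamp"]})

def rejected(fn):   # True when the action fails an integrity or freshness check
    try: fn()
    except ValueError: return True
    return False
def demo():
    # Full exchange with constructed principals; returns the properties the guide lists.
    user, password, service = "alice", "correct horse", "host/app.example.com"
    svc_key = os.urandom(32)   # the key a real application server would read from its keytab
    db = {user: string_to_key(password, REALM + user), "krbtgt/" + REALM: os.urandom(32), service: svc_key}
    cache = kinit(db, user, password)
    st = get_service_ticket(db, cache, service)
    ts = int(time.time())
    who, reply = app_server_accept(svc_key, st["ticket"], seal(st["session_key"], {"client": user, "timestamp": ts}))
    return {"authenticated_as": who,
            "mutual_ok": unseal(st["session_key"], reply)["timestamp"] == ts,
            "client_can_read_tgt": not rejected(lambda: unseal(cache["session_key"], cache["tgt"])),
            "wrong_password_rejected": rejected(lambda: kinit(db, user, "wrong"))}
```

demo() reports the properties the steps promise: the application server needs only its keytab key and never sees the password, the client holds a TGT it cannot open, and a wrong password fails at pre-authentication before any TGT is issued.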
Kerberos Products and GSS-API on HP-UX
HP-UX supports Kerberos products with a set of three software packages and the Generic Security Service Application Programming Interface (GSS-API) for HP-UX 11.0 onwards. These products are:
• PAM Kerberos (PAM-Kerberos)
• Kerberos Client Software
• Kerberos Server
• GSS-API
Application programmers can create “Kerberized” applications using either the GSS-APIs or the Kerberos APIs. However, HP recommends that GSS-APIs be used for application development. HP provides the following Kerberized applications through Secure Internet Services (SIS): ftp, rcp, remsh, rlogin, and telnet.

NOTE: SIS is available on HP-UX 11.0 and HP-UX 11i v1 only. From HP-UX 11i v2 onwards, all these applications directly link to libkrb5.

The HP-UX Kerberos-related products and GSS-API are:
• PAM Kerberos (PAM-Kerberos): the Kerberos implementation of the PAM Framework, based on Open Group RFC 86.0. PAM allows multiple authentication technologies to co-exist on HP-UX.
• Kerberos Client Software: includes libraries, header files and utilities for implementing Kerberized client/server applications in either a 32-bit or 64-bit development environment. The client libraries are based on the MIT Kerberos V5 1.1.1 release. The KRB5-Client libraries support DES encryption as specified in IETF RFC 1510.

NOTE: On HP-UX 11i v3, the KRB5-Client libraries are based on the MIT Kerberos V5 1.3.5 release. These KRB5-Client libraries support the DES, AES, 3DES and RC4 encryption types.

The Kerberos Client utilities are as follows:
• kinit, klist, and kdestroy to manage credentials
• kpasswd to change Kerberos passwords
• ktutil to maintain keytab files
• kvno to display the Kerberos key version number of the principals
• Kerberos Server Version 3.12: the current version of the Kerberos server supersedes the earlier MIT-based Kerberos server (version 1.0) on HP-UX 11i. The Kerberos Server is based on a distributed client-server architecture. It ensures secure communication in a networked environment by leveraging individual trust relationships. It then brokers that trust across enterprise-wide, distributed client-server networks.
• GSS-API: an interface for secure client-server application programming. The GSS-API also provides authentication, integrity, and confidentiality services to the calling applications.
• SIS: built-in support for secure Internet services such as the ftp, rcp, rlogin, telnet and remsh utilities. When secure Internet services are enabled, these commands use Kerberos for authentication without sending passwords in clear text over the network.