Installing and Administering Internet Services

Chapter 11
Secure Internet Services
Overview of the Secure Internet Services
Network security concerns are becoming increasingly important to the
computer system user. The purpose of the Secure Internet Services is to
allow the user greater security when running these services.

When an Internet Services client connects to the server daemon, the
server daemon requests authentication. The Secure Internet Services
authenticate, or in other words validate, the identity of the client and
server to each other in a secure way. Also, with the Secure Internet
Services, users are authorized to access an account on a remote system
by the transmission of encrypted tickets rather than by using the
traditional password mechanism. The traditional password mechanism,
used with non-secure Internet Services, sends the password in a
readable form (unencrypted) over the network. This creates a security
risk from intruders who may be listening over the network.

The Secure Internet Services are meant as replacements for their
non-secure counterparts. The main benefit of running the Secure
Internet Services is that user authorization no longer requires
transmitting a password in a readable form over the network.
Authorization is the process in which servers verify what access remote
users should have on the local system.

The Secure Internet Services may only be used in conjunction with
software products that provide a Kerberos V5 Network Authentication
Services environment (for example, the HP DCE Security Service or the
Praesidium/Security Service). The network authentication mechanism
ensures that the local and remote hosts are mutually identified to each
other in a secure and trusted manner and that the user is authorized to
access the remote account.

For ftp/ftpd, rlogin/rlogind, and telnet/telnetd, the Kerberos V5
authentication involves sending encrypted tickets instead of a readable
password over the network to verify and identify the user. Although
rcp/remshd and remsh/remshd (used with a command) do not prompt
for a password, using these services with the Kerberos V5 authentication
provided when the Secure Internet Services mechanism is enabled ensures
that the user is authorized to access the remote account. (If remsh is
used with no command specified, rlogin/rlogind is invoked.)