Installing and Administering Internet Services

Chapter 11 341
Secure Internet Services
Overview of the Secure Environment and the Kerberos V5 Protocol
Application server (D in Figure 11-1): A Secure Internet Services
daemon (ftpd, remshd, rlogind, or telnetd).
Security client runtime (B in Figure 11-1): A Kerberos command
(kinit, klist, or kdestroy).
Security clients communicate with the security server for authentication.
Note that none of the components of the Kerberos environment are
restricted to run on a specific type of system. This means that security
clients can run on the same node as the KDC, if you wish. For example,
the security server (KDC), security client runtime (kinit), the
application client (ftp), and application server (ftpd) could all be
running on the same physical system.
A Simplified Description of the Kerberos V5 Protocol
The following steps refer to the arrows in Figure 11-1.
1. Users must first obtain credentials for themselves from a portion of
the KDC called the Authentication Service (AS). The AS is the
portion of the KDC that verifies the authenticity of a principal. Users
must issue the kinit command which then calls the AS. HP DCE
users would generally use the dce_login command instead of the
kinit command, and HP P/SS users would use the dess_login
command.
2. Once the AS finds an entry for the user principal, it issues encrypted
credentials back to the client. The client will need these credentials to
successfully run the Secure Internet Services. The credentials consist
of a ticket, called the ticket granting ticket (TGT), and a
temporary encryption key, often called the session key. The session
key is shared between the client and the KDC's ticket-granting service
and is used to authenticate the client when it later asks for service
tickets. A copy of the session key is carried inside the TGT, which is
encrypted in the KDC's own key, so the client can present the TGT but
cannot read or alter it. The client's own copy of the session key is
encrypted in the user's secret key, which is derived from the user's
password, so only a user who knows the password can use the reply. Both
the TGT and the session key are typically valid for a login session. The
user must obtain a TGT before running the Secure Internet Services.
All the user has to do up to this point is issue the kinit, dce_login,
or dess_login command. The TGT and session key are
automatically kept for the user in a temporary credentials cache file.
The user does not need to explicitly do anything with them. However,
at the end of the session, or when the credentials are no longer
needed, we recommend that the user destroy the credentials by using
a Kerberos utility called kdestroy.
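The following is an added example, not code from this manual or from HP's Kerberos implementation. It models steps 1 and 2 above as a two-party exchange: a toy KDC with an Authentication Service, a client-side kinit that derives the user's key from the password and unlocks the AS reply, a klist that lists the cache, and a kdestroy that clears it. The realm EXAMPLE.COM, the principal names, the PBKDF2 string-to-key function and the HMAC-based seal/unseal routines are all assumptions made for the example; real Kerberos uses enctype-specific functions (RFC 3961), not these.

```python
"""Toy model of the Kerberos V5 AS exchange: kinit -> AS -> TGT + session key.
Added example; the crypto here stands in for Kerberos enctypes and is NOT RFC 3961."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def string_to_key(password: str, principal: str) -> bytes:
    """Derive a principal's long-term key from its password (assumption: PBKDF2, salt = principal name)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (same op encrypts and decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: encrypt-then-MAC with HMAC-SHA256."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor_keystream(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _xor_keystream(key, nonce, ciphertext)


class KDC:
    """The Authentication Service (AS) portion of a KDC for one realm."""

    def __init__(self, realm: str, ticket_life: int = 8 * 3600):
        self.tgs_name = f"krbtgt/{realm}@{realm}"
        self.ticket_life = ticket_life
        # Principal database: name -> long-term key. The krbtgt key is random and never
        # leaves the KDC; that is what keeps the TGT opaque to the client.
        self.db = {self.tgs_name: os.urandom(32)}

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, name)

    def as_exchange(self, cname: str) -> dict:
        """AS-REQ in, AS-REP out. The AS only checks that the principal exists (no pre-authentication)."""
        if cname not in self.db:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        session_key = os.urandom(32)
        endtime = int(time.time()) + self.ticket_life
        # The TGT carries a copy of the session key and is sealed under krbtgt's key.
        ticket = seal(self.db[self.tgs_name], json.dumps(
            {"cname": cname, "key": session_key.hex(), "endtime": endtime}).encode())
        # The client's copy of the session key is sealed under the client's long-term key.
        enc_part = seal(self.db[cname], json.dumps(
            {"sname": self.tgs_name, "key": session_key.hex(), "endtime": endtime}).encode())
        return {"cname": cname, "ticket": ticket, "enc_part": enc_part}

    def open_ticket(self, ticket: bytes) -> dict:
        """What the ticket-granting service does later: open the TGT with krbtgt's key."""
        return json.loads(unseal(self.db[self.tgs_name], ticket))


def kinit(kdc: KDC, principal: str, password: str, ccache: dict) -> dict:
    """Client side of kinit: request credentials, unlock them with the password, cache them."""
    rep = kdc.as_exchange(principal)
    try:
        enc_part = json.loads(unseal(string_to_key(password, principal), rep["enc_part"]))
    except ValueError:
        raise PermissionError("kinit: Password incorrect") from None
    ccache.clear()
    ccache.update({"principal": principal, "tgt": rep["ticket"], "sname": enc_part["sname"],
                   "session_key": bytes.fromhex(enc_part["key"]), "endtime": enc_part["endtime"]})
    return ccache


def klist(ccache: dict) -> list:
    """Like klist: describe the cached ticket without revealing the session key."""
    if not ccache:
        return []
    return [f"{ccache['sname']} for {ccache['principal']} (expires {time.ctime(ccache['endtime'])})"]


def kdestroy(ccache: dict) -> None:
    """Like kdestroy: wipe the credentials cache."""
    ccache.clear()


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice@EXAMPLE.COM", "correct horse battery")  # constructed principal
    cache = {}
    kinit(kdc, "alice@EXAMPLE.COM", "correct horse battery", cache)
    print(klist(cache))
    kdestroy(cache)
    print(klist(cache))
```

Two points the model makes visible: the client can hand the TGT back to the KDC but cannot open it (unseal with the user's key fails the integrity check), and a wrong password is detected only on the client, when the reply's enc-part fails to decrypt. That second point is also the caveat: because this AS, like early Kerberos V5 without pre-authentication, returns an encrypted reply to anyone who names a valid principal, an attacker can collect replies and guess passwords offline; production KDCs should require pre-authentication. The cache is a dict here; in a real deployment it is a file, which is why the text recommends kdestroy when the session ends.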