Installing and Administering Internet Services

Chapter 11 345
Secure Internet Services
Overview of the Secure Environment and the Kerberos V5 Protocol
Kerberos: susan@MYREALM.COM
HP DCE: /.../my_kdc_cell/susan
HP P/SS: /.../my_domain/susan
Service Principal Names. A service principal name is a principal
name that authorizes an application server to use a particular service.
For ftp, the service principal name is ftp (as a first choice) or host (as
an acceptable second choice). Note that the actual name is host; it is a
literal component, not a placeholder to be replaced by a host name.
For rcp, remsh, rlogin, and telnet, the service principal name is
host.
Some examples of service principal names for telnetd are the following:
Kerberos: host/abc.com@REALM_A.COM.
In this example, the system is abc.com, and the realm is
REALM_A.COM.
HP DCE: /.../cell_a.com/host/abc.com
This example uses cell_a.com instead of REALM_A.COM (as used in
the first example).
HP P/SS: /.../domain_a.com/host/abc.com
This example uses domain_a.com instead of REALM_A.COM (as used
in the first example).
Authorization
Authorization is the process of verifying that a user is permitted to
access a remote account on a specified server. Authorization depends on
successful user principal validation through the Kerberos V5
authentication protocol described earlier in this section.
For authorization to succeed, a mapping must exist at the application
server authorizing the user principal to operate as the login user. The
term “login user” refers to the user whose account is being accessed on
the remote host. This is not necessarily the same user who originally
issued the kinit, dce_login, or dess_login command.
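The following is an added worked example, not code from the manual or from the HP secure Internet services themselves. It pulls together the two points above: it parses user and service principal names in the Kerberos form and in the /.../ form shared by HP DCE and HP P/SS, checks whether a service principal is one that telnetd, ftpd, rcp, remsh, or rlogin would accept for a given host, and then models the authorization step as a lookup in a mapping from user principal to login user. The mapping table, the user names, and the function names are constructed for illustration; they do not describe the actual mapping file or API used by the product.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Principal:
    form: str                    # "kerberos", or "cds" for the /.../ form (HP DCE and HP P/SS)
    domain: str                  # Kerberos realm, DCE cell name, or P/SS domain name
    components: Tuple[str, ...]  # e.g. ("susan",) or ("host", "abc.com")


# Kerberos form: primary[/instance...]@REALM  (the realm itself may not contain "/" or "@")
_KRB_RE = re.compile(r"^([^@]+)@([^@/]+)$")


def parse_principal(name: str) -> Principal:
    """Split a principal name into its domain and its name components.

    Kerberos:      host/abc.com@REALM_A.COM
    HP DCE / P/SS: /.../cell_a.com/host/abc.com   (cell and domain forms are identical
                   syntactically, so both come back tagged "cds")
    """
    if name.startswith("/.../"):
        parts = name[len("/.../"):].split("/")
        if len(parts) < 2 or any(p == "" for p in parts):
            raise ValueError(f"malformed DCE/P/SS principal name: {name!r}")
        return Principal("cds", parts[0], tuple(parts[1:]))
    m = _KRB_RE.match(name)
    if not m:
        raise ValueError(f"malformed Kerberos principal name: {name!r}")
    comps = tuple(m.group(1).split("/"))
    if any(c == "" for c in comps):
        raise ValueError(f"empty component in principal name: {name!r}")
    return Principal("kerberos", m.group(2), comps)


def is_valid_principal(name: str) -> bool:
    """True if parse_principal accepts the name."""
    try:
        parse_principal(name)
        return True
    except ValueError:
        return False


def format_service_principal(form: str, service: str, hostname: str, domain: str) -> str:
    """Build the service principal name for a host in the requested naming form."""
    if form == "kerberos":
        return f"{service}/{hostname}@{domain}"
    if form == "cds":
        return f"/.../{domain}/{service}/{hostname}"
    raise ValueError(f"unknown principal form: {form!r}")


# Service components each secure service accepts, first choice first (as the manual states:
# ftp accepts "ftp" then "host"; rcp, remsh, rlogin and telnet accept only "host").
ACCEPTED_SERVICE_COMPONENTS: Dict[str, Tuple[str, ...]] = {
    "ftp": ("ftp", "host"),
    "rcp": ("host",),
    "remsh": ("host",),
    "rlogin": ("host",),
    "telnet": ("host",),
}


def acceptable_service_principal(p: Principal, service: str, hostname: str) -> bool:
    """True if p is a service principal the named service would accept for this host.

    Note the literal "host" component: it is a fixed string, not a placeholder for the
    host name, which appears as the second component.
    """
    if len(p.components) != 2:
        return False
    service_component, instance = p.components
    return service_component in ACCEPTED_SERVICE_COMPONENTS[service] and instance == hostname


# Constructed authorization mapping for the example: (authenticated user principal, login user)
# pairs the application server allows. The login user need not match the principal's own
# name; here susan's principal is allowed to operate as the local "operator" account.
AUTHORIZED_LOGINS: Set[Tuple[str, str]] = {
    ("david@MYREALM.COM", "david"),
    ("susan@MYREALM.COM", "operator"),
}


def authorize(principal_name: str, login_user: str,
              mapping: Set[Tuple[str, str]] = AUTHORIZED_LOGINS) -> bool:
    """Authorization step: the principal must parse and a mapping to login_user must exist."""
    if not is_valid_principal(principal_name):
        return False
    return (principal_name, login_user) in mapping


if __name__ == "__main__":
    svc = parse_principal("host/abc.com@REALM_A.COM")
    print(svc, acceptable_service_principal(svc, "telnet", "abc.com"))
    print(format_service_principal("cds", "host", "abc.com", "domain_a.com"))
    print(authorize("david@MYREALM.COM", "david"), authorize("david@MYREALM.COM", "root"))
```

The authorization lookup is deliberately exact-match on the full principal string, including the realm, cell, or domain: a mapping keyed only on the short name would let a principal from a different realm operate as the login user.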
Assume david has already issued the kinit command. In this example,
david enters the following: