Installing and Administering Internet Services

Chapter 11 347
Secure Internet Services
Overview of the Secure Environment and the Kerberos V5 Protocol
First, the KDC’s forwardable ticket option must be enabled. For Kerberos
V5 KDCs, use the kadmin command. For the HP DCE Security Service
and the HP P/SS, use the dcecp command to set the forwardabletkt
account attribute.
Second, kinit must be invoked with the forwardable flag set (-f). If the
-f option is specified when kinit is run, the TGT for the local system
can be forwarded to the remote system. Then clients do not need to
re-authenticate themselves from the remote system to the KDC.
HP DCE clients can use dce_login -f to enable forwarding. However,
HP P/SS clients must use kinit -f to enable forwarding because the
dess_login utility does not have an option for ticket attributes.
Provided these two flags are enabled, the forwarding options of rlogin,
remsh, and telnet can take effect. For the remsh, rlogin, or telnet
client that invokes the -f option, the TGT is forwarded to only one
remote system (one free hop). For the remsh, rlogin, or telnet client
that invokes the -F option, it is possible to keep forwarding the TGT
(potentially n free hops).
Multiple free hops are possible because using the -F option leaves the
forwardable attribute enabled in the forwarded TGT ticket, whereas
using the -f option does not. So, the client can forward the TGT to an
unlimited number of remote systems if the -F option is used every time.
Once the -f option is used, the forwarding chain stops at the next node.
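To make the hop semantics concrete, the following is an added model (written for this page, not HP's or MIT's code) of how the forwardable and forwarded attributes travel with a TGT. It assumes a principal, hostnames and a realm that are purely constructed, and it encodes exactly the two rules stated above: a forwarded copy made with -F keeps the forwardable attribute, a copy made with -f clears it, and a ticket that is not forwardable cannot be forwarded further. The flag letters follow the klist -f convention in MIT-derived Kerberos tools (F = forwardable, f = forwarded), which is also the check an administrator would run on each hop to see how far a chain can still go.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed model of a Kerberos V5 TGT and its forwarding attributes.
# Not HP's or MIT's code; hosts, principal and realm below are made up.


@dataclass(frozen=True)
class TGT:
    principal: str
    host: str          # system whose credential cache holds this copy
    forwardable: bool  # klist flag "F": a forwarded copy may be requested
    forwarded: bool    # klist flag "f": this copy was obtained by forwarding

    def flags(self) -> str:
        """Render the two attributes the way klist -f would show them."""
        return ("F" if self.forwardable else "") + ("f" if self.forwarded else "")


def kinit(principal: str, host: str, kinit_f: bool, kdc_forwardable: bool) -> TGT:
    """Initial TGT. It is forwardable only if BOTH prerequisites hold:
    the KDC/account allows forwardable tickets AND kinit was run with -f."""
    return TGT(principal, host, forwardable=(kinit_f and kdc_forwardable),
               forwarded=False)


def forward(tgt: TGT, to_host: str, option: str) -> TGT:
    """Model of rlogin/remsh/telnet -f or -F from tgt.host to to_host.
    -f: forwarded copy has forwardable cleared (one free hop).
    -F: forwarded copy keeps forwardable (chain may continue)."""
    if option not in ("-f", "-F"):
        raise ValueError(f"unknown forwarding option {option!r}")
    if not tgt.forwardable:
        raise PermissionError(
            f"TGT on {tgt.host} is not forwardable; {option} to {to_host} refused")
    return TGT(tgt.principal, to_host,
               forwardable=(option == "-F"), forwarded=True)


def forwarding_chain(initial: TGT, hops: Sequence[Tuple[str, str]]) -> List[TGT]:
    """Apply (option, host) hops in order and return every ticket copy created.
    Stops at the first hop the model refuses, which is the point where the
    chain of free hops ends."""
    chain = [initial]
    for option, host in hops:
        try:
            chain.append(forward(chain[-1], host, option))
        except PermissionError:
            break
    return chain


if __name__ == "__main__":
    # Constructed scenario: two -F hops, then one -f hop, then an attempt to go on.
    start = kinit("user@EXAMPLE.COM", "hostA", kinit_f=True, kdc_forwardable=True)
    hops = [("-F", "hostB"), ("-F", "hostC"), ("-f", "hostD"), ("-F", "hostE")]
    for t in forwarding_chain(start, hops):
        print(f"{t.host:6} flags={t.flags():2}")
    # hostE never receives a ticket: the -f hop to hostD ended the chain.
```

Reading the output top to bottom shows the exposure surface of a forwarding chain: every host listed holds a usable copy of the user's TGT, and only the copies still carrying "F" can extend the chain. The same reasoning applies when auditing real caches with klist -f on each host.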
If the Kerberos V5 credentials are forwarded to a DCE client, they will be
promoted to DCE credentials. This will allow the user to run DCE
applications on the remote host. The k5dcelogin utility, which is
invoked by rlogind/remshd and telnetd on the remote host, converts
the Kerberos V5 credentials to DCE credentials without prompting for a
password. See the man page for k5dcelogin(8sec) for syntax
information.
API (Application Program Interface)
The Secure Internet Services mechanism for rcp/remshd,
remsh/remshd, rlogin/rlogind, and telnet/telnetd uses the
Kerberos V5 Release 1.0 API.
The Secure Internet Services mechanism for ftp/ftpd uses the
GSS-API (Generic Security Service Application Program Interface)
Version 1. The GSS-API separates application logic from a given security
mechanism.