Installing and Administering Internet Services
Chapter 11 367
Secure Internet Services
Using the Secure Internet Services
Using the Secure Internet Services
Some things you, as network or system administrator, should be aware
of, regarding how end users might use the Secure Internet Services, are
described in the paragraphs below.
Overview of the User’s Session
• Users must issue a kinit (for HP DCE clients, a dce_login, or for
HP P/SS clients, a dess_login) command so that they get a TGT
from the KDC (for example, kinit amy@realm1.com). The TGT
credentials received from the kinit (or dce_login or dess_login)
will typically be valid for a default lifetime. The kinit(1) man page
describes TGT lifetime and renewable options.
For more information, refer to the kinit(1), dce_login(1), and
dess_login(1) man pages.
• Once users have obtained a TGT, they can use the Secure Internet
Services throughout the time period that their TGT is valid. The
lifetime of a TGT is configurable and is typically eight hours.
The only visible difference when using the Internet Services with the
Secure Internet Services mechanism enabled is that users are not
prompted for a password. For information on Kerberos concepts, refer
to “Overview of the Secure Environment and the Kerberos V5
Protocol” on page 339 of this chapter.
The klist command is one of the Kerberos utilities users may want
to use during their secure session. This command will display their
accumulated credentials. For more information, refer to the klist(1)
man page.
• When users are finished for the day (or secure session), they should
issue the kdestroy command to remove the credentials they have
accumulated during their session. These credentials are not
automatically removed when they exit a shell or log out of their
session. So, we strongly recommended that they issue this command
so that any credentials they accumulated are not susceptible to
misuse from intruders. For more information refer to the
kdestroy(1) man page.