Installing and Administering Internet Services

Chapter 11: Secure Internet Services (page 368)
Using the Secure Internet Services
Bypassing and Enforcing Kerberos Authentication
Depending on how certain options are used with these services, the
Secure Internet Services clients can still connect to non-secure
remote hosts, and the daemons can still accept requests from
non-secure clients.

To reach a non-secure remote system on the network, a user gives the
-P option on the client command line, which bypasses Kerberos
authentication. If the remote host then asks for a password, that
password crosses the network in readable (cleartext) form.

To prevent remote users from gaining access in a non-secure manner,
administrators can enforce Kerberos authentication. For ftpd and
telnetd, invoke the daemons with the -A option so that they refuse
non-secure clients. For remshd and rlogind, comment out the shell
and login entries in the /etc/inetd.conf file. Once these steps have
been taken, a client cannot use the -P option to bypass
authentication.
CAUTION: If the shell line is commented out, the rdist command will no
longer work.
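The enforcement steps described above (invoking ftpd and telnetd with -A, commenting out the shell and login entries in /etc/inetd.conf), worked through as an added shell example that is not part of the HP-UX manual. The script audits a constructed inetd.conf fragment for the state in which non-secure clients can still connect, then writes a hardened copy and audits that too. The inetd.conf field layout, the daemon paths under /usr/lbin and the file contents are assumptions constructed for the example, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual: audit and harden an inetd.conf
# fragment so that clients cannot use -P to bypass Kerberos authentication.
# The sample file below is constructed; paths and field layout are assumed.

SAMPLE_CONF="${TMPDIR:-/tmp}/inetd_sample_$$"
HARDENED_CONF="${TMPDIR:-/tmp}/inetd_hardened_$$"
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
# constructed inetd.conf fragment (assumed HP-UX layout)
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell   stream tcp nowait root /usr/lbin/remshd  remshd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
EOF

# audit_inetd FILE: print one finding per line for each service that still
# admits non-secure clients; exit 0 if nothing was found, 1 otherwise.
audit_inetd() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # commented-out or blank entry
        {
            svc = $1
            # field 7 is the daemon argv[0]; its options start at field 8
            args = ""
            for (i = 8; i <= NF; i++) args = args " " $i
            if (svc == "ftp" || svc == "telnet") {
                if (args !~ /(^| )-A( |$)/) {
                    print svc ": daemon not invoked with -A; clients can use -P to bypass Kerberos"
                    bad = 1
                }
            } else if (svc == "shell" || svc == "login") {
                print svc ": entry active; remshd/rlogind will accept non-secure clients"
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# harden_inetd IN OUT: copy IN to OUT, appending -A to the ftp and telnet
# daemon invocations and commenting out the shell and login entries.
# Commenting out shell also disables rdist, as the manual cautions.
harden_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        $1 == "ftp" || $1 == "telnet" {
            found = 0
            for (i = 8; i <= NF; i++) if ($i == "-A") found = 1
            if (!found) $0 = $0 " -A"
            print; next
        }
        $1 == "shell" || $1 == "login" { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# is_enforced FILE: 0 if the audit finds nothing, 1 otherwise (quiet form)
is_enforced() { audit_inetd "$1" >/dev/null; }

harden_inetd "$SAMPLE_CONF" "$HARDENED_CONF"

if is_enforced "$SAMPLE_CONF";   then BEFORE=0; else BEFORE=1; fi
if is_enforced "$HARDENED_CONF"; then AFTER=0;  else AFTER=1;  fi

echo "== findings in the original fragment =="
audit_inetd "$SAMPLE_CONF" || true
echo "== hardened fragment (audit rc=$AFTER, original rc=$BEFORE) =="
cat "$HARDENED_CONF"
```

On a real system the hardened output would replace /etc/inetd.conf and inetd would be told to re-read its configuration; the audit only checks for the literal -A option and for active shell and login entries, which is exactly the condition the manual gives for the -P bypass being closed, and it says nothing about whether the Kerberos configuration behind those daemons is itself correct.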
Other Comments on Using the Secure Internet Services
There is no change to the way in which anonymous users are handled
when using ftp with the Secure Internet Services mechanism
enabled. However, in secure environments, it serves no purpose to
authenticate or authorize an anonymous user. An anonymous user
does not have a password to protect, and any data accessible through
an ftp account has been made publicly available. Therefore, it does
not make sense to add an anonymous user to the KDC’s database. To
access a secure system anonymously, use the -P option ftp provides.
This approach requires that ftpd was not invoked with the -A option
on the remote host.
When the Secure Internet Services mechanism is enabled, rlogin,
remsh, and rcp are affected as follows: