Installing and Administering Internet Services

346 Chapter 11
Secure Internet Services
Overview of the Secure Environment and the Kerberos V5 Protocol
$ ftp hostA
Connected to hostA
Name (hostA:david): susan
In this example, susan is the login user.
Both of the following requirements must be met for authorization to
succeed:
• The login user must have an entry in the /etc/passwd file on the
  host where the application server is running.
• One of the following three conditions must be met:
  • A $HOME/.k5login file must exist in the login user's home
    directory on the application server and contain an entry for the
    authenticated user principal. This file must be owned by the login
    user, and only the login user can have write permission.
  • An authorization name database file called /krb5/aname must
    exist on the application server and contain a mapping of the user
    principal to the login user.
  • The user name in the user principal must be the same as the login
    user name, and the client and server systems must be in the same
    realm.
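The two-level check described above, as an added example that is not from the HP-UX manual or its Kerberos implementation: a Python model of the decision for a given authenticated principal and requested login user. The realm name, user names, .k5login contents and the dict form of the /krb5/aname mapping are constructed assumptions; the real aname file format is not shown on this page.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class K5Login:
    """Constructed model of a $HOME/.k5login file on the application server."""
    owner: str            # login name of the file's owner
    mode: int             # permission bits, st_mode style
    entries: frozenset    # principals listed in the file, one per line


def split_principal(principal):
    """'user/instance@REALM' -> (user, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/", 1)[0], realm


def authorize(principal, login_user, passwd_users, server_realm,
              k5login=None, aname=None):
    """Return (allowed, reason) for a principal asking to log in as login_user.

    passwd_users: login names present in the server's /etc/passwd
    aname: dict mapping principal -> login user (models /krb5/aname)
    """
    # First requirement: the login user must exist on the application server.
    if login_user not in passwd_users:
        return False, "login user has no /etc/passwd entry"
    user, realm = split_principal(principal)
    # Condition 1: a .k5login owned by the login user, writable only by that
    # user, lists the principal. A file failing the ownership or mode test is
    # ignored rather than trusted.
    if (k5login is not None and k5login.owner == login_user
            and not k5login.mode & (stat.S_IWGRP | stat.S_IWOTH)
            and principal in k5login.entries):
        return True, ".k5login"
    # Condition 2: the aname database maps the principal to the login user.
    if aname is not None and aname.get(principal) == login_user:
        return True, "aname"
    # Condition 3: same user name and the client realm equals the server realm.
    if user == login_user and realm == server_realm:
        return True, "same name and realm"
    return False, "no authorization rule matched"


if __name__ == "__main__":
    k5 = K5Login("susan", 0o644, frozenset({"david@EXAMPLE.COM"}))
    print(authorize("david@EXAMPLE.COM", "susan", {"david", "susan"},
                    "EXAMPLE.COM", k5login=k5))
```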
Forwarded/Forwardable Tickets
When a user obtains service ticket credentials, they are for a remote
system. However, the user might want to use a secure service to access a
remote system and then run a secure service from that remote system to
a second remote system. This would require possession of a valid TGT on
the first remote system. However, running kinit on the first remote
system to obtain a TGT would cause the user's password to be
transmitted in a readable form over the network.
To avoid this problem, Kerberos provides the option to create TGTs with
special attributes allowing them to be forwarded to remote systems
within the realm.
The Secure Internet Services clients which offer TGT forwarding options
(-f, -F) are remsh, rlogin, and telnet. However, before these options
can be recognized, two prerequisite flags must be enabled.