Installing and Administering Internet Services

Chapter 11 357
Secure Internet Services
Configuration and Kerberos Version Interoperability Requirements
The V5 Beta 4 configuration file, realms file, and keytab file must
exist, and the V5-1.0 configuration file and keytab file must exist, as
explained in “Beginning with HP-UX 11.0” on page 354.
• A $HOME/.k5login file must exist in each login user’s home
directory.
This file must be owned by the login user, and only the login user can
have write permission.
This file lists the user principals and their associated realm or cell
names that have access permission to the login user’s account. The
user principals are for the user that originally performed the kinit,
dce_login, or dess_login command. The term “login user” refers
to the user whose account is being accessed on the remote host. This
is not necessarily the same user who originally issued the kinit,
dce_login, or dess_login command.
Assume amy has already issued the kinit command. In this
example, amy enters the following:
$ rlogin hostA -l robert
In this example, robert is the login user, and amy must have an
entry in robert’s $HOME/.k5login file on the application server
(hostA).
Alternatively, the client can use an authorization name database file
called /krb5/aname. An entry in this file will authorize a user
principal name to the specified login name. A tool for the
administration of an aname file is not provided by DCE or P/SS.
For the Secure Internet Services, login is allowed even without
entries in the login user’s $HOME/.k5login file or the aname
database, provided that the login user’s name matches the user
name in the user principal, and that the Kerberos realm of the
client matches the default realm of the application server.
The login user must have an entry in the /etc/passwd file on the
application server.
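
The following is an added example, not code from HP-UX or from this manual: a Python model of the authorization decision described above, usable as an audit check on $HOME/.k5login files. The function names, the EXAMPLE.COM realm, the rejection of an unsafe file, and treating a missing file as "no entries" are assumptions; the /krb5/aname database and the /etc/passwd lookup are left out.

```python
import os
import stat
import tempfile

def k5login_problems(path, owner_uid):
    """Return the reasons a .k5login breaks the ownership/write rule."""
    st = os.lstat(path)  # lstat: a symlink must not satisfy the check
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != owner_uid:
        problems.append("not owned by the login user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    return problems

def may_login(principal, login_user, home, owner_uid, default_realm):
    """Model the decision in the text; returns (allowed, reason)."""
    path = os.path.join(home, ".k5login")
    if os.path.lexists(path):
        problems = k5login_problems(path, owner_uid)
        if problems:  # assumption: an unsafe file is rejected outright
            return False, ".k5login rejected: " + ", ".join(problems)
        with open(path) as fh:
            listed = {line.strip() for line in fh if line.strip()}
        if principal in listed:
            return True, "principal listed in .k5login"
    # Fallback from the text: same user name and the server's default realm.
    name, _, realm = principal.rpartition("@")
    if name == login_user and realm == default_realm:
        return True, "principal name and realm match"
    return False, "no .k5login entry and no name/realm match"

if __name__ == "__main__":
    # Constructed sample: robert's home with amy authorized, as in the rlogin case.
    with tempfile.TemporaryDirectory() as home:
        k5 = os.path.join(home, ".k5login")
        with open(k5, "w") as fh:
            fh.write("amy@EXAMPLE.COM\n")
        os.chmod(k5, 0o600)
        uid = os.getuid()
        for who in ("amy@EXAMPLE.COM", "robert@EXAMPLE.COM", "eve@EXAMPLE.COM"):
            print(who, may_login(who, "robert", home, uid, "EXAMPLE.COM"))
        os.chmod(k5, 0o666)  # group/other write bit set
        print(may_login("amy@EXAMPLE.COM", "robert", home, uid, "EXAMPLE.COM"))
```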