Using the Secure TCP (Kerberized) utilities
This release includes Secure TCP versions (providing Kerberos Version 5 authentication) of the following client utilities and server daemons:
---------------------------------------------------------------
Client utilities          Server daemon
---------------------------------------------------------------
ftp(TC)                   ftpd(ADMN)
rcmd(TC) and rcp(TC)      rshd(ADMN)
rlogin(TC)                rlogind(ADMN)
telnet(TC)                telnetd(ADMN)
---------------------------------------------------------------
You can use these utilities and daemons in a Kerberos Version 5 realm or DCE cell to provide authenticated TCP/IP services as described below.
To use these utilities with Kerberos Version 5 authentication, you must first define the users (interactive principals) and host systems (machine principals) on the Security Server(s) for the Kerberos realm or DCE cell where they are to operate:
Interactive principals may be added directly to the /.:/sec/principal hierarchy. Create passwords in the account properties of all new principals.
Before a user can use the Secure TCP utilities, they must obtain Kerberos session credentials. Because the current versions of login(M) and scologin(XC) do not support Kerberos authenticated login, there are two alternative methods by which a user may obtain these credentials:
Log in locally using unauthenticated login and then obtain session credentials using kinit(TC). The kinit command authenticates the user's session with the Security Server and obtains a Ticket Granting Ticket for the session, provided the user can supply the correct password for their interactive principal name. To monitor their credentials, the user must run the ksession(TC) command, which warns when the credentials are about to expire. The user can also use the klist(TC) command to view their credentials and their expiry date.
To avoid the possibility that passwords can be transmitted in clear text, root can use the ktadd(ADMN) command to create user keys on the various machines that different users are allowed to access. Alternatively, a user can use ktadd to create a user key on each of the machines that they need to use.
For example, to obtain a user key for the interactive principal chuck with password ``clydenw'' for the cell local_cell, enter the following commands:
ktadd -p chuck@local_cell -pw clydenw -f ~chuck/.v5srvtab
chmod 600 ~chuck/.v5srvtab
This creates a private key table .v5srvtab for chuck in their home directory and changes its permissions so only chuck and root can read from or write to this file. (Note that this example assumes that the shell being used is either ksh or csh.)
To use their private key table when obtaining session credentials, the user calls kinit from their .profile or .login file. This example also shows ksession being run to monitor chuck's credentials:
kinit -k -t ~chuck/.v5srvtab
ksession
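The private key table stands in for the user's password, so it is worth confirming that it is still private each time it is used. The following is an added example, not part of the SCO documentation: sh/ksh functions for .profile that check the key table's type, owner and mode before calling kinit -k -t. The function names keytab_is_private and secure_kinit are hypothetical, and the check assumes the key table is owned by the user who runs it and that find, id and dirname behave as POSIX specifies.

```shell
# Added example, not from the SCO documentation. Function names are
# hypothetical; kinit -k -t and ksession are used as shown on this page.

# Succeed only if the key table is a regular file (not a symlink) owned by
# the current user with mode 600 or 400, in a directory that group and
# other cannot write to (otherwise the file could be swapped out).
keytab_is_private() {
    kt_path=$1
    kt_dir=$(dirname "$kt_path")
    file_ok=$(find "$kt_path" -prune -type f -user "$(id -u)" \
                   \( -perm 600 -o -perm 400 \) -print 2>/dev/null)
    dir_ok=$(find "$kt_dir" -prune -type d ! -perm -020 ! -perm -002 \
                  -print 2>/dev/null)
    [ -n "$file_ok" ] && [ -n "$dir_ok" ]
}

# Obtain session credentials from the key table, but only after the check.
# Assumption: the key table defaults to $HOME/.v5srvtab as in the example.
secure_kinit() {
    kt_file=${1:-$HOME/.v5srvtab}
    if keytab_is_private "$kt_file"; then
        kinit -k -t "$kt_file"
    else
        echo "key table $kt_file is missing or not private; not running kinit" >&2
        return 1
    fi
}

# In .profile, in place of the bare kinit call:
#   secure_kinit "$HOME/.v5srvtab" && ksession
```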
For more information about using the SCO Security Services, see the SCO Security Services Release and Installation Notes. For more information about using the SCO DCE Executive, see the SCO DCE Executive Release and Installation Notes.