different authentication technologies, including Kerberos. HP recommends using GSS-API in application programs wherever possible.

Secure Internet Services (SIS)

HP-UX provides built-in support for Secure Kerberized Internet services such as ftp, rcp, rlogin, telnet, and remsh. The behavior of these Kerberized applications can be modified in the /etc/krb5.conf file. They use the Kerberos ticket instead of a password to authenticate the user to the remote machine.

ftp

To use the Kerberos ftp program, run it as you would normally run ftp. When you enter ftp <hostname>, you will still be prompted for your username. Press Enter. You will be logged in automatically. You should not be prompted for a password when trying to connect. If you are, do not type your password. Any password you type will not be encrypted and will go over the network in clear text.

rcp

You can use Kerberized rcp to transfer files securely between systems using Kerberos authentication. Kerberized rcp does not prompt for passwords. You must already have a valid TGT before using rcp.

rlogin/rsh

The Kerberos rlogin and rsh clients behave almost the same way as their non-Kerberized equivalents. Because of this, it is recommended that—if they must be included in the network—files such as /etc/hosts.equiv and .rhosts in the root user’s directory be removed. The Kerberized versions have the added benefit of using Kerberos protocol for authentication. They can also use Kerberos for password encryption.
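The following added shell script is not part of the HP documentation; it audits a system for the legacy trust files the paragraph above recommends removing, and flags files that contain a wildcard (+) entry, which trusts every host. It assumes root's home directory is / (as on HP-UX) and also checks /root/.rhosts for portability; the directory tree it builds is a constructed fixture so the check can run offline.

```shell
#!/bin/sh
# Added example, not from the HP-UX documentation: audit for the legacy
# trust files that Kerberized rlogin/rsh no longer need. Kerberized
# rlogin/rsh authenticate with tickets, so /etc/hosts.equiv and root's
# .rhosts only widen the attack surface if they remain on the system.
#
# audit_rhosts ROOT
#   Prints one finding per offending file under ROOT ("" = live system).
#   Root's home is / on HP-UX; /root/.rhosts is also checked (assumption,
#   for portability to other UNIX systems).

audit_rhosts() {
    root="${1:-}"
    for f in "$root/etc/hosts.equiv" "$root/.rhosts" "$root/root/.rhosts"; do
        [ -f "$f" ] || continue
        # A line consisting only of "+" (or "+ +") trusts every host and user.
        if grep -Eq '^[+]([[:space:]]+[+])?[[:space:]]*$' "$f"; then
            echo "CRITICAL: $f contains a wildcard (+) trust entry; remove the file"
        else
            echo "WARNING: $f present; Kerberized rlogin/rsh do not need it; remove it"
        fi
    done
    return 0
}

# rhosts_finding_count ROOT -> number of findings (0 means clean)
rhosts_finding_count() {
    audit_rhosts "$1" | wc -l | tr -d ' '
}

# Constructed fixture so the check can be demonstrated offline.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
printf '+\n' > "$demo_root/etc/hosts.equiv"        # trusts every host
printf 'trusted.example.com\n' > "$demo_root/.rhosts"
audit_rhosts "$demo_root"
echo "findings: $(rhosts_finding_count "$demo_root")"   # 2
rm -rf "$demo_root"
```

Run it with no argument to audit the live system; a non-empty report means the files should be removed before relying on Kerberized rlogin/rsh.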

telnet

The Kerberos telnet client has many command line arguments that control its behavior; refer to the telnet(1) manpage for complete information. The telnet client continues to use a session key even after the service ticket from which it was derived has expired. This means that the telnet session remains active even after the ticket originally used to gain access is no longer valid. This is insecure in a strict environment; however, the tradeoff between ease-of-use and strict security tends to lean in favor of ease-of-use in this situation. HP recommends that the telnet connection be re-initialized periodically by disconnecting and reconnecting with a new ticket. The overall lifetime of a ticket is set by the KDC and is normally eight hours.

Common Internet File System (CIFS)

The CIFS Client supports the Kerberos authentication mechanism. To authenticate, CIFS uses the standard procedures of RFC 2478 (GSS-API), which allow a client or server to call for authentication independently of the final choice of authentication method. Use of Kerberos in the CIFS environment provides significant security improvements over the older NT LanManager (NTLM) protocol traditionally used by CIFS Clients and Servers.

Secure Shell

HP-UX Secure Shell offers transparent encrypted security for HP-UX 11.0, 11i v1, 11i v1.6, and 11i v2. It is a Kerberized application that can use Kerberos as an authentication method. The