Step 4. To obtain access to a secured network service such as rlogin, rsh, rcp, ftp, or telnet, the requesting client application uses the previously obtained TGT in a dialogue with the TGS to obtain a service ticket. The protocol is the same as that used to obtain the TGT, except that the messages contain the name of the server and a copy of the previously obtained TGT.

Step 5. The TGS returns a new service ticket that the application client can use to authenticate to the service.

Step 6. The application client tries to authenticate to the service on the application server using the service ticket obtained from the TGS.

The secure application validates the service ticket using the server's service key stored in the keytab file. Using this service key, the server decrypts the ticket, recovers the session key, decrypts the authenticator with it, and verifies the identity of the user. It also verifies that the user's service ticket has not expired. If the user does not have a valid service ticket, the server returns an appropriate error code to the client.

Step 7. (Optional) At the client's request, the application server can also return, encrypted in the session key, the time stamp that the client sent. Because only a server holding the service key could have recovered that session key, this provides mutual authentication between the client and the application server.
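The following is an added example, not code from the HP-UX Kerberos products, that models steps 5 through 7 end to end: the TGS seals a service ticket under the service key, the client builds an AP-REQ containing the ticket plus an authenticator sealed under the session key, and the server validates both from its keytab, returning an AP-REP with the client's time stamp when mutual authentication is requested. The encryption is a stand-in (SHA-256 keystream with an HMAC-SHA256 tag) for a real Kerberos encryption type, the messages are Python dicts rather than ASN.1, the error names are taken from the RFC 1510 error table, and the principal names, keytab contents, lifetime and clock-skew limit are all constructed assumptions. It also goes slightly beyond the text by showing the failure modes a server must handle: an expired ticket, an authenticator outside the allowed clock skew, and a keytab whose key no longer matches the one the KDC used.

```python
"""Toy model of Kerberos steps 5-7: service ticket, AP-REQ, AP-REP (added example)."""
import hashlib
import hmac
import json
import os

MAX_CLOCK_SKEW = 300          # seconds; assumed skew tolerance
TICKET_LIFETIME = 8 * 3600    # seconds; assumed service ticket lifetime


class KerberosError(Exception):
    """Carries the RFC 1510 error code name the server would send back."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream: SHA-256 in counter mode. Not a Kerberos enctype.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Seal a dict: nonce || ciphertext || HMAC tag (authenticated encryption stand-in)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Open a sealed dict; raise ValueError if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def tgs_issue_service_ticket(service_key: bytes, client: str, server: str, now: int):
    """Step 5: TGS returns a ticket sealed under the service key plus the session key."""
    session_key = os.urandom(32)
    ticket = encrypt(service_key, {"client": client, "server": server,
                                   "session_key": session_key.hex(),
                                   "endtime": now + TICKET_LIFETIME})
    return ticket, session_key


def client_build_ap_req(ticket: bytes, session_key: bytes, client: str, ctime: int, mutual: bool):
    """Step 6: the client presents the ticket and an authenticator sealed under the session key."""
    authenticator = encrypt(session_key, {"client": client, "ctime": ctime})
    return {"ticket": ticket, "authenticator": authenticator, "mutual_required": mutual}


def server_verify_ap_req(keytab: dict, server: str, ap_req: dict, now: int):
    """Steps 6-7: validate ticket and authenticator with the keytab; build AP-REP if asked."""
    try:
        ticket = decrypt(keytab[server], ap_req["ticket"])
    except ValueError:
        raise KerberosError("KRB_AP_ERR_BAD_INTEGRITY")   # keytab key does not open the ticket
    if ticket["server"] != server:
        raise KerberosError("KRB_AP_ERR_NOT_US")
    if now > ticket["endtime"]:
        raise KerberosError("KRB_AP_ERR_TKT_EXPIRED")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = decrypt(session_key, ap_req["authenticator"])
    if auth["client"] != ticket["client"]:
        raise KerberosError("KRB_AP_ERR_BADMATCH")        # authenticator not for this ticket's client
    if abs(now - auth["ctime"]) > MAX_CLOCK_SKEW:
        raise KerberosError("KRB_AP_ERR_SKEW")
    # Step 7 (optional): echo the client's time stamp under the session key.
    ap_rep = encrypt(session_key, {"ctime": auth["ctime"]}) if ap_req["mutual_required"] else None
    return ticket["client"], session_key, ap_rep


def client_verify_ap_rep(session_key: bytes, ap_rep: bytes, sent_ctime: int) -> bool:
    """Step 7: the client accepts the server only if its own time stamp comes back."""
    return decrypt(session_key, ap_rep)["ctime"] == sent_ctime


def run_exchange(issued_at: int, presented_at: int, mutual: bool = True,
                 client_clock_offset: int = 0, stale_keytab: bool = False):
    """Drive steps 5-7; return (client principal, mutual-auth result) or the error code name."""
    server, client = "host/app.example.com", "alice@EXAMPLE.COM"   # constructed principals
    kdc_copy_of_key = os.urandom(32)
    # A stale keytab models a service key rotated at the KDC but not redistributed.
    keytab = {server: os.urandom(32) if stale_keytab else kdc_copy_of_key}
    ticket, session_key = tgs_issue_service_ticket(kdc_copy_of_key, client, server, issued_at)
    ap_req = client_build_ap_req(ticket, session_key, client,
                                 presented_at + client_clock_offset, mutual)
    try:
        who, _, ap_rep = server_verify_ap_req(keytab, server, ap_req, presented_at)
    except KerberosError as err:
        return str(err)
    mutual_ok = client_verify_ap_rep(session_key, ap_rep, presented_at + client_clock_offset) if mutual else None
    return who, mutual_ok


if __name__ == "__main__":
    print(run_exchange(1000, 1000))                              # ('alice@EXAMPLE.COM', True)
    print(run_exchange(1000, 1000 + 9 * 3600))                   # KRB_AP_ERR_TKT_EXPIRED
    print(run_exchange(1000, 1000, client_clock_offset=600))     # KRB_AP_ERR_SKEW
    print(run_exchange(1000, 1000, stale_keytab=True))           # KRB_AP_ERR_BAD_INTEGRITY
```

The order of checks mirrors the text: the ticket is opened with the keytab key first, its expiry is checked, and only then is the session key used to open the authenticator. The stale-keytab case is the one that shows up most often in practice, since a host whose keytab is out of step with the KDC rejects every client even though nothing is wrong on the client side.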

Kerberos Products on HP-UX

HP-UX supports the following Kerberos products. All HP-UX Kerberos products conform to the IETF specification for Kerberos Version 5 and are compliant with IETF RFC 1510.

• PAM Kerberos

• Kerberos Client Software

• HP Kerberos Server Version 3.1

• Generic Security Service Application Programming Interface (GSS-API)

PAM Kerberos (PAM-Kerberos)

The Kerberos implementation of PAM is based on RFC 86.0 of the Open Software Foundation. PAM allows multiple authentication technologies to coexist on HP-UX.

The PAM framework provides separate modules for account, session, password, and authentication management. PAM Kerberos uses the Kerberos protocol for the authentication management part.