HP-UX Secure Shell Getting Started Guide

their user ID and password. Kerberos Administrators must use a communication method
that complies with security policies of their organization.
NOTE: The Kerberos administrator can use the following administrative tools to create
user information:
• /opt/krb5/admin/kadminl or /opt/krb5/admin/kadminl_ui if the Kerberos administrator is local.
• /opt/krb5/admin/kadmin or /opt/krb5/admin/kadmin_ui if the Kerberos administrator is remote.
For more information on these administrative tools, see the Kerberos Server Version 3.12
Administrator’s Guide available at: http://www.docs.hp.com/en/internet.html#Kerberos
3. The Kerberos administrator must generate service principals for every service (for example,
/opt/ssh/sbin/sshd) that supports Kerberos authentication. A service principal consists
of a service name, the fully qualified domain name of the host, and the Kerberos realm
name. By default, the service principals are stored in the /opt/krb5/v5srvtab file on the
Kerberos server.
4. The Kerberos administrator must extract the required service principal.
If you are the Kerberos administrator, use the following command to extract the service
principal:
# /opt/krb5/admin/kadminl
The following output is displayed:
Connecting as: K/M
Connected to krb5v01 in realm casy.india.hp.com.
Command:
Enter the ext command to extract the host service principal.
The kadminl command prompts for the service key table file name, as
follows:
Service Key Table File Name (/opt/krb5/v5srvtab):
The default service key table file name is /opt/krb5/v5srvtab. You can specify a different
file name (for example, /etc/krb5.keytab) for the service key table, because the
/opt/krb5/v5srvtab file is not accessible by services (for example, sshd). The Kerberos
administrator must communicate the location of the service key table file to the users.
5. Copy the /etc/krb5.keytab file from the Kerberos server to the /etc directory on the
HP-UX Secure Shell server.
6. To verify that the service principal was copied correctly, run the following command on the
HP-UX Secure Shell server:
# klist -k
The following output is displayed:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----------------------------------------------------------
1 host/pluto.mydomain.com@MYDOMAIN.COM
7. The HP-UX Secure Shell client and server must contain the Kerberos configuration file
(/etc/krb5.conf) that points to the KDC service. The /etc/krb5.conf file is a network
configuration file and does not contain any security-specific information. For a sample
/etc/krb5.conf configuration file, see Appendix B (page 97).
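The following shell script is an added example, not part of the HP guide, that automates the checks an administrator performs on the HP-UX Secure Shell server after steps 5 to 7: the keytab is present and readable only by its owner, the klist -k output lists the expected host/<fqdn>@<REALM> entry, and /etc/krb5.conf exists. The function names are constructed for illustration, the sample klist output is built from the format shown in step 6 with the example host pluto.mydomain.com, and the script assumes that klist -k accepts a keytab path as its argument (true for MIT-derived klist; the guide itself only shows klist -k with the default keytab).

```shell
#!/bin/sh
# Added verification helper for steps 5 to 7 of the guide (not HP's code).
# Function names and the host/realm values below are constructed for illustration.

# Constructed sample of `klist -k` output, in the format shown in step 6.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----------------------------------------------------------
   1 host/pluto.mydomain.com@MYDOMAIN.COM'

# keytab_has_principal "<klist -k output>" <fqdn> <REALM>
# Succeeds only if an entry exactly matching host/<fqdn>@<REALM> is listed.
# Kerberos realm names are case-sensitive, so the comparison is exact.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        /^Keytab name:/ || /^KVNO/ || /^-+$/ { next }   # skip the header lines
        NF >= 2 && $2 == want { found = 1 }            # column 2 is the principal
        END { exit found ? 0 : 1 }'
}

# keytab_perms_ok <path>
# The keytab holds the long-term service key, so it must be a regular file that
# only its owner can read (mode 0600 or 0400); anything wider is a failure.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")          # field 1 of ls -ld is the mode string
    case "$1" in
        -r??------*) return 0 ;;   # trailing char tolerates ACL/label markers
        *)           return 1 ;;
    esac
}

# verify_ssh_server_keytab <fqdn> <REALM> [keytab]
# The full check an administrator would run on the HP-UX Secure Shell server:
# keytab permissions, the expected host principal, and /etc/krb5.conf (step 7).
# Assumes `klist -k <file>` lists the named keytab (MIT-derived klist does).
verify_ssh_server_keytab() {
    fqdn="$1"; realm="$2"; keytab="${3:-/etc/krb5.keytab}"
    if ! keytab_perms_ok "$keytab"; then
        echo "FAIL: $keytab is missing or readable by users other than its owner" >&2
        return 1
    fi
    if ! command -v klist >/dev/null 2>&1; then
        echo "FAIL: klist not found on PATH" >&2
        return 1
    fi
    if ! keytab_has_principal "$(klist -k "$keytab" 2>/dev/null)" "$fqdn" "$realm"; then
        echo "FAIL: host/$fqdn@$realm not found in $keytab" >&2
        return 1
    fi
    if [ ! -r /etc/krb5.conf ]; then
        echo "FAIL: /etc/krb5.conf is missing (step 7)" >&2
        return 1
    fi
    echo "OK: $keytab holds host/$fqdn@$realm and /etc/krb5.conf is present"
}

# Offline demonstration against the constructed sample output:
if keytab_has_principal "$SAMPLE_KLIST" pluto.mydomain.com MYDOMAIN.COM; then
    echo "sample keytab lists host/pluto.mydomain.com@MYDOMAIN.COM"
fi
```

On the Secure Shell server, run it as root with the server's own name and realm, for example `verify_ssh_server_keytab pluto.mydomain.com MYDOMAIN.COM`; a keytab that is world-readable fails the check before klist is consulted, because the service key itself is what the file protects.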
Configuring Kerberos Authentication 41