Installing and Administering Internet Services
Chapter 11 447
Secure Internet Services
Configuration and Kerberos Version Interoperability Requirements
• The V5 Beta 4 configuration file, realms file, and keytab file must
exist, and the V5-1.0 configuration file and keytab file must exist, as
explained in “Beginning with HP-UX 11.0” on page 444.
• A $HOME/.k5login file must exist in each login user’s home directory.
This file must be owned by the login user, and only the login user can
have write permission.
This file lists the user principals and their associated realm or cell
names that have access permission to the login user’s account. The
user principals are for the user that originally performed the kinit,
dce_login, or dess_login command. The term “login user” refers to
the user whose account is being accessed on the remote host. This is
not necessarily the same user who originally issued the kinit,
dce_login, or dess_login command.
Assume amy has already issued the kinit command. In this example,
amy enters the following:
$ rlogin hostA -l robert
In this example, robert is the login user, and amy must have an entry
in robert’s $HOME/.k5login file on the application server (hostA).
Alternatively, the client can use an authorization name database file
called /krb5/aname. An entry in this file will authorize a user
principal name to the specified login name. A tool for the
administration of an aname file is not provided by DCE or P/SS.
For the Secure Internet Services, login is allowed even without
entries in the login user’s $HOME/.k5login file or the aname database,
provided that the login user’s name matches the user name in the
user principal, and that the Kerberos realm of the client matches the
default realm of the application server.
• The login user must have an entry in the /etc/passwd file on the
application server.
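The file and authorization rules in this list, as an added Python sketch for auditing an account (not HP-UX, DCE, or Kerberos code). It assumes one name@REALM principal per line in .k5login, treats the file requirements as mandatory before any entry or name/realm match is considered, and does not model the /krb5/aname database; the function names and the amy/robert/EXAMPLE.COM values are constructed.

```python
import os
import stat
import tempfile


def k5login_file_ok(path, login_uid):
    """True if path is a regular file owned by login_uid that nobody else can write."""
    try:
        st = os.lstat(path)  # lstat: a symlink standing in for the file is rejected
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != login_uid:
        return False
    # "Only the login user can have write permission": no group or other write bit.
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def read_principals(path):
    """Assumed format: one 'name@REALM' principal per line; blank lines are ignored."""
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}


def access_allowed(principal, login_user, login_uid, k5login_path, default_realm):
    """Decide whether `principal` may access the account of `login_user`."""
    if not k5login_file_ok(k5login_path, login_uid):
        return False
    if principal in read_principals(k5login_path):
        return True
    # No entry: allowed only if the principal's user name equals the login name
    # and the client's realm is the application server's default realm.
    name, _, realm = principal.rpartition("@")
    return name == login_user and realm == default_realm


if __name__ == "__main__":
    # Constructed sample: a .k5login for login user robert that lists amy.
    path = os.path.join(tempfile.mkdtemp(), ".k5login")
    with open(path, "w") as fh:
        fh.write("amy@EXAMPLE.COM\n")
    os.chmod(path, 0o600)
    uid = os.getuid()
    for who in ("amy@EXAMPLE.COM", "robert@EXAMPLE.COM", "robert@OTHER.ORG"):
        print(who, access_allowed(who, "robert", uid, path, "EXAMPLE.COM"))
    os.chmod(path, 0o620)  # group-writable: the file no longer qualifies
    print("group-writable:", access_allowed("amy@EXAMPLE.COM", "robert", uid, path, "EXAMPLE.COM"))
```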