Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Secure Internet Services (SIS)
Environment
SIS requires a Kerberos V5 network authentication services
environment that includes a properly configured Key Distribution
Center (KDC). Supported KDCs are the HP DCE security server, the HP
Praesidium/Security Server, or any third-party KDC based on Kerberos
Version 5 Release 1.0. A properly configured KDC must be running for
the Secure Internet Services to work.
Operating with Secure and Nonsecure Systems
Depending on how certain options are used with these services, the SIS
clients may still be able to access nonsecure remote hosts and the
daemons will still be able to accept requests from nonsecure clients.
If any of the SIS services are installed in an environment where some of
the remote systems on the network are nonsecure, you can use the -P
command line option to bypass Kerberos authentication. However, if
accessing the host requires a password, the password will be sent in a
readable form over the network.
To protect the integrity of passwords on servers, you can prevent remote
users from gaining access in a nonsecure manner. To make ftpd and
telnetd refuse access from nonsecure clients, invoke these daemons with
the -A option, which enforces Kerberos authentication. To make remshd
and rlogind refuse access from nonsecure clients, comment out the
entries for shell and login in the /etc/inetd.conf file. Once these
steps are taken for a service, the client cannot use the -P option to
bypass authentication for that service.
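
The following check is an added example, not part of the HP-UX guide: it audits inetd.conf-style input for the settings described above (-A on the ftp and telnet entries, shell and login entries commented out). The function name, the sample entries, and the requirement that -A appear as its own argument are assumptions made for illustration.

```sh
#!/bin/sh
# Audit inetd.conf-style input for the SIS enforcement settings:
#   ftp/telnet entries must pass -A; shell/login entries must be commented out.
# Prints one line per checked entry; returns non-zero if any entry still
# permits nonsecure access. Assumes -A is written as a separate argument.
audit_sis_inetd() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # commented-out or blank: not active
        $1 == "shell" || $1 == "login" {
            printf "FAIL %s: active entry, comment it out\n", $1
            bad = 1; next
        }
        $1 == "ftp" || $1 == "telnet" {
            # Fields: service type proto wait user path argv0 args...
            enforced = 0
            for (i = 8; i <= NF; i++) if ($i == "-A") enforced = 1
            if (enforced) printf "OK   %s: -A present\n", $1
            else { printf "FAIL %s: daemon started without -A\n", $1; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: nonsecure access is still possible (ftp, shell).
sample_weak() {
    cat <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd -A
shell   stream tcp nowait root /usr/lbin/remshd  remshd
#login  stream tcp nowait root /usr/lbin/rlogind rlogind
EOF
}

# Constructed sample: the settings from the text applied to every service.
sample_hardened() {
    cat <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l -A
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd -A
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
#login  stream tcp nowait root /usr/lbin/rlogind rlogind
EOF
}

sample_weak | audit_sis_inetd || echo "weak sample: nonsecure access possible"
sample_hardened | audit_sis_inetd && echo "hardened sample: Kerberos enforced"
```

To audit a live system, pass the file as an argument: audit_sis_inetd /etc/inetd.conf.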