Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2/2008

Buffy has an existing login to the system atcuxvm5.rose.hp.com. A “klist” command shows that she
has her default principals. She executes a telnet to the system atcuxvm6.rose.hp.com, and gains
access without providing a password. The SIS telnet feature is more verbose than rlogin, so we get to
see explicit messaging from the system about the status of the login attempt, which is nice. After
exiting the atcuxvm6 session, another klist on her original session on atcuxvm5 reveals that she now
has the host/atcuxvm6.rose.hp.com@ATCWIN1.HP.COM principal – exactly like the rlogin trace.
The associated Wireshark trace proves that this principal was acquired from the KDC during the
rlogin, and that the POSIX credentials were retrieved from the KDC as well. Buffy’s session was
authenticated on atcuxvm6 using the host principal that she retrieved from the KDC.
Popular perception claims that telnet is superior to rlogin. In the case of SIS on HP-UX with Unified
Login, the only additional effort to ensure that telnet works is to include the three default enctypes in
the krb5.conf file, as described in the PAM Kerberos configuration topic.