Getting Started Guide

1. On the Kerberos server, ensure that the following Kerberos daemons are running:
/opt/krb5/sbin/kadmind
/opt/krb5/sbin/kdcd
2. The Kerberos administrator must create user (client) information (a user ID and key) for
every user of the Kerberos service. This information is stored on the KDC server, and the
Kerberos administrator must communicate the user ID and initial password to each user. Users
must know their user ID and password. Kerberos administrators must use a communication method
that complies with the security policies of their organization.
NOTE: The Kerberos administrator can use the following administrative tools to create user
information:
/opt/krb5/admin/kadminl or /opt/krb5/admin/kadminl_ui if the Kerberos
administrator is local.
/opt/krb5/admin/kadmin or /opt/krb5/admin/kadmin_ui if the Kerberos
administrator is remote.
For more information about these administrative tools, see the Kerberos Server Version 3.12
Administrator’s Guide available at: http://www.hp.com/go/hpux-security-docs
3. The Kerberos administrator must generate service principals for every service (for example,
/opt/ssh/sbin/sshd) that supports Kerberos authentication. A service principal consists
of a service name, the fully qualified domain name of the host name, and the Kerberos realm
name. By default, the service principals are stored in the /opt/krb5/v5srvtab file on the
Kerberos server.
4. The Kerberos administrator must extract the required service principal.
If you are the Kerberos administrator, use the following command to extract the service
principal:
# /opt/krb5/admin/kadminl
The following output is displayed:
Connecting as: K/M
Connected to krb5v01 in realm casy.india.hp.com.
Command:
Enter the ext command to extract the host service principal.
The /opt/krb5/admin/kadminl command prompts for the service key table file name, as
follows:
Service Key Table File Name (/opt/krb5/v5srvtab):
The default service key table file name is /opt/krb5/v5srvtab. You can specify a different
file name (for example, /etc/krb5.keytab) for the service key table, because services such as
sshd do not read the /opt/krb5/v5srvtab file. The Kerberos administrator must communicate
the location of the service key table file to the administrator of the HP-UX Secure Shell server.
5. Copy the /etc/krb5.keytab file from the Kerberos server to the /etc directory on the
HP-UX Secure Shell server. The file contains the long-term key of the service principal, so
copy it over a protected channel (for example, scp) and make sure that on the HP-UX Secure Shell
server it is owned by root and readable by root only.
6. To verify that the service principal was copied correctly, run the following command on the
HP-UX Secure Shell server:
# klist -k
The following output is displayed:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
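Steps 5 and 6 end with a manual inspection of the klist -k listing. The following shell script is an added example and is not part of the HP-UX Secure Shell guide: it checks a captured klist -k listing for the sshd host principal and checks that the keytab file is readable by its owner only. It assumes that the sshd service principal has the form host/<fqdn>@<realm>; the host name sshserver.casy.india.hp.com and the sample listing embedded below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HP-UX Secure Shell guide): sanity checks for the
# keytab copied to the HP-UX Secure Shell server in steps 5 and 6.
# Assumptions: the sshd service principal is host/<fqdn>@<REALM>; the host
# name sshserver.casy.india.hp.com and SAMPLE_KLIST below are constructed.

# Succeed if the captured `klist -k` output lists host/<fqdn>@<REALM>.
# Only lines that begin with a numeric KVNO are examined, so the
# "Keytab name:" and "KVNO Principal" header lines are ignored.
keytab_lists_host_principal() {
    # $1 = klist -k output, $2 = fully qualified host name, $3 = realm
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Succeed if the keytab exists and only its owner may access it
# (mode 0600 or 0400): every group and other permission bit must be clear.
keytab_is_private() {
    [ -f "$1" ] || return 1
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Constructed sample of `klist -k` output after a correct copy.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/sshserver.casy.india.hp.com@casy.india.hp.com'

# On the HP-UX Secure Shell server, run against the real keytab, for example:
#   keytab_lists_host_principal "$(klist -k)" sshserver.casy.india.hp.com casy.india.hp.com
#   keytab_is_private /etc/krb5.keytab
if [ "${1:-}" = "--self-test" ]; then
    if keytab_lists_host_principal "$SAMPLE_KLIST" \
           sshserver.casy.india.hp.com casy.india.hp.com; then
        echo "sample listing contains the sshd host principal"
    else
        echo "sample listing is missing the sshd host principal" >&2
        exit 1
    fi
fi
```

Pass the FQDN explicitly rather than relying on hostname output, which on many systems is the short name only; the principal in the keytab must match the name sshd uses when it accepts the GSSAPI context.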