sis(5) sis(5)
NAME
sis - secure internet services with Kerberos authentication and authorization
DESCRIPTION
Secure Internet Services (SIS) provides network authentication when used in conjunction with HP
DCE security services, the HP Praesidium/Security Server, or other software products that provide a
Kerberos V5 Network Authentication Services environment. The network authentication ensures that a local
and remote host will be mutually identified to each other in a secure and trusted manner and that the
user is authorized to use the service on the remote host.
Traditional internet services such as telnet, rlogin, or ftp allow the user to access remote systems
by typing a password that is then transmitted to the remote system over the network. The password is
transmitted without encryption over the network, permitting an observer to capture the cleartext packets
containing the password. This has been a major security hole for traditional internet services.
The optional Secure Internet Services are a replacement for their traditional counterparts and prevent
the cleartext transmission of user passwords over the network. However, none of these services will
encrypt the session beyond what is necessary to authenticate the service or authorize the user.
This manpage assumes the reader is familiar with Kerberos terminology normally provided with your
Kerberos V5 Network Authentication Services environment. The intent here is to describe those aspects
of the Kerberos environment specifically used by SIS.
Authentication
For Kerberos authentication to succeed, the user must have successfully logged into a system within the
Kerberos realm and obtained a set of credentials. The credentials include a Ticket Granting Ticket (TGT)
and a session key. The SIS client will use the TGT to obtain a service ticket to access a SIS daemon on
the network. If the credentials are missing or the TGT is invalid, the authentication will fail and
connection to the SIS daemon will be denied.
For systems configured into a DCE cell, credentials are obtained through the dce_login command.
For systems configured into a Praesidium/Security Server cell, credentials are obtained through the
dess_login command. In a non-DCE Kerberos-based secure environment, credentials are obtained
through the kinit command.
Authorization
For every user of these services, a user principal must be configured into the Key Distribution Center’s
database. The user principal allows the user to obtain a service ticket which is sent to the remote service
as part of the Kerberos authentication mechanism. If the authentication is successful, the user principal
is then used as part of the Kerberos authorization mechanism.
In order for the authorization to succeed, both of the following requirements must be met:
1. The login name must exist in the remote system’s password file, that is, the remote account must
exist. Note: The login name is the name specified by the user in response to a login prompt and
may be different from the current user name.
2. One of the following conditions must be true:
A. The remote account's home directory has a .k5login file that contains the user principal.
The .k5login file must be owned by that account and only that account can have write
permission (that is, the permissions would appear as -rw-r--r--).
Note: In the remote system, if the /etc/krb5/ directory exists, Kerberos ignores the
.k5login file in the remote account's home directory.
B. The remote system has a .k5login.login_name file or symbolic link in the /etc/krb5/
directory that contains the user principal. If the /etc/krb5/ directory does not exist,
Kerberos checks the .k5login file in the remote account's home directory. If the /etc/krb5/
directory exists, Kerberos ignores the .k5login file in the remote account's home directory.
The format of the entries in the .k5login.login_name file is similar to the entries in the
.k5login file. The .k5login.login_name file (or symbolic link) and /etc/krb5/
directory must be owned by the root user and only the root user must have write permission (that
is, -rw-r--r--). To give privileges to a user to handle the .k5login.login_name file, an
administrator can create a .k5login.login_name symbolic link to the .k5login file in the
remote account's home directory.
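The following audit script is an added example; it is not part of the HP-UX sis(5) manpage or of the SIS product. It applies the requirement-2 rules above for one login name: it picks the single file Kerberos would consult (the per-login file under the krb5 directory when that directory exists, otherwise ~/.k5login), verifies ownership and the absence of group/other write permission on that file (and on the krb5 directory itself), and finally checks that the principal is listed. The krb5 directory is passed as a parameter so the same logic can be run against a constructed tree; the login name alice, the realm EXAMPLE.COM, the temporary tree, and the optional EXPECTED_OWNER override are all constructed values for the demonstration.

```sh
#!/bin/sh
# Added example (not from the HP-UX sis(5) manpage or the SIS product):
# audit the requirement-2 authorization checks for one login name.
# The Kerberos directory is a parameter so the logic can be exercised
# against a constructed tree instead of the real /etc/krb5.

# k5login_file LOGIN_NAME HOME_DIR [KRB5_DIR]
# Print the one file SIS consults. When KRB5_DIR exists, the per-login file
# is used and HOME_DIR/.k5login is ignored, even if the per-login file is absent.
k5login_file() {
    _login=$1 _home=$2 _krb5dir=${3:-/etc/krb5}
    if [ -d "$_krb5dir" ]; then
        printf '%s/.k5login.%s\n' "$_krb5dir" "$_login"
    else
        printf '%s/.k5login\n' "$_home"
    fi
}

# k5login_mode_ok PATH EXPECTED_OWNER
# Succeed only if PATH exists, is owned by EXPECTED_OWNER and carries no group
# or other write bit (the -rw-r--r-- the manpage calls for). Symbolic links
# are followed (ls -L), so the link target is what gets judged. ls -ld is
# used rather than stat(1) because stat is not a POSIX utility.
k5login_mode_ok() {
    _path=$1 _owner=$2
    [ -e "$_path" ] || return 1
    set -- $(ls -ldL "$_path")          # $1 = mode string, $3 = owner
    [ "$3" = "$_owner" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;; # position 6 (group) or 9 (other) is 'w'
    esac
    return 0
}

# k5login_has_principal PATH PRINCIPAL
# Succeed if PRINCIPAL appears as a complete line in PATH.
k5login_has_principal() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# sis_authz_check LOGIN_NAME HOME_DIR PRINCIPAL [KRB5_DIR] [EXPECTED_OWNER]
# Print ALLOW or DENY with a reason; succeed only on ALLOW. Requirement 1
# (the account exists in the password file) is assumed already satisfied.
# EXPECTED_OWNER normally follows the manpage (root for /etc/krb5, the
# account itself for ~/.k5login); the override exists only for testing on
# a constructed tree owned by the current user.
sis_authz_check() {
    _l=$1 _h=$2 _p=$3 _d=${4:-/etc/krb5}
    if [ -n "$5" ]; then _want=$5
    elif [ -d "$_d" ]; then _want=root
    else _want=$_l
    fi
    _f=$(k5login_file "$_l" "$_h" "$_d")
    if [ -d "$_d" ]; then
        k5login_mode_ok "$_d" "$_want" ||
            { echo "DENY: $_d is not owned by $_want or is group/other writable"; return 1; }
    fi
    k5login_mode_ok "$_f" "$_want" ||
        { echo "DENY: $_f is missing, not owned by $_want, or group/other writable"; return 1; }
    k5login_has_principal "$_f" "$_p" ||
        { echo "DENY: $_p is not listed in $_f"; return 1; }
    echo "ALLOW: $_p may log in as $_l via $_f"
}

# Stand-alone demonstration on a constructed tree; nothing under /etc is touched.
# alice and EXAMPLE.COM are made-up sample values.
demo() {
    umask 022
    _t=$(mktemp -d) || return 1
    _me=$(id -un 2>/dev/null || id -u)
    mkdir -p "$_t/home/alice" "$_t/etc/krb5"
    echo 'alice@EXAMPLE.COM' > "$_t/home/alice/.k5login"
    # The krb5 directory exists, so ~/.k5login is ignored: DENY although it lists alice.
    sis_authz_check alice "$_t/home/alice" alice@EXAMPLE.COM "$_t/etc/krb5" "$_me" || true
    # The administrator delegates by linking the per-login file to ~/.k5login: ALLOW.
    ln -s "$_t/home/alice/.k5login" "$_t/etc/krb5/.k5login.alice"
    sis_authz_check alice "$_t/home/alice" alice@EXAMPLE.COM "$_t/etc/krb5" "$_me" || true
    # Loosening the link target's mode reintroduces the write-permission problem: DENY.
    chmod 666 "$_t/home/alice/.k5login"
    sis_authz_check alice "$_t/home/alice" alice@EXAMPLE.COM "$_t/etc/krb5" "$_me" || true
    rm -rf "$_t"
}

demo
```

On a real host, run sis_authz_check with the account's home directory and principal and no fourth or fifth argument; it then applies the manpage's defaults (/etc/krb5 and root ownership) and the DENY reasons map directly to the three conditions above.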
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1