sis.5 (2010 09)

sis(5) sis(5)
6. If krbval is available on the local and remote systems, use it to test the Kerberos configuration by
invoking it to act as a client application on the local system and a server application on the remote
system. See krbval(1M) for details.
7. The SIS files must be installed. The traditional services will have been saved and the files for the
new services will be linked to the original, traditional file names.
DIAGNOSTICS
In addition to Kerberos-specific error messages, SIS has a few security related error messages that are
common to several or all of the services. These error messages can be used by scripts to detect whether
the invocation of a service has failed.
Error and Warning Messages Reported by the SIS Clients
ERROR! Kerberos authentication failed.
The user has not obtained a valid Ticket Granting Ticket (through kinit, dce_login, or
dess_login) or a valid host principal has not been configured in the Key Distribution Center’s
database for the realm. A more specific error message indicating the possible cause of the failure
will accompany this error message.
This error message will also be generated if the user attempts to access a nonsecure remote system.
In that case, this message will be preceded by the message:
To bypass Kerberos authentication, use the -P option.
This error is reported by ftp, rlogin and telnet.
ERROR! Kerberos-specific options are invalid with the -P option.
The -P command-line option indicates that Kerberos authentication should not be performed. If
any Kerberos-specific options are also specified on the command line, then they are in contradiction
to this request.
For remsh and rlogin, this means the -P option cannot be used in conjunction with the -F, -f, or -k options.
For rcp, this means the -P option cannot be used in conjunction with the -k option.
For telnet, this means the -P option cannot be used in conjunction with the -a or -l options.
WARNING! Password will be sent in a non-secure manner.
WARNING! Kerberos authentication will be bypassed.
The user has specified the -P option on the command line to access a nonsecure remote system or
to bypass a bad configuration in the Kerberos environment.
In the cases where a password is requested, the -P command-line option will cause the password to
be sent across the network in a readable form where it could possibly be intercepted or captured.
It is recommended that the user correct a bad configuration and only use the -P option if the
remote system is nonsecure.
The first warning is reported by ftp, rlogin, and telnet. The second warning is reported by
rcp. remsh could report either warning depending upon whether a password is required.
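The text above notes that scripts can use these messages to detect a failed invocation. The following is an added example, not part of the HP-UX manual page: a POSIX shell filter that classifies captured SIS client output and flags runs where Kerberos was bypassed with -P. The function names and labels are hypothetical, and it assumes each message arrives on a single line.

```shell
#!/bin/sh
# sis_classify: read captured SIS client output on stdin, print one label.
# Labels (hypothetical): ok, auth_failed, nonsecure_remote, bad_options,
# cleartext_password, kerberos_bypassed. Message texts are from the page.
sis_classify() {
    hint=0 result=ok
    while IFS= read -r line; do
        case $line in
        *"To bypass Kerberos authentication"*)
            hint=1 ;;   # precedes the ERROR when the remote system is nonsecure
        *"ERROR! Kerberos authentication failed."*)
            if [ "$hint" -eq 1 ]; then result=nonsecure_remote
            else result=auth_failed; fi ;;
        *"ERROR! Kerberos-specific options are invalid with the -P option."*)
            result=bad_options ;;
        *"WARNING! Password will be sent in a non-secure manner."*)
            # Warnings never override an error already seen.
            if [ "$result" = ok ]; then result=cleartext_password; fi ;;
        *"WARNING! Kerberos authentication will be bypassed."*)
            if [ "$result" = ok ]; then result=kerberos_bypassed; fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# sis_check: exit status for calling scripts.
#   0 = no SIS message seen, 1 = invocation failed,
#   2 = invocation proceeded but Kerberos was bypassed with -P.
sis_check() {
    case $(sis_classify) in
        ok) return 0 ;;
        cleartext_password|kerberos_bypassed) return 2 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: client output when the remote system is nonsecure.
sample_nonsecure() {
    printf '%s\n' 'To bypass Kerberos authentication, use the -P option.' \
                  'ERROR! Kerberos authentication failed.'
}

sample_nonsecure | sis_classify
```

A script that must never send a password in readable form can treat status 2 from sis_check the same as a failure.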
Error Messages Reported in the syslog by the SIS Daemons
ERROR! Access denied. Kerberos authentication must succeed.
The daemon was started with the -A command-line option to ensure that nonsecure access by
remote systems will be denied. The user cannot access the remote system unless the local system
has been configured for secure access.
This error is logged by ftpd and telnetd.
ERROR! Principal principal (remote_user@remote_host) logging in as local_user has no account.
The local_user does not have a valid password file entry.
This error is logged by all SIS daemons.
ERROR! Principal principal (remote_user@remote_host) logging in as local_user failed krb5_userok.
HP-UX 11i Version 3: September 2010 3 Hewlett-Packard Company 3