HP-UX Reference (11i v1 00/12) - 5 Miscellaneous Topics, 7 Device (Special) Files, 9 General Information, Index (vol 9)

sis(5) sis(5)
NAME
sis - secure internet services with Kerberos authentication and authorization
DESCRIPTION
Secure Internet Services (SIS) provides network authentication when used in conjunction with HP DCE
security services, the HP Praesidium/Security Server, or other software products that provide a Kerberos
V5 Network Authentication Services environment. The network authentication ensures that a local and
remote host will be mutually identified to each other in a secure and trusted manner and that the user is
authorized to use the service on the remote host.
Traditional internet services such as telnet, rlogin, or ftp allow the user to access remote systems
by typing a password that is then transmitted to the remote system over the network. The password is
transmitted without encryption over the network, permitting an observer to capture the cleartext packets
containing the password. This has been a major security hole for traditional internet services.
The optional Secure Internet Services are a replacement for their traditional counterparts and prevent the
cleartext transmission of user passwords over the network. However, none of these services will encrypt
the session beyond what is necessary to authenticate the service or authorize the user.
This man page assumes the reader is familiar with Kerberos terminology normally provided with your
Kerberos V5 Network Authentication Services environment. The intent here is to describe those aspects of the
Kerberos environment specifically used by SIS.
Authentication
For Kerberos authentication to succeed, the user must have successfully logged into a system within the
Kerberos realm and obtained a set of credentials. The credentials include a Ticket Granting Ticket (TGT)
and a session key. The SIS client will use the TGT to obtain a service ticket to access a SIS daemon on the
network. If the credentials are missing or the TGT is invalid, the authentication will fail and connection to
the SIS daemon will be denied.
For systems configured into a DCE cell, credentials are obtained through the dce_login command. For
systems configured into a Praesidium/Security Server cell, credentials are obtained through the
dess_login command. In a non-DCE Kerberos-based secure environment, credentials are obtained
through the kinit command.
Authorization
For every user of these services, a user principal must be configured into the Key Distribution Center’s
database. The user principal allows the user to obtain a service ticket which is sent to the remote service
as part of the Kerberos authentication mechanism. If the authentication is successful, the user principal is
then used as part of the Kerberos authorization mechanism.
In order for the authorization to succeed, both of the following requirements must be met:
1. The login name must exist in the remote system’s password file, i.e., the remote account must exist.
Note: the login name is the name specified by the user in response to a login prompt and may be
different from the current user name.
2. One of the following conditions must be true:
A. The remote account’s home directory has a .k5login file that contains the user principal.
The .k5login file must be owned by that account and only that account can have write
permission (i.e., the permissions would appear as -rw-r--r--).
B. The remote system has an authorization name database file, aname, that contains the user
principal. The aname file should contain a mapping of the user principal to an account on the
remote system.
C. The user name in the user principal is the same as the user name of the account being accessed,
and the local and remote systems are in the same realm.
If authorization succeeds, the user will not see a prompt for a password (when a password is required) and
the connection to the remote system will succeed. If the authentication or authorization fails, the user will
be notified of the error and will not be allowed to continue.
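The following is an added example, not part of the HP-UX man page or the SIS implementation: a model of the two authorization requirements above (account must exist; then .k5login, aname, or same-name-same-realm), run over constructed data. It assumes .k5login is represented as an (owner uid, mode, principal list) tuple and the aname database as a dict; the real daemons read both from the filesystem.

```python
# Added example (not from the HP-UX man page): a model of the SIS
# authorization rules described above, over constructed inputs.
# Assumptions: .k5login is modeled as (owner_uid, mode, contents) and the
# aname database as a dict; real SIS daemons read these from the filesystem.
import stat

def parse_principal(principal):
    """Split 'user@REALM' into (user, realm); raise on a malformed principal."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        raise ValueError("malformed Kerberos principal: %r" % principal)
    return user, realm

def k5login_usable(k5login, account_uid):
    """Condition A's file checks: owned by the account, writable only by it."""
    if k5login is None:
        return False
    owner_uid, mode, _ = k5login
    group_or_other_write = stat.S_IWGRP | stat.S_IWOTH
    return owner_uid == account_uid and not (mode & group_or_other_write)

def sis_authorized(login_name, principal, passwd, k5login, aname, local_realm):
    """Return (ok, reason) following the two requirements in sis(5).

    passwd: {login_name: uid}; k5login: (owner_uid, mode, [principals]) or None;
    aname: {principal: account_name}; local_realm: realm of the remote host.
    """
    # Requirement 1: the remote account must exist.
    if login_name not in passwd:
        return False, "no such account"
    uid = passwd[login_name]
    user, realm = parse_principal(principal)
    # Condition A: principal listed in a properly owned and protected .k5login.
    if k5login_usable(k5login, uid) and principal in k5login[2]:
        return True, "k5login"
    # Condition B: the aname database maps the principal to this account.
    if aname.get(principal) == login_name:
        return True, "aname"
    # Condition C: same user name and same realm as the remote system.
    if user == login_name and realm == local_realm:
        return True, "same-realm"
    return False, "not authorized"

# Constructed sample data: two accounts, one .k5login (-rw-r--r--), one aname entry.
PASSWD = {"alice": 1001, "ops": 1002}
K5LOGIN = (1001, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH,
           ["bob@EXAMPLE.COM"])
ANAME = {"carol@OTHER.COM": "ops"}
```

A group-writable .k5login is ignored entirely, so a principal listed there only gets in if one of the other two conditions holds.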
Bypassing or Enforcing Authentication/Authorization
If the authentication or authorization fails, the service can be re-run with a special command line option
(-P) to request non-Kerberos authentication. However, when a password is required, it will be sent across
the network in a readable form. Typically, this special command line option should only be used to access
HP-UX Release 11i: December 2000 1 Section 5339