HP-UX Reference (11i v2 03/08) - 5 Miscellaneous Topics, 7 Device (Special) Files, 9 General Information, Index (vol 9)

sis(5) sis(5)
     access non-secure remote systems.

     The ftp and telnet daemons have a special command line option (-A) which can be used to ensure
     that non-secure systems are denied access.

     To prevent non-secure access through the rcp, remsh or rlogin commands, the inetd.conf file on the
     remote system should be edited to comment out the entries for shell and login.
SERVICES
     ftp, ftpd          file transfer program
     rlogin, rlogind    remote login
     telnet, telnetd    user interface and server for Telnet protocol
     rcp, remshd        remote file copy
     remsh, remshd      execute from a remote shell
TROUBLESHOOTING
     For the correct execution of SIS, it is important that the secure environment be properly installed,
     configured and running. The following is a quick checklist to verify this:

     1. The DCE, Praesidium/Security Server, or Kerberos security system should be running on the
        Kerberos server. The /etc/services file should contain entries for the Kerberos ports.

     2. The user's user principal must be entered into the Key Distribution Center's database. Use the
        appropriate tool (e.g., kadmin or HP DCE's dcecp) to list the database and to verify that the user
        has a user principal configured.

     3. The Kerberos configuration directory on the local and remote systems should contain a krb.conf,
        krb.realms, and a server key table file. Generally, the Kerberos configuration directory will be
        /krb5 and the server key table file will be named v5srvtab.

     4. The user principal must be specified in ~/.k5login on the local and remote systems. The
        ~/.k5login lists the principals and realm names which have access permission for the user's
        account.

        Alternatively, the secure system can use an authorization name database, aname, on the local and
        remote systems. An entry in this file will authorize the user name in a user principal to the
        specified login name.

        Verify that ~/.k5login exists, has the correct permissions (i.e., -rw-r--r--), and includes the user
        principal. Or, use the appropriate tool (e.g., krb5_anadd on a non-HP DCE system) to verify that
        the user principal is included in the aname file.

     5. The server key table file on the remote system should contain a host principal. The root user can
        verify the contents of the v5srvtab through the command: klist -k. If klist supports the -k
        option, type this command and verify that a host principal is listed.

        Alternatively, if the validation tool, krbval, is available on the system, use the command:
        krbval -v.

     6. If krbval is available on the local and remote systems, use it to test the Kerberos configuration by
        invoking it to act as a client application on the local system and a server application on the remote
        system. See krbval(1M) for details.

     7. The SIS files must be installed. The traditional services will have been saved and the files for the
        new services will be linked to the original, traditional file names.
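     The following POSIX shell script is an added example, not part of the sis(5) manual page or of HP's
     SIS software; it automates checklist items 1, 3 and 4 above. The default paths (/etc/services, /krb5,
     ~/.k5login) and the file names are taken from the checklist; the principal passed to check_k5login
     is an assumed caller-supplied value.

```shell
#!/bin/sh
# Added example: scripted checks for sis(5) troubleshooting items 1, 3 and 4.
# Each function takes an optional path so the checks can be pointed at any
# directory; with no argument the defaults named in the manual page are used.

# Item 1: /etc/services should carry entries for the Kerberos ports.
# Returns 0 if at least one service line starts with "kerberos", 1 otherwise.
check_services() {
    services_file=${1:-/etc/services}
    [ -r "$services_file" ] || return 1
    grep -i '^kerberos' "$services_file" >/dev/null 2>&1
}

# Item 3: the Kerberos configuration directory (default /krb5) must hold
# krb.conf, krb.realms and the server key table v5srvtab.
check_krb_dir() {
    krb_dir=${1:-/krb5}
    for f in krb.conf krb.realms v5srvtab; do
        [ -f "$krb_dir/$f" ] || { echo "missing $krb_dir/$f" >&2; return 1; }
    done
    return 0
}

# Item 4: ~/.k5login must exist, have mode -rw-r--r-- and list the given
# principal (assumed argument, e.g. user@REALM). The mode string is read from
# ls -l so the check works on systems without GNU stat.
check_k5login() {
    k5login=${1:-$HOME/.k5login}
    principal=$2
    [ -f "$k5login" ] || { echo "$k5login does not exist" >&2; return 1; }
    mode=$(ls -l "$k5login" | cut -c1-10)
    [ "$mode" = "-rw-r--r--" ] ||
        { echo "$k5login has mode $mode, expected -rw-r--r--" >&2; return 1; }
    grep -F -x "$principal" "$k5login" >/dev/null 2>&1 ||
        { echo "$principal is not listed in $k5login" >&2; return 1; }
    return 0
}
```

     Run the three functions in turn on both the local and the remote system; a non-zero return value
     names the failed item on standard error.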
DIAGNOSTICS
     In addition to Kerberos-specific error messages, SIS has a few security related error messages that are
     common to several or all of the services. These error messages can be used by scripts to detect whether
     the invocation of a service has failed.

     Error and warning messages reported by the SIS clients

     ERROR! Kerberos authentication failed.
          The user has not obtained a valid Ticket Granting Ticket (through kinit, dce_login, or
          dess_login) or a valid host principal has not been configured in the Key Distribution Center's
          database for the realm. A more specific error message indicating the possible cause of the failure
Section 5-286                          Hewlett-Packard Company                 - 2 -                   HP-UX 11i Version 2: August 2003