HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

sis(5) sis(5)
6. If krbval is available on the local and remote systems, use it to test the Kerberos configuration by
invoking it to act as a client application on the local system and a server application on the remote
system. See krbval(1M) for details.
7. The SIS files must be installed. The traditional services will have been saved and the files for the new
services will be linked to the original, traditional file names.
DIAGNOSTICS
In addition to Kerberos-specific error messages, SIS has a few security-related error messages that are
common to several or all of the services. Scripts can use these error messages to detect whether the
invocation of a service has failed.
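
A script can detect these failures by matching the fixed message strings listed in this DIAGNOSTICS section. The following is an added example, not part of the HP-UX manual; the category names, the function names and the syslog prefix layout of the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the HP-UX manual): match the fixed SIS message
# strings from DIAGNOSTICS. Category names are assumptions of this example.

sis_classify() {
    case "$1" in
        *"ERROR! Kerberos authentication failed."*) echo AUTH_FAILED ;;
        *"ERROR! Kerberos-specific options are invalid with the -P option."*)
            echo BAD_OPTIONS ;;
        *"WARNING! Password will be sent in a non-secure manner."*)
            echo CLEARTEXT_PASSWORD ;;
        *"WARNING! Kerberos authentication will be bypassed."*)
            echo KERBEROS_BYPASSED ;;
        *"ERROR! Access denied. Kerberos authentication must succeed."*)
            echo DENIED_BY_DAEMON ;;
        *"ERROR! Principal "*" logging in as "*" has no account."*)
            echo NO_LOCAL_ACCOUNT ;;
        *"ERROR! Principal "*" logging in as "*" failed krb5_userok."*)
            echo KRB5_USEROK_FAILED ;;
        *) echo OTHER ;;
    esac
}

# Read lines on stdin, print "CATEGORY<TAB>line" for each SIS message,
# and return 1 if at least one was seen (0 otherwise).
sis_scan() {
    found=0
    while IFS= read -r line; do
        kind=$(sis_classify "$line")
        [ "$kind" = OTHER ] && continue
        printf '%s\t%s\n' "$kind" "$line"
        found=1
    done
    return "$found"
}

# Constructed sample: host names, PIDs, principals and the syslog prefix
# layout are invented for illustration.
sis_sample() {
    cat <<'EOF'
Feb 12 10:01:07 hostb telnetd[2211]: ERROR! Access denied. Kerberos authentication must succeed.
Feb 12 10:02:40 hostb ftpd[2290]: ERROR! Principal jdoe@EXAMPLE.COM (jdoe@hosta) logging in as root failed krb5_userok.
Feb 12 10:03:02 hostb inetd[611]: telnet/tcp: Connection from hosta
WARNING! Password will be sent in a non-secure manner.
EOF
}

sis_sample | sis_scan || echo "SIS failures or Kerberos bypasses detected" >&2
```

Treating the two WARNING! strings as events in their own right lets a wrapper script flag every use of the -P option, including the cases where a password crosses the network in readable form.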
Error and Warning Messages Reported by the SIS Clients
ERROR! Kerberos authentication failed.
The user has not obtained a valid Ticket Granting Ticket (through kinit, dce_login, or dess_login)
or a valid host principal has not been configured in the Key Distribution Center’s
database for the realm. A more specific error message indicating the possible cause of the failure will
accompany this error message.
This error message will also be generated if the user attempts to access a nonsecure remote system.
In that case, this message will be preceded by the message: To bypass Kerberos authentication,
use the -P option.
This error is reported by ftp, rlogin and telnet.
ERROR! Kerberos-specific options are invalid with the -P option.
The -P command-line option indicates that Kerberos authentication should not be performed. If any
Kerberos-specific options are also specified on the command line, then they are in contradiction to this
request.
For remsh and rlogin, this means the -P option cannot be used in conjunction with the -F, -f, or -k options.
For rcp, this means the -P option cannot be used in conjunction with the -k option.
For telnet, this means the -P option cannot be used in conjunction with the -a or -l options.
WARNING! Password will be sent in a non-secure manner.
WARNING! Kerberos authentication will be bypassed.
The user has specified the -P option on the command line to access a nonsecure remote system or to
bypass a bad configuration in the Kerberos environment.
In the cases where a password is requested, the -P command-line option will cause the password to
be sent across the network in a readable form where it could possibly be intercepted or captured.
It is recommended that the user correct a bad configuration and use the -P option only if the
remote system is nonsecure.
The first warning is reported by ftp, rlogin, and telnet. The second warning is reported by
rcp. remsh could report either warning, depending upon whether a password is required.
Error Messages Reported in the syslog by the SIS Daemons
ERROR! Access denied. Kerberos authentication must succeed.
The daemon was started with the -A command-line option to ensure that nonsecure access by remote
systems will be denied. The user cannot access the remote system unless the local system has been
configured for secure access.
This error is logged by ftpd and telnetd.
ERROR! Principal principal (remote_user@remote_host) logging in as local_user has no account.
The local_user does not have a valid password file entry.
This error is logged by all SIS daemons.
ERROR! Principal principal (remote_user@remote_host) logging in as local_user failed krb5_userok.
HP-UX 11i Version 3: February 2007 3 Hewlett-Packard Company 481