User Manual
Security Database Configuration
11-11
11.4.1.6 Displaying the Local Database
Local database entries can be checked with the Show/Monitor/List Authentication User command. All
users, their passwords, and other parameters are listed.
Note: See Show/Monitor/List Authentication on page 12-178.
11.4.1.7 Purging the Local Database
To remove a particular user from the database, use the Clear/Purge Authentication User command. See
Clear/Purge Authentication on page 12-153 for a complete description of this command.
11.4.2 Kerberos
The Kerberos Authentication Service is a network-based authentication service. Passwords are always
transmitted in encrypted form. The SCS supports Kerberos version 4.
Kerberos is available as public-domain software and from commercial vendors. Please refer to your
Kerberos server documentation for detailed information about setting up a Kerberos server, registering
Kerberos clients, and administering a Kerberos network.
Kerberos advantages include the following:
◆ Passwords are always encrypted; it is not possible to obtain a user’s password by eavesdropping on
a connection attempt.
◆ Kerberos is a widely-accepted standard, and is proven to be secure.
◆ The SCS may easily be added to an existing Kerberos network.
◆ A large number of users may be supported.
Disadvantages include:
◆ Configuring the Kerberos database can be complicated.
◆ Kerberos does not guard against guessing a user’s password.
◆ If the caller attempts to use CHAP for authentication, Kerberos cannot be used.
Note: Kerberos authentication is case-sensitive.
11.4.2.1 Configuring Kerberos
The Set/Define Authentication Kerberos commands are used for most of the Kerberos configuration
options.
1 Ensure that the SCS clock is synchronized with the clock on the Kerberos server. The Kerberos
authentication model attaches timestamps to the packets exchanged between the SCS and the Kerberos
server to prevent replay attacks. The SCS timestamp may deviate from the Kerberos server clock by
at most 5 minutes; a packet outside that window is considered invalid, which results in a failed
authentication attempt.
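The timestamp check described in step 1 can be illustrated with a small model of how a Kerberos-style verifier treats authenticator timestamps. The following is an added example, not code from the SCS firmware or from any Kerberos implementation: it assumes the 5-minute tolerance is applied symmetrically (client clock ahead or behind), and it pairs the skew check with a replay cache keyed on (principal, client timestamp), which is what makes the timestamp useful against replays. The principal name, the timestamps and the `max_skew` parameter are constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# The manual states a 5-minute tolerance between the SCS clock and the Kerberos server clock.
MAX_CLOCK_SKEW_SECONDS = 5 * 60


def validate_timestamp(client_ts: float, server_now: float,
                       max_skew: float = MAX_CLOCK_SKEW_SECONDS) -> Tuple[bool, str]:
    """Accept a client timestamp only if it lies within +/- max_skew of the verifier's clock."""
    skew = abs(server_now - client_ts)
    if skew > max_skew:
        return False, "clock skew %.0fs exceeds %.0fs" % (skew, max_skew)
    return True, "ok"


class ReplayCache:
    """Remembers authenticators seen inside the skew window so a captured packet cannot be reused.

    A timestamp check alone does not stop replay: a packet replayed within the window still
    carries a 'fresh' timestamp. The cache rejects a second presentation of the same
    (principal, timestamp) pair until the window has closed, after which the skew check rejects it.
    """

    def __init__(self, max_skew: float = MAX_CLOCK_SKEW_SECONDS) -> None:
        self.max_skew = max_skew
        self._seen: Dict[Tuple[str, float], float] = {}  # (principal, client_ts) -> time recorded

    def _expire(self, server_now: float) -> None:
        # An entry whose client timestamp is older than now - max_skew can never pass the
        # skew check again, so it can safely be forgotten.
        cutoff = server_now - self.max_skew
        for key in [k for k in self._seen if k[1] < cutoff]:
            del self._seen[key]

    def accept(self, principal: str, client_ts: float, server_now: float) -> Tuple[bool, str]:
        self._expire(server_now)
        ok, reason = validate_timestamp(client_ts, server_now, self.max_skew)
        if not ok:
            return False, reason
        key = (principal, client_ts)
        if key in self._seen:
            return False, "replay: identical authenticator already seen"
        self._seen[key] = server_now
        return True, "ok"


def run_demo() -> List[Tuple[str, bool, str]]:
    """Constructed scenario: one principal, four packets, one verifier clock."""
    cache = ReplayCache()
    now = 1_700_000_000.0  # constructed verifier clock value (seconds)
    results = []

    # 1. Client clock 30 s ahead of the server: well inside the window, accepted.
    results.append(("fresh packet, +30s skew",) + cache.accept("alice", now + 30, now))

    # 2. Same packet captured and replayed 10 s later: timestamp still valid, but replay cache hits.
    results.append(("replay 10s later",) + cache.accept("alice", now + 30, now + 10))

    # 3. Client clock 6 min 40 s behind the server: outside the 5-minute window, rejected.
    results.append(("stale packet, -400s skew",) + cache.accept("alice", now - 400, now))

    # 4. Same packet as (1) replayed 10 minutes later: cache entry has expired, but the skew
    #    check now rejects it because the timestamp is 570 s behind the verifier clock.
    results.append(("replay 600s later",) + cache.accept("alice", now + 30, now + 600))
    return results


if __name__ == "__main__":
    for label, accepted, reason in run_demo():
        print("%-28s %s (%s)" % (label, "ACCEPT" if accepted else "REJECT", reason))
```

The fourth case shows why the window matters operationally: a verifier only has to remember authenticators for as long as the skew tolerance, so a drifting SCS clock does not just cause failed logins, it also widens the period during which a captured packet stays within the accepted range.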