Datasheet
“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 657 — #683
26
Security in the Network
With this command, any connection directed to earth port 25 (SMTP) is
redirected to the SMTP port on sun via an encrypted channel. This is
especially useful for those using SMTP servers without SMTP-AUTH or
POP-before-SMTP features. From any arbitrary location connected to a
network, e-mail can be transferred to the “home” mail server for delivery.
Similarly, all POP3 requests (port 110) on earth can be forwarded to the
POP3 port of sun with this command:
ssh -L 110:sun:110 earth
Both commands must be executed as root, because the connection is made
to privileged local ports. E-mail is sent and retrieved by normal users
in an existing SSH connection. The SMTP and POP3 host must be set to
localhost for this to work. Additional information can be found in the
manual pages for each of the programs described above and also in the
files under /usr/share/doc/packages/openssh.
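
An added example, not part of the original manual: a Python check that parses the forwarding argument of ssh -L, whose form is [bind_address:]port:host:hostport, and reports for each invocation whether the local port requires root, whether the listener is bound beyond loopback, and whether the destination lies on a host other than the SSH server (that hop is an ordinary TCP connection made by the server, outside the encrypted channel). The function names and the sample invocations other than the page's own command are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar of ssh -L: [bind_address:]port:host:hostport (IPv6 literals in brackets).
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]+\]|[^:\[\]]*):)?(?P<lport>\d+):"
    r"(?P<host>\[[^\]]+\]|[^:\[\]]+):(?P<hostport>\d+)$")
_LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

@dataclass
class Forward:
    bind: Optional[str]  # None: ssh default (loopback unless GatewayPorts is set)
    lport: int           # port the ssh client listens on
    host: str            # destination, resolved and contacted by the SSH server
    hostport: int

def parse_forward(spec: str) -> Forward:
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"not [bind_address:]port:host:hostport: {spec!r}")
    fwd = Forward(m["bind"], int(m["lport"]), m["host"], int(m["hostport"]))
    if not (0 < fwd.lport < 65536 and 0 < fwd.hostport < 65536):
        raise ValueError(f"port out of range in {spec!r}")
    return fwd

def review(spec: str, server: str) -> list:
    """Return review notes for the invocation `ssh -L spec server`."""
    f, notes = parse_forward(spec), []
    if f.lport < 1024:
        notes.append(f"local port {f.lport} is privileged: ssh must run as root")
    if f.bind is not None and f.bind not in _LOOPBACK:
        notes.append(f"listener on port {f.lport} is bound beyond loopback")
    if f.host not in _LOOPBACK and f.host != server:
        notes.append(f"hop {server} -> {f.host}:{f.hostport} is outside the SSH channel")
    return notes

if __name__ == "__main__":
    # Constructed sample invocations; the first is the command from the text.
    for spec, server in [("110:sun:110", "earth"), ("1110:localhost:110", "sun"),
                         ("*:2525:sun:25", "earth")]:
        print(f"ssh -L {spec} {server}")
        for note in review(spec, server) or ["no findings"]:
            print("   -", note)
```

With an unprivileged local port such as 1110, the mail client is pointed at localhost and that port, and ssh does not need to run as root.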
26.5 Network Authentication — Kerberos
An open network provides no means to ensure that a workstation can
identify its users properly except the usual password mechanisms. In common
installations, the user must enter the password each time a service inside
the network is accessed. Kerberos provides an authentication method with
which a user must register once and is then trusted in the complete
network for the rest of the session. To have a secure network, the
following requirements must be met:
- Have all users prove their identity for each desired service and make
  sure no one can take the identity of someone else.
- Make sure each network server also proves its identity. If you do not,
  an attacker might be able to impersonate the server and obtain
  sensitive information transmitted to the server. This concept is called
  mutual authentication, because the client authenticates to the server
  and vice versa.
Kerberos helps you meet the above requirements by providing strongly
encrypted authentication. The following shows how this is achieved. Only
the basic principles of Kerberos are discussed here. For detailed technical
instruction, refer to the documentation provided with your implementation
of Kerberos.
SUSE LINUX Enterprise Server










