|
HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration
Configuring Kerberos for OpenVMS Telnet and OpenVMS SSH
Using Kerberos with TCP/IP SSH for OpenVMS or TCP/IP Telnet
for OpenVMS, you can authenticate your SSH or Telnet connections
between OpenVMS systems. An OpenVMS account and a corresponding Kerberos principal
are required to use both “Kerberized” Telnet and
SSH. For each OpenVMS user you create, create a Kerberos principal
that exactly matches (including case) its OpenVMS account name.
Passwords do not need to match. To configure Kerberos to use TCP/IP SSH for OpenVMS or TCP/IP
Telnet for OpenVMS, or both, perform the following steps. Then
see “Configuring HP TCP/IP
Services for OpenVMS SSH with Kerberos”, or “Configuring HP TCP/IP Services for OpenVMS
Telnet with Kerberos” and follow
the instructions in the section that applies to you. Create
the principal. For the Kerberos configuration, you can
use either DCL or UNIX-style commands to create the principal. The
first example below shows the DCL commands. The second example shows
the UNIX-style commands. Both styles of commands are entered on
an OpenVMS system. |
DCL: $ KERBEROS/ADMIN KerberosAdmin> login “SYSTEM/admin” Enter password: Authenticating as principal SYSTEM/admin with password. KerberosAdmin> list principal K/M@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM kadmin/admin@NODE1.HP.COM kadmin/changepw@NODE1.HP.COM kadmin/node1@NODE1.HP.COM kadmin/history@NODE1.HP.COM krbtgt/NODE1.HP.COM@NODE1.HP.COM KerberosAdmin> create principal “USER1” Authenticating as principal SYSTEM/admin with password. WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy Enter password for principal “USER1@NODE1.HP.COM”: Re-enter password for principal “USER1@NODE1.HP.COM”: Principal “USER1@NODE1.HP.COM” created. KerberosAdmin> list principal Authenticating as principal SYSTEM/admin with password. K/M@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM USER1@NODE1.HP.COM kadmin/admin@NODE1.HP.COM kadmin/changepw@NODE1.HP.COM kadmin/node1@NODE1.HP.COM kadmin/history@NODE1.HP.COM krbtgt/NODE1.HP.COM@NODE1.HP.COM UNIX: $ kinit “SYSTEM/admin” Password for SYSTEM/admin@NODE1.HP.COM: $ kadmin Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. Enter password: KADMIN: listprincs K/M@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM kadmin/admin@NODE1.HP.COM kadmin/changepw@NODE1.HP.COM kadmin/node1@NODE1.HP.COM kadmin/history@NODE1.HP.COM krbtgt/NODE1.HP.COM@NODE1.HP.COM KADMIN: addprinc “USER1” WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy Enter password for principal “USER1@NODE1.HP.COM”: Re-enter password for principal “USER1@NODE1.HP.COM”: Principal “USER1@NODE1.HP.COM” created. KADMIN: listprincs K/M@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM USER1@NODE1.HP.COM kadmin/admin@NODE1.HP.COM kadmin/changepw@NODE1.HP.COM kadmin/node1@NODE1.HP.COM kadmin/history@NODE1.HP.COM krbtgt/NODE1.HP.COM@NODE1.HP.COM
|
|
Create the Kerberos
host principals. For the Kerberos configuration, you
can use either DCL or UNIX-style commands to create the principal.
The first example below shows the DCL commands. The second example
shows the UNIX-style commands. |
DCL: KerberosAdmin> create principal/random “host/node1.hp.com@NODE1.HP.COM” Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. Principal “host/node1.hp.com@NODE1.HP.COM” created. KerberosAdmin> create principal/random “host/node1@NODE1.HP.COM” Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. Principal “host/node1@NODE1.HP.COM” created. KerberosAdmin> list principal Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. K/M@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM USER1@NODE1.HP.COM host/node1.hp.com@NODE1.HP.COM host/node1@NODE1.HP.COM kadmin/admin@NODE1.HP.COM kadmin/changepw@NODE1.HP.COM kadmin/history@NODE1.HP.COM krbtgt/NODE1.HP.COM@NODE1.HP.COM KerberosAdmin> create keytab “host/node1.hp.com@NODE1.HP.COM” Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KerberosAdmin> create keytab “host/node1@NODE1.HP.COM” Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KerberosAdmin> list keytab Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1) host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32) host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1) host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32) KerberosAdmin> exit $ UNIX: KADMIN: addprinc -randkey “host/node1.hp.com@NODE1.HP.COM” Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. Principal “host/node1.hp.com@NODE1.HP.COM” created. KADMIN: addprinc -randkey “host/node1@NODE1.HP.COM” Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password. Principal “host/node1@NODE1.HP.COM” created. KADMIN: listprincs K/M@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM USER1@NODE1.HP.COM host/node1.hp.com@NODE1.HP.COM host/node1@NODE1.HP.COM kadmin/admin@NODE1.HP.COM kadmin/changepw@NODE1.HP.COM kadmin/history@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM krbtgt/NODE1.HP.COM@NODE1.HP.COM KADMIN: ktadd “host/node1.hp.com@NODE1.HP.COM” KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KADMIN: ktadd “host/node1@NODE1.HP.COM” KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab. KADMIN: ktlist host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1) host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32) host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1) host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32) KADMIN: exit $
|
|
|
|