This chapter explains how to use the Kerberos authentication system.
Kerberos provides a secure way of proving a user's identity across an insecure network. It does this without transmitting passwords where an intruder could see them. MultiNet has several enhanced, or Kerberized, commands including RCP, RLOGIN, RSHELL, and TELNET.
The process of proving one's identity is called authentication. Deciding whether or not to allow access to a resource is called authorization. Kerberos is an authentication system. Because authentication is a prerequisite to authorization, an application can make an authorization decision (for example, deciding to permit you to log in) based on your identity as authenticated by Kerberos.
Kerberos maintains a list of users and their encrypted passwords. Before you can use Kerberized commands, your system manager must have added your name to this list. You can only use Kerberized commands if you have a ticket for the command you wish to use. Analogous to the tickets you purchase when you go to a movie, Kerberos tickets permit you to invoke Kerberized utilities while you are logged in.
To use Kerberos, you must first:
· Acquire an initial ticket when you log in. This initial ticket, known as a ticket-getting ticket (or TGT; the standard Kerberos term is ticket-granting ticket), enables you to automatically get the other tickets you need to access application servers. You may also need to acquire another TGT when a previous one expires.
· Delete tickets before you log out. It is very important to remember to delete your tickets any time you leave your terminal! If another user "borrows" your tickets, you can be locked out of the network or impersonated by the intruder.
· Always run Kerberized utilities with the /AUTH qualifier. (The full form of the qualifier is /AUTHENTICATION=KERBEROS.)
· Change your Kerberos password at least once a month.
Note: The instructions in this chapter apply to Kerberos V4. MultiNet has added Kerberos V5 functionality to the TELNET and SSH applications only. Kerberos V5 database and ticket management functionality can be obtained with the HP Kerberos for OpenVMS product.
Kerberos security helps protect you and other users from data theft and other possible security breaches. You are the ultimate security element in making sure your files are safe; it is up to you to choose a password that is not easily guessed, and delete your tickets before you log out.
Before continuing with this chapter, make sure Kerberos is available on your system by asking your system manager these questions:
1. Is Kerberos enabled?
2. Has a Kerberos principal been created for me?
3. Do I need to get and delete Kerberos tickets?
· If the answer to all three questions is yes, read this chapter.
· If Kerberos is not enabled, skip to the next chapter.
· If no Kerberos principal exists, your system manager must add one for you before you can use Kerberos.
· If you answered yes to questions 1 and 2 but no to question 3, you only need to read the section on changing your Kerberos password. All other commands are handled automatically on your system.
To acquire your initial ticket-getting ticket, enter this command from the DCL command line:
$ MULTINET KERBEROS INIT
This node is: holmes.example.com
Kerberos Initialization for "john"
Password: password
If you need to be authenticated as another user, use the /USERNAME qualifier. Use the /REALM qualifier to be authenticated in another realm. (A realm is an administrative name for a site, system, or other organizational entity.)
You can delete tickets with this command:
$ MULTINET KERBEROS DESTROY
You can use the MULTINET KERBEROS INIT command with the /USERNAME qualifier to obtain tickets under another user name. For example, if you gained access to the system through a GUEST login, but you want to continue access to the network as yourself, you could use the /USERNAME qualifier with the MULTINET KERBEROS INIT command to specify your own user name. When you issue this form of the command, you are prompted for the other user's Kerberos password.
To access a remote system as another user, use both the /AUTH and /USERNAME qualifiers with the RCP, RLOGIN, RSHELL, and TELNET commands.
The RCP, RLOGIN, RSHELL, and TELNET commands all support the /AUTHENTICATION=KERBEROS qualifier (specify this qualifier first before any other qualifiers). You can shorten this qualifier to /AUTH. For example:
$ RLOGIN/AUTH EXAMPLE.COM
You can use the /USERNAME qualifier with the /AUTH qualifier to specify the user name you want to use to log into the remote system.
You can check the status of your tickets with the MULTINET KERBEROS LIST utility. For example, to test the status from the command line, enter:
$ MULTINET KERBEROS LIST
Principal: john@EXAMPLE.COM
Issued                Expires               Principal
June 13 16:16:47      June 14 00:16:47      krbgt.TROIKA.FOO@TROIKA.FOO
$
The utility also provides the /CHECK_TGT qualifier so you can test whether your ticket-getting ticket has already expired. If the ticket has expired, run MULTINET KERBEROS INIT again. The following command procedure tests your ticket status:
$! Test ticket status
$!
$ MULTINET KERBEROS LIST /CHECK_TGT
$ IF $STATUS THEN WRITE SYS$OUTPUT "Okay"
If the tickets are valid, $STATUS is true (an odd, success value). If the tickets have expired, $STATUS is false (an even, failure value).
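The commands above (MULTINET KERBEROS INIT, DESTROY, LIST /CHECK_TGT and the /AUTH qualifier) fit together into one session procedure. The following DCL command procedure is an added example, not part of the MultiNet documentation: it acquires a TGT only when no valid one exists, runs a Kerberized RLOGIN, and destroys the tickets when the session ends, including after an error or Ctrl/Y, so that no tickets are left behind at the terminal. The procedure name KRBSESSION.COM and the default host EXAMPLE.COM are placeholders.

```dcl
$! KRBSESSION.COM (placeholder name): run one Kerberized RLOGIN session
$! and make sure the tickets are removed afterwards.
$!
$! Usage:  @KRBSESSION host [username]
$!   P1 = remote host (placeholder default EXAMPLE.COM)
$!   P2 = optional user name to log in as (adds /USERNAME)
$!
$! Added example; not MultiNet's own code.
$ ON CONTROL_Y THEN GOTO CLEANUP
$ ON ERROR     THEN GOTO CLEANUP
$ IF P1 .EQS. "" THEN P1 = "EXAMPLE.COM"
$ USERQ = ""
$ IF P2 .NES. "" THEN USERQ = "/USERNAME=''P2'"
$!
$! Is there already a valid ticket-getting ticket?
$! /CHECK_TGT returns a failure status when the TGT is missing or expired,
$! so temporarily disable error checking while testing it.
$ SET NOON
$ MULTINET KERBEROS LIST /CHECK_TGT
$ TGT_OK = $STATUS
$ SET ON
$!
$! No usable TGT: acquire one (this prompts for the Kerberos password).
$ IF .NOT. TGT_OK THEN MULTINET KERBEROS INIT
$!
$! Run the Kerberized utility. /AUTH must come before any other qualifier.
$ RLOGIN /AUTH 'USERQ' 'P1'
$!
$ CLEANUP:
$! Always delete the tickets when the session ends, whatever the reason,
$! so a later user of this terminal cannot borrow them.
$ SET NOON
$ MULTINET KERBEROS DESTROY
$ EXIT
```

Note that the cleanup step destroys all of the current process's tickets, including any that existed before the procedure started; if you routinely keep a TGT between sessions, drop the DESTROY here and rely on deleting tickets before you log out instead.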
You can change your Kerberos password with this command:
$ MULTINET KERBEROS PASSWORD
Old password for holmes: ********
New password for holmes: ********
Verifying, re-enter New password for holmes: ********
$
Use these guidelines for selecting a Kerberos user password:
· Kerberos passwords are case-sensitive: any character you typed in uppercase (with the SHIFT key) when you created the password must be typed in uppercase every time you enter it.
· Kerberos passwords can be up to 64 characters long.
· Spaces and control characters are not permitted. In addition, you cannot use the DELETE key to correct a misspelling when entering a password.
· Select a password that is not a name or proper noun, and preferably not a common word. Intersperse letters and numbers throughout the string.