Installing and Administering Internet Services: HP 9000 Networking > Chapter 11 Secure Internet Services

Overview of the Secure Internet Services


Network security concerns are becoming increasingly important to the computer system user. The purpose of the Secure Internet Services is to allow the user greater security when running these services.

When an Internet Services client connects to the server daemon, the server daemon requests authentication. The Secure Internet Services authenticate, or in other words validate, the identity of the client and server to each other in a secure way. Also, with the Secure Internet Services, users are authorized to access an account on a remote system by the transmission of encrypted tickets rather than by using the traditional password mechanism. The traditional password mechanism, used with non-secure Internet Services, sends the password in a readable form (unencrypted) over the network. This creates a security risk from intruders who may be listening over the network.

The Secure Internet Services are meant as replacements for their non-secure counterparts. The main benefit of running the Secure Internet Services is that user authorization no longer requires transmitting a password in a readable form over the network. Authorization is the process in which servers verify what access remote users should have on the local system.

The Secure Internet Services may only be used in conjunction with software products that provide a Kerberos V5 Network Authentication Services environment (for example, the HP DCE Security Service or the Praesidium/Security Service). The network authentication mechanism ensures that the local and remote hosts are mutually identified to each other in a secure and trusted manner and that the user is authorized to access the remote account.

For ftp/ftpd, rlogin/rlogind, and telnet/telnetd, the Kerberos V5 authentication involves sending encrypted tickets instead of a readable password over the network to verify and identify the user. Although rcp/remshd and remsh/remshd (used with a command) do not prompt for a password, using these services with the Kerberos V5 authentication provided when the Secure Internet Services mechanism is enabled ensures that the user is authorized to access the remote account. (If remsh is used with no command specified, rlogin/rlogind is invoked.)

If any of the Secure Internet Services are installed in an environment where some of the remote systems on the network are running without the Secure Internet Services mechanism enabled, you can use a special command line option to bypass Kerberos authentication to access those remote systems. However, if a password is required to access the system, the password is sent in a readable form over the network. See “Bypassing and Enforcing Kerberos Authentication” for more information.

CAUTION: None of the Secure Internet Services encrypts the session beyond what is necessary to authorize the user or authenticate the service. So, these services do not provide integrity-checking or encryption services on the data or on remote sessions.
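
The contrast described above, seen from a passive listener's position, as an added example that is not part of the HP documentation. It is a simplified model of ticket-based login, not the Kerberos V5 wire format; the toy cipher, the function names, and the sample account and command are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(password, salt):
    # Long-term key derived from the password; the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, pt):
    # Toy authenticated encryption standing in for the Kerberos V5 ciphers.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def legacy_login(wire, user, password, command):
    wire.append(f"{user}:{password}".encode())  # readable password on the network
    wire.append(command)                         # session data, readable
    return user

def ticket_login(wire, kdc_keys, user, password, service, command):
    # Authentication service: session key for the client, ticket for the server.
    session = os.urandom(32)
    reply = seal(kdc_keys[user], session)
    ticket = seal(kdc_keys[service], user.encode() + b"|" + session)
    wire += [user.encode(), reply, ticket]
    # Client: only the right password yields the key that opens the reply.
    c_key = unseal(kdf(password, user), reply)
    authenticator = seal(c_key, b"client:" + user.encode())
    wire.append(authenticator)
    # Server: opens the ticket with its own key, then checks the authenticator.
    who, _, s_key = unseal(kdc_keys[service], ticket).partition(b"|")
    if unseal(s_key, authenticator) != b"client:" + who:
        raise ValueError("authenticator does not match ticket")
    proof = seal(s_key, b"server:" + service.encode())
    wire.append(proof)
    unseal(c_key, proof)   # client verifies the server: mutual authentication
    wire.append(command)   # per the CAUTION: session data is NOT encrypted
    return who.decode()
```

Each `wire` list holds what a listener on the network would capture: the legacy login exposes the password, the ticket login exposes only sealed messages, and both expose the session data.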
© 2000 Hewlett-Packard Development Company, L.P.