The tasks you should do if you want to verify that the Secure Internet Services have been configured correctly are described in the paragraphs below.

Secure Environment Checklist
The following is a quick checklist to verify that the secure environment is properly configured.

1. On the KDC, issue a ps -ef command and verify that the necessary security server executables are running. Look for secd on an HP DCE Security Service or an HP P/SS, or for krb5kdc on a non-HP Kerberos V5 KDC.

2. Use an appropriate tool to verify that the desired principals exist in the KDC database. This can usually be done remotely. For the HP DCE Security Service and the HP P/SS, use dcecp.

3. Issue an inetsvcs_sec status command to determine whether the Secure Internet Services mechanism is enabled (see “Checking the Current Authentication Mechanism”).

4. Ensure that the following entries exist in the /etc/services file or in the NIS or NIS+ services database:

       kerberos5   88/udp    kdc
       klogin      543/tcp
       kshell      544/tcp   krcmd kcmd
5. Ensure that the following entries exist in /etc/inetd.conf:

       klogin  stream tcp nowait root /usr/lbin/rlogind  rlogind -K
       kshell  stream tcp nowait root /usr/lbin/remshd   remshd -K
       ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd
       telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
   Different options may be set from the default options shown above. If you modified the /etc/inetd.conf file, you must run the inetd -c command to force inetd to reread its configuration file.

6. To ensure that the client configurations are correct, invoke the validation application, krbval. The krbval tool checks for proper configuration of security clients. It can be used to "ping" a particular realm's KDC. It can also check the keys in the keytab file for agreement with the KDC. By acting as a client/daemon service itself, it can further assist in verifying the correctness of the configuration. For more information, refer to the krbval(1M) man page.

   The krbval tool is also described in Using HP DCE 9000 Security with Kerberos Applications, available in PostScript and ASCII form in the directory /opt/dce/newconfig/RelNotes/ in the files krbWhitePaper.ps and krbWhitePaper.text. For information about krbval, you can also see Appendix C ("Using Praesidium/Security Service with Kerberos Applications") in Planning and Configuring Praesidium/Security Service.
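The two file checks in the checklist (items 4 and 5) can be scripted so they are repeatable after every change to inetd.conf. The script below is an added example, not part of the HP-UX manual: it takes the paths of /etc/services and /etc/inetd.conf (or copies of them) as parameters, reports any listed entry that is missing, and flags klogin or kshell entries that do not carry the -K flag shown in the default entries. The -K requirement reflects the defaults above and should be relaxed if your site deliberately runs different options. The sample files written by write_samples are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual): checks that the Secure Internet
# Services entries from the checklist are present in /etc/services and
# /etc/inetd.conf, and that rlogind/remshd are started with -K.
# File paths are parameters so the checks can be run against copies.

# check_services FILE: verify kerberos5 88/udp, klogin 543/tcp and
# kshell 544/tcp are defined. Returns 0 when all are present.
check_services() {
    file=$1
    status=0
    for entry in "kerberos5 88/udp" "klogin 543/tcp" "kshell 544/tcp"; do
        name=${entry%% *}
        port=${entry#* }
        # Skip comment lines; match the service name and port/proto columns.
        if ! grep -v '^[[:space:]]*#' "$file" |
             awk -v n="$name" -v p="$port" '$1 == n && $2 == p { found = 1 } END { exit !found }'; then
            echo "services: missing \"$entry\""
            status=1
        fi
    done
    return $status
}

# check_inetd FILE: verify klogin, kshell, ftp and telnet are served, and that
# the klogin/kshell lines carry the -K flag used in the checklist defaults.
check_inetd() {
    file=$1
    status=0
    for svc in klogin kshell ftp telnet; do
        line=$(grep -v '^[[:space:]]*#' "$file" | awk -v s="$svc" '$1 == s { print; exit }')
        if [ -z "$line" ]; then
            echo "inetd.conf: no entry for $svc"
            status=1
            continue
        fi
        case $svc in
        klogin|kshell)
            # The checklist's default entries start rlogind and remshd with -K.
            case " $line " in
            *" -K "*) ;;
            *) echo "inetd.conf: $svc entry lacks -K"; status=1 ;;
            esac
            ;;
        esac
    done
    return $status
}

# write_samples DIR: constructed good and bad sample files for the demo.
write_samples() {
    dir=$1
    cat > "$dir/services.good" <<'EOF'
# constructed sample
kerberos5 88/udp kdc
klogin    543/tcp
kshell    544/tcp krcmd kcmd
EOF
    cat > "$dir/services.bad" <<'EOF'
kerberos5 88/udp kdc
klogin    543/tcp
EOF
    cat > "$dir/inetd.good" <<'EOF'
klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K
kshell stream tcp nowait root /usr/lbin/remshd  remshd -K
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
EOF
    cat > "$dir/inetd.bad" <<'EOF'
klogin stream tcp nowait root /usr/lbin/rlogind rlogind
kshell stream tcp nowait root /usr/lbin/remshd  remshd -K
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd
EOF
}

# Stand-alone demo: run both checks against the constructed samples.
# On a real host run: check_services /etc/services; check_inetd /etc/inetd.conf
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in services inetd; do
    for kind in good bad; do
        echo "== $f.$kind"
        if "check_$f" "$SAMPLES/$f.$kind"; then echo "OK"; else echo "needs attention"; fi
    done
done
rm -rf "$SAMPLES"
```

Run as root after editing /etc/inetd.conf and before issuing inetd -c; a non-zero return from either function means the printed entry needs to be added or corrected first.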
Verifying Usage of Secure Internet Services
You may first want to read the section “Using the Secure Internet Services” before continuing with this section.

1. Obtain a TGT (ticket granting ticket) from the KDC. On an HP DCE security client, use the dce_login command. On an HP P/SS security client, use the dess_login command. On an HP Kerberos client or a non-HP Kerberos client, use the kinit command.

2. Invoke the desired Secure Internet Service in the same manner as in a non-secure environment. If the Secure Internet Services mechanism is enabled successfully, the only visible difference in ftp, rlogin, and telnet from execution on a non-secure system will be that, if a password was required on the non-secure version, the password prompt will not be displayed on the secure version. Also, for telnet, the logon prompt is not displayed. If the Secure Internet Services mechanism is enabled successfully, there are no visible differences in remsh (used with a command) and rcp from execution on a non-secure system.

3. Before logging off the local system, invoke the kdestroy command. This will remove the credentials cache file.