HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration

Configuring Kerberos for OpenVMS Telnet and OpenVMS SSH


Using Kerberos with TCP/IP SSH for OpenVMS or TCP/IP Telnet for OpenVMS, you can authenticate your SSH or Telnet connections between OpenVMS systems.

An OpenVMS account and a corresponding Kerberos principal are required to use either "Kerberized" Telnet or "Kerberized" SSH. For each OpenVMS user, create a Kerberos principal whose name exactly matches the OpenVMS account name, including case; the Kerberos password and the OpenVMS password do not need to match.

To configure Kerberos for TCP/IP SSH for OpenVMS, TCP/IP Telnet for OpenVMS, or both, perform the following steps. Then follow the instructions in whichever of "Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos" or "Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos" applies to you.

  1. Create the principal. For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal.

    The first example below shows the DCL commands. The second example shows the UNIX-style commands. Both styles of commands are entered on an OpenVMS system.

    DCL:

    $ KERBEROS/ADMIN
    KerberosAdmin> login "SYSTEM/admin"
    Enter password:
    Authenticating as principal SYSTEM/admin with password.
    KerberosAdmin> list principal
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create principal "USER1"
    Authenticating as principal SYSTEM/admin with password.
    WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy
    Enter password for principal "USER1@NODE1.HP.COM":
    Re-enter password for principal "USER1@NODE1.HP.COM":
    Principal "USER1@NODE1.HP.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

    UNIX:

    $ kinit "SYSTEM/admin"
    Password for SYSTEM/admin@NODE1.HP.COM:
    $ kadmin
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Enter password:
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: addprinc "USER1"
    WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy
    Enter password for principal "USER1@NODE1.HP.COM":
    Re-enter password for principal "USER1@NODE1.HP.COM":
    Principal "USER1@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
  2. Create the Kerberos host principals and add their keys to the host keytab. Two host principals are created with random keys (no one types a host's password): the fully qualified form, host/node1.hp.com, and the short form, host/node1, so that the service is found whichever name a client uses for the host. The create keytab (DCL) or ktadd (UNIX) command then writes each principal's keys into krb$root:[etc]krb5.keytab. That file holds the host's long-term keys; protect it as you would a password file, because anyone who can read it can impersonate the host's Telnet and SSH services. As in step 1, you can use either DCL or UNIX-style commands. The first example below shows the DCL commands. The second example shows the UNIX-style commands.

    DCL:

    KerberosAdmin> create principal/random "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1.hp.com@NODE1.HP.COM" created.
    KerberosAdmin> create principal/random "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1@NODE1.HP.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    host/node1.hp.com@NODE1.HP.COM
    host/node1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create keytab "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.

    KerberosAdmin> create keytab "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.

    KerberosAdmin> list keytab
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    KerberosAdmin> exit
    $

    UNIX:

    KADMIN: addprinc -randkey "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1.hp.com@NODE1.HP.COM" created.
    KADMIN: addprinc -randkey "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    host/node1.hp.com@NODE1.HP.COM
    host/node1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: ktadd "host/node1.hp.com@NODE1.HP.COM"
    KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.
    KADMIN: ktadd "host/node1@NODE1.HP.COM"
    KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.
    KADMIN: ktlist
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    KADMIN: exit
    $
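The keytab written in step 2, krb$root:[etc]krb5.keytab, is a binary file, and list keytab / ktlist only echo what is in it. The Python script below is an added example, not part of the HP documentation or of the OpenVMS Kerberos kit: it parses an MIT-format keytab (format version 0x0502, which is assumed to be what the kit's krb5.keytab uses) and audits it, flagging entries whose enctype is single DES, 3DES or RC4, reporting expected host principals that have no entry, and reporting a principal whose entries disagree on kvno (a stale key left behind after a rekey). The sample keytab is constructed in memory from the four entries shown in the listing above, with placeholder key bytes; build_keytab, parse_keytab, audit_keytab and the expected-principal list are the example's own, and running it against a copy of the real file taken off the OpenVMS system is an assumption.

```python
import struct
from dataclasses import dataclass

# Enctype numbers from the IANA Kerberos registry. Single DES is withdrawn by
# RFC 6649; 3DES and RC4 are deprecated by RFC 8429.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ENCTYPE_WARNINGS = {1: "single DES (withdrawn, RFC 6649)", 3: "single DES (withdrawn, RFC 6649)",
                    16: "3DES (deprecated, RFC 8429)", 23: "RC4 (deprecated, RFC 8429)"}


@dataclass
class KeytabEntry:
    principal: str      # e.g. host/node1.hp.com@NODE1.HP.COM
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def build_keytab(entries):
    """Serialise entries as an MIT keytab, format version 0x0502 (big-endian).
    Used here only to construct a sample keytab in memory."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # component count (realm excluded in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)                      # name type NT-PRINCIPAL
        body += struct.pack(">I", e.timestamp)
        body += struct.pack(">B", e.kvno & 0xFF)          # 8-bit kvno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                 # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format of krb5.keytab) into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])

    def counted(p):                 # uint16 length-prefixed string at offset p
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n

    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # 0 ends the file; a negative size marks a deleted slot of that length
            if size == 0:
                break
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c)
        (ts,) = struct.unpack_from(">I", data, pos + 4)   # 4-byte name type precedes the timestamp
        kvno = data[pos + 8]
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = bytes(data[pos + 13:pos + 13 + klen])
        pos += 13 + klen
        if end - pos >= 4:          # 32-bit kvno present; a non-zero value overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def audit_keytab(entries, expected_principals):
    """Flag weak enctypes, expected principals that have no key, and principals
    whose entries disagree on kvno (a stale key left behind after a rekey)."""
    weak = [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), ENCTYPE_WARNINGS[e.enctype])
            for e in entries if e.enctype in ENCTYPE_WARNINGS]
    present = {e.principal for e in entries}
    kvnos = {}
    for e in entries:
        kvnos.setdefault(e.principal, set()).add(e.kvno)
    return {"weak": weak,
            "missing": [p for p in expected_principals if p not in present],
            "kvno_conflicts": [p for p, ks in kvnos.items() if len(ks) > 1]}


# Constructed sample mirroring the four 'list keytab' entries above (kvno 3,
# 3DES and single DES for each host principal); the key bytes are placeholders.
SAMPLE_ENTRIES = [
    KeytabEntry("host/node1.hp.com@NODE1.HP.COM", 3, 16, bytes(range(24)), 1100000000),
    KeytabEntry("host/node1.hp.com@NODE1.HP.COM", 3, 1, bytes(range(8)), 1100000000),
    KeytabEntry("host/node1@NODE1.HP.COM", 3, 16, bytes(range(24, 48)), 1100000000),
    KeytabEntry("host/node1@NODE1.HP.COM", 3, 1, bytes(range(8, 16)), 1100000000)]
EXPECTED = ["host/node1.hp.com@NODE1.HP.COM", "host/node1@NODE1.HP.COM"]


def run_sample():
    """Round-trip the sample through the keytab format and audit the result."""
    entries = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    return entries, audit_keytab(entries, EXPECTED)
```

To audit a real keytab, pass the file's bytes to parse_keytab (for example open("krb5.keytab", "rb").read() on a copy of the file) and the host principals you created in step 2 to audit_keytab. Move that copy only over a protected channel and delete it afterwards: it contains the host's long-term keys, and whoever holds them can impersonate the host's Telnet and SSH services and decrypt service tickets issued for them. On the sample, every entry is reported: the 3DES entries as deprecated and the DES-CBC-CRC entries as withdrawn, which is the expected result for the enctypes the listing above shows; where the KDC and the kit support it, AES keys and no DES entries at all are what you want in this file.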