HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration
Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos
Using Kerberos with the TCP/IP Services for OpenVMS KTELNET service, you can authenticate your Telnet connections between OpenVMS systems. The minimum version of TCP/IP Services for OpenVMS necessary for Kerberized Telnet is Version 5.3. If you are using a version of TCP/IP Services for OpenVMS prior to Version 5.5, you must download the Kerberized Telnet client (TCPIP$TELNET.EXE) and server (TCPIP$TELNET_SERVER.EXE) kits from http://h71000.www7.hp.com/openvms/products/kerberos/

NOTE: If you download the Telnet client and server, you must copy TCPIP$TELNET.EXE and TCPIP$TELNET_SERVER.EXE to SYS$COMMON:[SYSEXE].

You do not need to run these files directly. They are executed when you first run Telnet after following the instructions below.

To "Kerberize" your Telnet connections, perform the following steps.

1. Install and configure TCP/IP Services for OpenVMS Version 5.3 or higher.

2. Install and configure Kerberos for OpenVMS. If you have already installed OpenVMS Version 7.3-2 or higher, Kerberos is part of the OpenVMS installation procedure. If you have an earlier version of OpenVMS installed, you can download the Kerberos for OpenVMS PCSI kit from the Kerberos web site at http://h71000.www7.hp.com/openvms/products/kerberos/

3. Shut down Kerberos, if it is running, by entering the following command:

       $ @SYS$STARTUP:KRB$SHUTDOWN

4. Configure TCP/IP Services for OpenVMS by entering the following command:

       $ @SYS$STARTUP:TCPIP$CONFIG

5. Select #2, Client components, from the TCP/IP Configuration Menu:

       HP TCP/IP Services for OpenVMS Configuration Menu

           Configuration options:

                1  -  Core environment
                2  -  Client components
                3  -  Server components
                4  -  Optional components

                5  -  Shutdown HP TCP/IP Services for OpenVMS
                6  -  Startup HP TCP/IP Services for OpenVMS
                7  -  Run tests

                A  -  Configure options 1 - 4
               [E] -  Exit configuration procedure

       Enter configuration option: 2

6. Ensure that the Telnet service is stopped. If Telnet is already stopped, skip to step 8. If Telnet is not currently stopped, select #8, TELNET, from the Client Components Configuration Menu:

       HP TCP/IP Services for OpenVMS Client Components Configuration Menu

           Configuration options:

                1  -  DHCP Client      Disabled  Stopped
                2  -  FTP Client       Enabled   Started
                3  -  NFS Client       Disabled  Stopped
                4  -  REXEC and RSH    Enabled   Started
                5  -  RLOGIN           Enabled   Started
                6  -  SMTP             Disabled  Stopped
                7  -  SSH Client       Enabled   Started
                8  -  TELNET           Enabled   Started
                9  -  TELNETSYM        Disabled  Stopped

                A  -  Configure options 1 - 9
               [E] -  Exit menu

       Enter configuration option: 8

   NOTE: You must stop the Telnet service before you can begin to configure Kerberized Telnet. Stopping the Telnet service disconnects current Telnet sessions.

7. Select #3, Stop service on this node, from the TELNET configuration menu:

       TELNET configuration options:

                1  -  Enable service on all nodes
                2  -  Enable service on this node
                3  -  Stop service on this node

               [E] -  Exit TELNET configuration

       Enter configuration option: 3

8. Select [E], Exit menu, from the Client Components Configuration Menu:

           Configuration options:

                1  -  DHCP Client      Disabled  Stopped
                2  -  FTP Client       Enabled   Started
                3  -  NFS Client       Disabled  Stopped
                4  -  REXEC and RSH    Enabled   Started
                5  -  RLOGIN           Enabled   Started
                6  -  SMTP             Disabled  Stopped
                7  -  SSH Client       Enabled   Started
                8  -  TELNET           Enabled   Stopped
                9  -  TELNETSYM        Disabled  Stopped

                A  -  Configure options 1 - 9
               [E] -  Exit menu

       Enter configuration option: E

9. Select #4, Optional components, from the TCP/IP Configuration Menu:

       HP TCP/IP Services for OpenVMS Configuration Menu

           Configuration options:

                1  -  Core environment
                2  -  Client components
                3  -  Server components
                4  -  Optional components

                5  -  Shutdown HP TCP/IP Services for OpenVMS
                6  -  Startup HP TCP/IP Services for OpenVMS
                7  -  Run tests

                A  -  Configure options 1 - 4
               [E] -  Exit configuration procedure

       Enter configuration option: 4

10. Select #4, Configure Kerberos Applications, from the Optional Components Configuration Menu:

       HP TCP/IP Services for OpenVMS Optional Components Configuration Menu

           Configuration options:

                1  -  Configure PWIP Driver (for DECnet-Plus and PATHWORKS)
                2  -  Configure SRI QIO Interface (INET Driver)
                3  -  Set up Anonymous FTP Account and Directories
                4  -  Configure Kerberos Applications
                5  -  Configure failSAFE IP

                A  -  Configure options 1 - 5
               [E] -  Exit menu

       Enter configuration option: 4

11. Select #1, Add Kerberos for TELNET server, from the Kerberos Applications Configuration Menu:

       Kerberos Applications Configuration Menu

       TELNET Kerberos is not defined in the TCPIP$SERVICE database.

           Configuration options:

                1  -  Add Kerberos for TELNET server
                2  -  Remove Kerberos for TELNET server

               [E] -  Exit menu

       Enter configuration option: 1

12. Select Exit three times to exit from the submenus of the TCP/IP Configuration Menu. If the system asks whether you want to start Telnet now, answer NO.

       The following services are enabled but not started:  TELNET

       Start these services now? [N] NO

       You may start services individually with:
       @SYS$STARTUP:TCPIP$<service>_STARTUP.COM

13. Manually start Telnet by entering the following command:

       $ @SYS$STARTUP:TCPIP$TELNET_STARTUP.COM
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET_SERVER.EXE installed
       %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET.EXE installed
       %TCPIP-I-INFO, logical names created
       %TCPIP-I-INFO, telnet service enabled
       %TCPIP-I-INFO, telnet (kerberos) service enabled
       %TCPIP-S-STARTDONE, TCPIP$TELNET startup completed

14. Start Kerberos by entering the following command:

       $ @SYS$STARTUP:KRB$STARTUP

15. Verify that the Kerberos Telnet (KTELNET) service is enabled by entering the following command. (If KTELNET is disabled, you can enable it with the $ TCPIP ENABLE SERVICE KTELNET command.)

       $ TCPIP SHOW SERVICE

       Service   Port  Proto  Process        Address    State
       FTP         21  TCP    TCPIP$FTP      0.0.0.0    Enabled
       KTELNET   2323  TCP    TCPIP$TELNET   0.0.0.0    Enabled
       REXEC      512  TCP    TCPIP$REXEC    0.0.0.0    Enabled
       RLOGIN     513  TCP    not defined    0.0.0.0    Enabled
       RSH        514  TCP    TCPIP$RSH      0.0.0.0    Enabled
       SSH         22  TCP    TCPIP$SSH      0.0.0.0    Enabled
       TELNET      23  TCP    not defined    0.0.0.0    Enabled

16. Set up the Kerberos symbols, if you have not already done so, by adding the following command to the SYS$MANAGER:SYLOGIN.COM file:

       $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use Kerberized Telnet.

1. Log into the OpenVMS system.

       Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

       Username: user1
       Password:

2. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter the following command at the DCL prompt each time you start a Kerberized application, such as TCP/IP Services for OpenVMS Telnet. You are then prompted for the password associated with the principal. (The -f denotes forwardable credentials.)

       $ kinit -f "USER1"
       password for user1@node1.hp.com

3. Enter the TELNET/AUTH command, specifying Kerberos port 2323, to start the TELNET session, as follows:

       $ kinit -f "USER1"
       $ TELNET/AUTH NODE1 2323
       %TELNET-I-TRYING, Trying ... 1.2.3.4
       %TELNET-I-SESSION, Session 01, host node1, port 2323
       -TELNET-I-ESCAPE, Escape character is ^]
       [ Kerberos V5 accepts you as "user1.NODE1.HP.COM" ]

4. Optionally, enter the TELNET/AUTH/FORW command, specifying Kerberos port 2323, to forward credentials. (Note: Forwarding credentials to non-OpenVMS servers works properly, but there is currently a problem in forwarding credentials to OpenVMS servers. This will be corrected in a future TCP/IP Services for OpenVMS ECO kit.)

       $ TELNET/AUTH/FORW NODE1 2323
       %TELNET-I-TRYING, Trying ... 1.2.3.4
       %TELNET-I-SESSION, Session 01, host node1, port 2323
       -TELNET-I-ESCAPE, Escape character is ^]
       [ Kerberos V5 accepts you as "user1@NODE1.HP.COM" ]
       [ Kerberos V5 refuses authentication ]

If you are using Kerberized Telnet to a non-OpenVMS system, specify the default port of 23. Port 2323 is used only when contacting a Kerberized Telnet server on an OpenVMS system, because Telnet on OpenVMS currently uses different server images for regular and Kerberized Telnet.
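The per-user steps above (kinit with the principal that matches the OpenVMS username, then TELNET/AUTH or TELNET/AUTH/FORW on port 2323 for an OpenVMS server or port 23 for any other Kerberized Telnet server) collected into a DCL command procedure, as an added example that is not part of the HP manual. The procedure name, its parameter convention and the KTELNET pre-check are assumptions.

```dcl
$! KTELNET_CONNECT.COM  -- added example, not from the HP manual
$! Usage:  @KTELNET_CONNECT host [VMS|OTHER] [FORWARD]     (assumed convention)
$!   P1 = remote host name
$!   P2 = "VMS" selects port 2323 (the separate Kerberized Telnet server on
$!        OpenVMS); anything else selects the standard Telnet port 23
$!   P3 = "FORWARD" adds /FORW to forward credentials
$ ON ERROR THEN GOTO DONE
$ IF P1 .EQS. "" THEN INQUIRE P1 "Remote host"
$ host = P1
$ port = "23"
$ IF P2 .EQS. "VMS" THEN port = "2323"
$ qual = "/AUTH"
$ IF P3 .EQS. "FORWARD" THEN qual = "/AUTH/FORW"
$!
$! Define the Kerberos DCL symbols (kinit, etc.) if SYLOGIN.COM did not
$ IF F$TYPE(kinit) .EQS. "" THEN @SYS$MANAGER:KRB$SYMBOLS
$!
$! When the target is an OpenVMS system, confirm that the KTELNET service
$! exists in the local TCPIP$SERVICE database before trying port 2323.
$ IF P2 .NES. "VMS" THEN GOTO CONNECT
$ PIPE TCPIP SHOW SERVICE | SEARCH SYS$PIPE "KTELNET" /OUTPUT=NL:
$ IF $STATUS .EQ. %X08D78053       ! SEARCH-I-NOMATCHES
$ THEN
$    WRITE SYS$OUTPUT "KTELNET is not defined; run TCPIP$CONFIG, " + -
        "Optional components, Configure Kerberos Applications"
$    GOTO DONE
$ ENDIF
$CONNECT:
$! The principal must match the OpenVMS username; -f asks for forwardable
$! credentials so that /FORW has something to forward.
$ user = F$EDIT(F$GETJPI("", "USERNAME"), "TRIM")
$ kinit -f "''user'"
$ IF .NOT. $STATUS THEN GOTO DONE
$! Note from the manual: forwarding to OpenVMS servers currently fails with
$! "Kerberos V5 refuses authentication"; forwarding to non-OpenVMS works.
$ TELNET'qual' 'host' 'port'
$DONE:
$ EXIT
```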