HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration

Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos

Using Kerberos with TCP/IP KTELNET for OpenVMS, you can authenticate your Telnet connections between OpenVMS systems.

The minimum version of TCP/IP Services for OpenVMS necessary for Kerberized Telnet is Version 5.3. If you are using a version of TCP/IP Services for OpenVMS prior to Version 5.5, you must download the Kerberized Telnet client (TCPIP$TELNET.EXE) and server (TCPIP$TELNET_SERVER.EXE) kits from http://h71000.www7.hp.com/openvms/products/kerberos/

NOTE: If you download the Telnet client and server, you must copy TCPIP$TELNET.EXE and TCPIP$TELNET_SERVER.EXE to SYS$COMMON:[SYSEXE].

You do not need to run these files directly. They are executed when you first run Telnet after following the instructions below.

To "Kerberize" your Telnet connections, perform the following steps.

  1. Install and configure TCP/IP Services for OpenVMS Version 5.3 or higher.

  2. Install and configure Kerberos for OpenVMS. If you have already installed OpenVMS Version 7.3-2 or higher, Kerberos is part of the OpenVMS installation procedure. If you have an earlier version of OpenVMS installed, you can download the Kerberos for OpenVMS PCSI kit from the Kerberos web site at http://h71000.www7.hp.com/openvms/products/kerberos/

  3. Shut down Kerberos, if it is running, by entering the following command:

    $ @SYS$STARTUP:KRB$SHUTDOWN
  4. Configure TCP/IP Services for OpenVMS by entering the following command:

    $ @SYS$STARTUP:TCPIP$CONFIG
  5. Select #2, Client components, from the TCP/IP Configuration Menu:

         HP TCP/IP Services for OpenVMS Configuration Menu

    Configuration options:

    1 - Core environment
    2 - Client components
    3 - Server components
    4 - Optional components

    5 - Shutdown HP TCP/IP Services for OpenVMS
    6 - Startup HP TCP/IP Services for OpenVMS
    7 - Run tests

    A - Configure options 1 - 4
    [E] - Exit configuration procedure

    Enter configuration option: 2
  6. Ensure that the Telnet service is stopped. If Telnet is already stopped, skip to step 8. If Telnet is not currently stopped, select #8, Telnet, from the TCP/IP Configuration Menu:

         HP TCP/IP Services for OpenVMS Client Components Configuration Menu

    Configuration options:

    1 - DHCP Client Disabled Stopped
    2 - FTP Client Enabled Started
    3 - NFS Client Disabled Stopped
    4 - REXEC and RSH Enabled Started
    5 - RLOGIN Enabled Started
    6 - SMTP Disabled Stopped
    7 - SSH Client Enabled Started
    8 - TELNET Enabled Started
    9 - TELNETSYM Disabled Stopped

    A - Configure options 1 - 9
    [E] - Exit menu

    Enter configuration option: 8
    NOTE: You must stop the Telnet service before you can begin to configure Kerberized Telnet. Stopping the Telnet service disconnects current Telnet sessions.
  7. Select #3, Stop service on this node, from the TCP/IP Configuration Menu:

         TELNET configuration options:

    1 - Enable service on all nodes
    2 - Enable service on this node

    3 - Stop service on this node

    [E] - Exit TELNET configuration

    Enter configuration option: 3
  8. Select [E], Exit menu, from the TCP/IP Configuration Menu:

         Configuration options:

    1 - DHCP Client Disabled Stopped
    2 - FTP Client Enabled Started
    3 - NFS Client Disabled Stopped
    4 - REXEC and RSH Enabled Started
    5 - RLOGIN Enabled Started
    6 - SMTP Disabled Stopped
    7 - SSH Client Enabled Started
    8 - TELNET Enabled Stopped
    9 - TELNETSYM Disabled Stopped

    A - Configure options 1 - 9
    [E] - Exit menu

    Enter configuration option: E
  9. Select #4, Optional components, from the TCP/IP Configuration Menu:

          HP TCP/IP Services for OpenVMS Configuration Menu

    Configuration options:

    1 - Core environment
    2 - Client components
    3 - Server components
    4 - Optional components

    5 - Shutdown HP TCP/IP Services for OpenVMS
    6 - Startup HP TCP/IP Services for OpenVMS
    7 - Run tests

    A - Configure options 1 - 4
    [E] - Exit configuration procedure

    Enter configuration option: 4
  10. Select #4, Configure Kerberos Applications, from the TCP/IP Configuration Menu:

          HP TCP/IP Services for OpenVMS Optional Components Configuration Menu

    Configuration options:

    1 - Configure PWIP Driver (for DECnet-Plus and PATHWORKS)
    2 - Configure SRI QIO Interface (INET Driver)
    3 - Set up Anonymous FTP Account and Directories
    4 - Configure Kerberos Applications
    5 - Configure failSAFE IP

    A - Configure options 1 - 5
    [E] - Exit menu

    Enter configuration option: 4
  11. Select #1, Add Kerberos for TELNET server, from the TCP/IP Configuration Menu:

          Kerberos Applications Configuration Menu

    TELNET Kerberos is not defined in the TCPIP$SERVICE database.

    Configuration options:

    1 - Add Kerberos for TELNET server
    2 - Remove Kerberos for TELNET server

    [E] - Exit menu

    Enter configuration option: 1
  12. Select Exit three times to exit from the submenus of the TCP/IP Configuration Menu.

  13. If the system asks if you want to start Telnet now, answer NO.

             The following services are enabled but not started:

    TELNET

    Start these services now? [N] NO

    You may start services individually with:

    @SYS$STARTUP:TCPIP$<service>_STARTUP.COM
  14. Manually start Telnet by entering the following command:

          $ @SYS$STARTUP:TCPIP$TELNET_STARTUP.COM

    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET_SERVER.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET.EXE installed
    %TCPIP-I-INFO, logical names created
    %TCPIP-I-INFO, telnet service enabled
    %TCPIP-I-INFO, telnet (kerberos) service enabled
    %TCPIP-S-STARTDONE, TCPIP$TELNET startup completed
  15. Start Kerberos by entering the following command:

         $ @SYS$STARTUP:KRB$STARTUP
  16. Verify that the Kerberos Telnet (KTELNET) service is enabled by entering the following command. (If KTELNET is disabled, you can enable it using the $ TCPIP ENABLE SERVICE KTELNET command.)

    $ TCPIP SHOW SERV

    Service   Port  Proto  Process       Address  State

    FTP         21  TCP    TCPIP$FTP     0.0.0.0  Enabled
    KTELNET   2323  TCP    TCPIP$TELNET  0.0.0.0  Enabled
    REXEC      512  TCP    TCPIP$REXEC   0.0.0.0  Enabled
    RLOGIN     513  TCP    not defined   0.0.0.0  Enabled
    RSH        514  TCP    TCPIP$RSH     0.0.0.0  Enabled
    SSH         22  TCP    TCPIP$SSH     0.0.0.0  Enabled
    TELNET      23  TCP    not defined   0.0.0.0  Enabled
  17. Set up the Kerberos symbols, if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM file.

         $ @SYS$MANAGER:KRB$SYMBOLS
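
The check in step 16 can be automated when the listing is collected from several nodes. The following is an added example, not part of the HP documentation: it assumes the `TCPIP SHOW SERVICE` output has been saved as text in the column layout shown above, and the function names are hypothetical.

```python
import re

# Constructed sample: the TCPIP SHOW SERVICE listing from step 16, saved as text.
SAMPLE = """\
Service Port Proto Process Address State

FTP 21 TCP TCPIP$FTP 0.0.0.0 Enabled
KTELNET 2323 TCP TCPIP$TELNET 0.0.0.0 Enabled
RLOGIN 513 TCP not defined 0.0.0.0 Enabled
TELNET 23 TCP not defined 0.0.0.0 Enabled
"""

# Columns may be any width; Process can be the two words "not defined".
ROW = re.compile(
    r"^\s*(?P<service>\S+)\s+(?P<port>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<process>not defined|\S+)\s+(?P<address>\S+)\s+(?P<state>\S+)\s*$"
)

def parse_services(text):
    """Return {service name: row dict} for every data row in the listing."""
    services = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match (no numeric port)
            row = m.groupdict()
            row["port"] = int(row["port"])
            services[row["service"].upper()] = row
    return services

def check_ktelnet(text, expected_port=2323):
    """Return a list of findings; an empty list means nothing to report."""
    services = parse_services(text)
    findings = []
    kt = services.get("KTELNET")
    if kt is None:
        findings.append("KTELNET is not defined in the service database")
    else:
        if kt["state"].lower() != "enabled":
            findings.append(f"KTELNET is {kt['state']}; run TCPIP ENABLE SERVICE KTELNET")
        if kt["port"] != expected_port:
            findings.append(f"KTELNET listens on {kt['port']}, expected {expected_port}")
    plain = services.get("TELNET")
    if plain and plain["state"].lower() == "enabled":
        findings.append(f"non-Kerberized TELNET is also enabled on port {plain['port']}")
    return findings

if __name__ == "__main__":
    for finding in check_ktelnet(SAMPLE) or ["KTELNET enabled on expected port"]:
        print(finding)
```

Because regular and Kerberized Telnet run as separate services, the last finding reports when the non-Kerberized listener on port 23 is still enabled next to KTELNET.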

The following steps should be performed by each user who will use Kerberized Telnet.

  1. Log into the OpenVMS system.

           Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

    Username: user1
    Password:
  2. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter the following command at the DCL prompt each time you start a Kerberized application, such as TCP/IP Services for OpenVMS Telnet. You are then prompted for the password associated with the principal. (The -f denotes forwardable credentials.)

    $ kinit -f "USER1"
    password for user1@node1.hp.com
  3. Enter the TELNET/AUTH command specifying Kerberos port 2323 to start the TELNET session, as follows:

    $ kinit -f "USER1"
    $ TELNET/AUTH NODE1 2323
    TELNET-I-TRYING, Trying ... 1.2.3.4
    %TELNET-I-SESSION, Session 01, host node1, port 2323
    -TELNET-I-ESCAPE, Escape character is ^]
    [ Kerberos V5 accepts you as ‘‘user1.NODE1.HP.COM’’ ]
  4. Optionally, enter the TELNET/AUTH/FORW command specifying Kerberos port 2323 to forward credentials. (Note: Forwarding credentials to non-OpenVMS servers works properly, but there is currently a problem in forwarding credentials to OpenVMS servers. This will be corrected in a future TCP/IP Services for OpenVMS ECO kit.)

           $ TELNET/AUTH/FORW NODE1 2323
    TELNET-I-TRYING, Trying ... 1.2.3.4
    %TELNET-I-SESSION, Session 01, host node1, port 2323
    -TELNET-I-ESCAPE, Escape character is ^]
    [Kerberos V5 accepts you as ‘‘user1@NODE1.HP.COM’’ ]
    [ Kerberos V5 refuses authentication ]
  5. If you are using Kerberized Telnet to a non-OpenVMS system, the default port of 23 should be specified. Port 2323 is only used when contacting a Kerberized Telnet server on an OpenVMS system. This is because Telnet on OpenVMS currently uses different servers for regular and Kerberized Telnet.