Network security concerns are becoming increasingly important to the
computer system user. The purpose of the Secure Internet Services is to
allow the user greater security when running these services.

When an Internet Services client connects to the server daemon, the server
daemon requests authentication. The Secure Internet Services authenticate,
or in other words validate, the identity of the client and server to each other
in a secure way. Also, with the Secure Internet Services, users are authorized
to access an account on a remote system by the transmission of encrypted
tickets rather than by using the traditional password mechanism. The
traditional password mechanism, used with non-secure Internet Services,
sends the password in a readable form (unencrypted) over the network. This
creates a security risk from intruders who may be listening over the network.

The Secure Internet Services are meant as replacements for their non-secure
counterparts. The main benefit of running the Secure Internet Services is that
user authorization no longer requires transmitting a password in a readable
form over the network. Authorization is the process in which servers verify
what access remote users should have on the local system.

The Secure Internet Services may only be used in conjunction with software
products that provide a Kerberos V5 Network Authentication Services
environment (for example, the HP DCE Security Server). The network
authentication mechanism ensures that the local and remote hosts are
mutually identified to each other in a secure and trusted manner and that the
user is authorized to access the remote account.

For ftp/ftpd, rlogin/rlogind, and telnet/telnetd, the Kerberos V5
authentication involves sending encrypted tickets instead of a readable
password over the network to verify and identify the user. Although
rcp/remshd and remsh/remshd (used with a command) do not prompt
for a password, the secure versions of these services ensure that the user is
authorized to access the remote account. (If remsh is used with no
command specified, rlogin/rlogind is invoked.)

If any of the Secure Internet Services are installed in an environment where
some of the remote systems on the network are running non-secure versions
of the Internet Services, you can use a special command line option to
bypass Kerberos authentication to access those remote systems. However, if
a password is required to access the system, the password is sent in a
readable form over the network.

CAUTION: None of the Secure Internet Services encrypts the session beyond what is necessary
to authorize the user or authenticate the service. Thus, these services do not provide
integrity-checking or encryption services on the data or on remote sessions.
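
The ticket-based authorization described above, reduced to a single key-distribution step, as an added Python example (not code from HP or from any Kerberos implementation): it shows the client and server authenticating to each other while the password itself never crosses the network. Assumptions: `seal`/`unseal` are a toy stand-in for a Kerberos encryption type, the ticket-granting step is omitted, and the principal names, realm and password are constructed.

```python
import hashlib, hmac, json, os, time

def _xor(key, nonce, data):  # toy SHA-256 keystream, not a Kerberos enctype
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def user_key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM", 10000)

def kdc_issue(db, client, service):
    # KDC: session key sealed for the client, plus a ticket only the service can open.
    sk = os.urandom(32).hex()
    ticket = seal(db[service], {"client": client, "sk": sk})
    return seal(db[client], {"sk": sk}), ticket

def client_request(password, sealed_sk, client):
    # Client: recover the session key locally, then prove knowledge of it.
    sk = bytes.fromhex(unseal(user_key(password), sealed_sk)["sk"])
    ts = time.time()
    return sk, ts, seal(sk, {"client": client, "ts": ts})

def server_accept(service_key, ticket, authenticator, max_skew=300):
    # Server: open the ticket, check the authenticator, reply to prove its own identity.
    t = unseal(service_key, ticket)
    sk = bytes.fromhex(t["sk"])
    a = unseal(sk, authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > max_skew:
        raise ValueError("authenticator rejected")
    return t["client"], seal(sk, {"ts": a["ts"]})

def demo(password="constructed-Passw0rd"):
    db = {"alice": user_key(password), "telnet/hostB": os.urandom(32)}  # constructed
    sealed_sk, ticket = kdc_issue(db, "alice", "telnet/hostB")
    sk, ts, auth = client_request(password, sealed_sk, "alice")
    who, reply = server_accept(db["telnet/hostB"], ticket, auth)
    mutual = unseal(sk, reply)["ts"] == ts  # server proved it holds the service key
    # Third value: does the password appear in anything that crossed the network?
    return who, mutual, password.encode() in sealed_sk + ticket + auth + reply
```

Nothing in this exchange protects data sent after `server_accept` returns, which is the limitation the CAUTION above describes.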