Using the Secure Internet Services

Users must issue a kinit (or for HP DCE clients a dce_login) command so that they get a TGT from the KDC (for example, kinit amy@realm1.com). The TGT credentials received from the kinit (or dce_login) will typically be valid for a default lifetime. The kinit(1) man page describes TGT lifetime and renewable options.

For more information, refer to the kinit(1) and dce_login(1) man pages.

Once users have obtained a TGT, they can use the Secure Internet Services throughout the time period that their TGT is valid. The lifetime of a TGT is configurable and is typically eight hours.

There are no visible differences between using the secure and non-secure versions of the Internet Services, except that users are not prompted for a password, and there are some new Kerberos-related options available.The new Kerberos-related options relate to various Kerberos concepts, including authentication, authorization and TGT forwarding. For information on these and other Kerberos concepts refer to the "Overview of the Secure Environment and the Kerberos V5 Protocol" section “Overview of the Secure Environment and the Kerberos V5 Protocol” of this chapter.

The klist command is one of the Kerberos utilities users may want to use during their secure session. This command will display their accumulated credentials. For more information, refer to the klist(1) man page.

When users are finished for the day (or secure session), they should issue the kdestroy command to remove the credentials they have accumulated during their session. These credentials are not automatically removed when they exit a shell or log out of their session. Thus, it is highly recommended that they issue this command so that any credentials they accumulated are not susceptible to misuse from intruders. For more information refer to the kdestroy(1) man page.

There is no change to the way in which the secure version of ftp handles anonymous users. However, in secure environments, it serves no purpose to authenticate or authorize an anonymous user. An anonymous user does not have a password to protect, and any data accessible through an ftp account has been made publicly available. Therefore, it does not make sense to add an anonymous user to the KDC's database. To access a secure system anonymously, use the -P option ftp provides. This approach requires that ftpd was not invoked with the -A option on the remote host.

The secure version of rlogin accesses rlogind through the new port specified by the /etc/services entry klogin when operating as a secure client. If you invoke rlogin with the -P option, or if you run a non-secure version of rlogin, then rlogin will behave as a non-secure client and access rlogind through the login port.

The secure version of remsh accesses remshd through the new port specified by the /etc/services entry kshell when operating as a secure client. If you invoke remsh with the -P option, or if you run a non-secure version of remsh, then remsh will behave as a non-secure client and access remshd through the shell port.

The secure version of rcp accesses remshd through the new port specified by the /etc/services entry kshell when operating as a secure client. If you invoke rcp with the -P option, or if you run a non-secure version of rcp, then rcp will behave as a non-secure client and access remshd through the shell port.