The network applications in AIX (for instance, telnet, FTP, and r-commands such as rlogin, rsh, and rcp) inherently support Kerberos authentication. All the administrator needs to do is install and configure Kerberos, then configure the AIX system (and in turn its applications) to use that Kerberos setup for authentication.
Kerberos authentication means that once you have a valid Kerberos ticket (obtained by a manual /usr/krb5/bin/kinit or by integrated login), the network applications can present that ticket as your authentication token; once the ticket is verified, you are given access without being asked to enter your password.
To enable Kerberos authentication, some common basic configuration is required on the Kerberos side as well as on the AIX systems. Let's glance through it.
- Make one server machine the Kerberos master KDC (Key Distribution Center). This machine is responsible for all Kerberos-related tasks such as issuing tickets, authenticating users, and more. Here the administrator needs to install and configure IBM Network Authentication Service (NAS) (preferably version 1.4.0.7 or later) as a master KDC.
- On all the client machines in your network (the ones from which you are going to use telnet, FTP, or r-commands to log in), install and configure IBM NAS as a client of the master KDC.
- On the server machines, where the telnet and FTP daemons run and to which the clients connect, install and configure IBM NAS as a client of the master KDC as well.
For complete instructions on the IBM NAS server and client installation and configuration, please refer to the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.
For the examples in this article, I refer to an example Kerberos environment. Figure 1 shows that environment and the logical flow of information.
Figure 1: An example showing Kerberized telnet in action

The following definitions are used throughout the article:
Kerberos Administrator Name:
admin/admin
Kerberos Realm Name:
ISL.IN.IBM.COM
IBM NAS 1.4.0.7 Master KDC:
Hostname: land.in.ibm.com Port: 88
OS: AIX 5.3
IBM NAS 1.4.0.7 Administration Server:
Hostname: land.in.ibm.com Port: 749
OS: AIX 5.3
IBM NAS 1.4.0.7 Client:
Hostname: fakir.in.ibm.com
OS: AIX 6.1
Machine with telnet service running:
Hostname: fsaix005.in.ibm.com Port: 23
OS: AIX 5.3
Machine with FTP service running:
Hostname: fsaix005.in.ibm.com Port: 21
OS: AIX 5.3
Check and synchronize the clocks on all the machines; the time difference between any two of them must not exceed 5 minutes, or Kerberos rejects the tickets. To check the correctness of the Kerberos configuration, run '/usr/krb5/bin/kinit admin/admin', followed by '/usr/krb5/bin/klist', and see whether you obtained a Kerberos ticket; then use '/usr/krb5/sbin/kadmin -p admin/admin' to check that everything (time difference and more) is correct.
AIX authentication configuration
In order to make sure that all the network applications try Kerberos authentication before the standard password-based authentication, the administrator needs to change the preference of the authentication method on all the AIX machines.
The '/usr/bin/lsauthent' command shows the current authentication mode preference:
bash-2.05b# /usr/bin/lsauthent
Standard Aix
To change the authentication mode preference, use the '/usr/bin/chauthent' command:
bash-2.05b# /usr/bin/chauthent -k5 -std
Now, '/usr/bin/lsauthent' shows something like this:
bash-2.05b# /usr/bin/lsauthent
Kerberos 5
Standard Aix
Be sure to keep the standard password-based authentication method (-std above) as a fallback, or else you will not be able to log in to the system if Kerberos login is not working or not enabled properly.
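The following script is an added example, not part of the original article: it checks the authentication method order the way you would after running 'chauthent -k5 -std'. It parses lsauthent-style output (one method per line, exactly as listed above) and requires that "Kerberos 5" comes before "Standard Aix" and that "Standard Aix" is still present as the fallback, so a broken Kerberos setup cannot lock you out. The three sample listings at the bottom are constructed to mirror the outputs shown above.

```shell
#!/bin/sh
# Added example, not from the original article: verify the AIX authentication
# method order the way you would after 'chauthent -k5 -std'. It parses
# lsauthent-style output (one method per line, as shown above) and requires
# that "Kerberos 5" is tried before "Standard Aix" and that "Standard Aix" is
# still present as the fallback, so a broken Kerberos setup cannot lock you out.

# check_authent_order   (lsauthent output on stdin)
#   0  Kerberos 5 listed before Standard Aix, Standard Aix present
#   1  Standard Aix missing: no password fallback (lockout risk)
#   2  Kerberos 5 missing: Kerberos is never tried
#   3  Standard Aix listed before Kerberos 5: passwords are tried first
check_authent_order() {
    awk '
        { sub(/[ \t]+$/, "") }              # tolerate trailing whitespace
        $0 == "Kerberos 5"   { k5 = NR }
        $0 == "Standard Aix" { std = NR }
        END {
            if (!std)     exit 1
            if (!k5)      exit 2
            if (std < k5) exit 3
            exit 0
        }'
}

# On a live AIX system:   /usr/bin/lsauthent | check_authent_order
# Below, constructed samples mirroring the lsauthent listings above.
BEFORE='Standard Aix'
AFTER='Kerberos 5
Standard Aix'
NO_FALLBACK='Kerberos 5'

for sample in "$BEFORE" "$AFTER" "$NO_FALLBACK"; do
    rc=0
    printf '%s\n' "$sample" | check_authent_order || rc=$?
    case $rc in
        0) echo "ok: Kerberos first, password fallback kept" ;;
        1) echo "DANGER: no Standard Aix fallback; run: /usr/bin/chauthent -k5 -std" ;;
        2) echo "Kerberos not enabled; run: /usr/bin/chauthent -k5 -std" ;;
        3) echo "wrong order; run: /usr/bin/chauthent -k5 -std" ;;
    esac
done
```

Run it on each AIX host after changing the preference; status 1 is the one to treat as urgent, because the next Kerberos outage would then lock every non-Kerberos login out.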
Configuring Kerberos for telnet service
In a Kerberos environment, each Kerberos service is represented by a service principal. This service principal is nothing but a normal Kerberos principal whose long-term key, stored in the service's keytab, is what the service uses to decrypt the service tickets that the KDC issues to clients. For the telnet service as well, you need to create a telnet service principal and perform some configuration steps on the telnet server.
Use the following step-by-step process to configure Kerberos for telnet service.
If you have already configured the Kerberos client using the AIX 'mkkrb5clnt' command, then you do not need to do steps 1 and 2. The 'mkkrb5clnt' command creates a host service principal and stores it in the /var/krb5/security/keytab/<hostname>.keytab file. Link this file to the default keytab file /etc/krb5/krb5.keytab.
- On the machine where the telnet service is running (fsaix005.in.ibm.com), create the telnet service principal with the name 'host/<FQDN_telnetd_hostname>'. For us, it is 'host/fsaix005.in.ibm.com'. Using the Fully Qualified Domain Name (FQDN) is vital for this setup to work.
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: addprinc -randkey host/fsaix005.in.ibm.com
WARNING: no policy specified for host/fsaix005.in.ibm.com@ISL.IN.IBM.COM; defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Principal "host/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.
- Add the telnet service principal to the keytab file (/etc/krb5/krb5.keytab).
kadmin: ktadd host/fsaix005.in.ibm.com
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: q
bash-2.05b#
If you are not able to run 'kadmin' on the telnet server for some reason, then create the service principal on the KDC, add it to a keytab file there, and transfer that keytab file to the machine where telnetd is running (fsaix005.in.ibm.com, for us). The keytab holds the service's long-term key, so copy it over a protected channel and keep it readable by root only. Note also that the listing above writes single-DES and ArcFour (RC4) keys alongside the AES and 3DES ones; single DES is no longer considered secure, so if nothing in the realm needs it, restrict the encryption types the KDC generates to the stronger ones.
- On the telnet service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries. Each line is one key of the principal (one per encryption type written by ktadd); 'klist -ke' additionally shows the encryption type of each entry.
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
- On the telnet service machine (fsaix005.in.ibm.com), create a new user 'vipin' with which you will telnet to fsaix005. Set a password for this user.
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# mkuser -R files vipin
bash-2.05b# passwd vipin
Changing password for "vipin"
vipin's New password:
Enter the new password again:
bash-2.05b#
- Create a Kerberos principal with the same name 'vipin'. This can be done from any machine (either the master KDC or a client) in the Kerberos realm. (The example sets the principal's password equal to the user name for brevity; use a proper password, or omit '-pw' and let kadmin prompt for it.)
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: ank -pw vipin vipin
WARNING: no policy specified for vipin@ISL.IN.IBM.COM; defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Principal "vipin@ISL.IN.IBM.COM" created.
kadmin: q
bash-2.05b#
- Go to any other client machine (fakir.in.ibm.com) on which the Kerberos client is configured. Run '/usr/krb5/bin/kinit vipin' to get the initial Kerberos ticket, as shown below:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b#
- Try to telnet to the telnetd machine (fsaix005.in.ibm.com). If everything goes fine, you are not asked for a password and you are logged in as user "vipin". Here is how:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# telnet -l vipin fsaix005.in.ibm.com
Trying...
Connected to fsaix005.in.ibm.com.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``vipin@ISL.IN.IBM.COM'' ]
telnet (fsaix005.in.ibm.com)
*******************************************************************************
* *
* *
* Welcome to AIX Version 5.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last unsuccessful login: Wed Feb 13 11:50:40 CST 2008 on /dev/pts/2 from land.in.ibm.com
Last login: Fri Feb 15 12:49:06 CST 2008 on /dev/pts/3 from aixdce8.in.ibm.com
$ hostname
fsaix005.in.ibm.com
$ id
uid=237(vipin) gid=1(staff)
$ exit
Connection closed
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b#
That's all it takes to do kerberized telnet! Note the additional '-l vipin' option passed to the telnet command: it names the account on the server, and that account has to match the principal in your ticket cache (see the first entry in the error table below). Keep in mind that Kerberos here replaces the password exchange only; it does not by itself encrypt the rest of the telnet session, so the session data still travels in the clear unless telnet's separate encryption option is negotiated.
If you want to check whether you actually got a ticket for the telnet service principal, run '/usr/krb5/bin/klist' on the client and look at the output. You should see something like this:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
02/16/08 04:32:56  02/17/08 04:31:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
Configuring Kerberos for FTP service
Similar to the telnet service, you can also configure the FTP service to accept and use Kerberos authentication. Use the following step-by-step procedure:
- Create an FTP service principal. This time the name of the FTP service principal is 'ftp/<FQDN_ftpd_hostname>', so for us it is 'ftp/fsaix005.in.ibm.com'. Create the principal:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: ank -randkey ftp/fsaix005.in.ibm.com
WARNING: no policy specified for ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM; defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Principal "ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.
- Now add this principal to the keytab file (/etc/krb5/krb5.keytab).
kadmin: ktadd ftp/fsaix005.in.ibm.com
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: q
bash-2.05b#
- On the FTP service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries in the keytab file. This time it should look something like this:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
- The next step is to get the initial Kerberos ticket. Since we already have a Kerberos user called 'vipin', we use this principal to get the initial Kerberos ticket with the '/usr/krb5/bin/kinit' command.
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
02/16/08 04:47:46  02/17/08 04:47:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b#
- Once we have a valid ticket, we are all set to do kerberized FTP. The server still prompts for a name, but no password is requested:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# ftp fsaix005.in.ibm.com
Connected to fsaix005.in.ibm.com.
220 fsaix005.in.ibm.com FTP server (Version 4.2 Sat Jun 16 07:20:05 CDT 2007) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (fsaix005.in.ibm.com:root): vipin
232 GSSAPI user vipin@ISL.IN.IBM.COM is authorized as vipin
ftp>
ftp> bye
221 Goodbye.
bash-2.05b#
To cross-check that kerberized FTP succeeded, close the FTP session and run '/usr/krb5/bin/klist' to see the additional ticket for our FTP service principal:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
02/16/08 04:47:46  02/17/08 04:47:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
02/16/08 04:49:20  02/17/08 04:49:19  ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
Configuring Kerberos for r-commands
The AIX r-commands (such as rlogin, rsh, and rcp) also support Kerberos authentication. Let's look at how these commands make use of a Kerberos ticket so that we can work on the remote machine seamlessly.
The Kerberos service principal for all r-commands is again 'host/<FQDN_service_hostname>', the same as the telnet service principal. So, if you have already configured kerberized telnet authentication, no further configuration steps are needed: just get the initial Kerberos ticket and run the r-commands. For example:
Example showing Kerberos authentication in 'rlogin'
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting Expires Service principal
04/21/08 08:54:26 04/22/08 08:54:25 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b# rlogin fsaix005.in.ibm.com -l vipin
*******************************************************************************
* *
* *
* Welcome to AIX Version 5.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last unsuccessful login: Mon Apr 21 07:55:42 CDT 2008 on /dev/pts/1 from 9.182.185.101
Last login: Mon Apr 21 08:01:29 CDT 2008 on /dev/pts/1 from fakir.in.ibm.com
$ hostname
fsaix005.in.ibm.com
$ exit
Connection closed.
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting Expires Service principal
04/21/08 08:54:26 04/22/08 08:54:25 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
04/21/08 08:54:49 04/22/08 08:54:25 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
Example showing Kerberos authentication in 'rsh'
We can also do Kerberos authentication in 'rsh' the same way as with rlogin. (rsh invoked without a command, as here, behaves like rlogin, which is why a login banner appears; a remote command given after the host name is authenticated the same way.)
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
04/21/08 08:58:08  04/22/08 08:58:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b# rsh fsaix005.in.ibm.com -l vipin
*******************************************************************************
* *
* *
* Welcome to AIX Version 5.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last unsuccessful login: Mon Apr 21 07:55:42 CDT 2008 on /dev/pts/1 from 9.182.185.101
Last login: Mon Apr 21 08:54:58 CDT 2008 on /dev/pts/1 from fakir.in.ibm.com
$ hostname
fsaix005.in.ibm.com
$ exit
Connection closed.
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
04/21/08 08:58:08  04/22/08 08:58:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
04/21/08 08:58:33  04/22/08 08:58:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
Example showing Kerberos authentication in 'rcp'
This example copies a file from one machine (fakir.in.ibm.com) to another remote machine (fsaix005.in.ibm.com) using Kerberos authentication.
- Here is the file on fakir.in.ibm.com that we want to transfer:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# ls -l /home/vipin/progs/try.c
-rw-r--r-- 1 root system 200 Feb 14 03:55 /home/vipin/progs/try.c
bash-2.05b#
- Copy this file to the /home/vipin directory on fsaix005.in.ibm.com. The current contents of /home/vipin on fsaix005.in.ibm.com are:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# ls -l /home/vipin/t*
ls: 0653-341 The file /home/vipin/t* does not exist.
bash-2.05b#
- Run the Kerberos authentication and get the initial Kerberos ticket on fakir.in.ibm.com.
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
04/21/08 09:20:13  04/22/08 09:20:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b#
- Once we have a valid ticket, we can run the 'rcp' command:
bash-2.05b# rcp /home/vipin/progs/try.c vipin@fsaix005.in.ibm.com:/home/vipin
bash-2.05b#
Pay attention to how we pass the user name for fsaix005.in.ibm.com (user@host:path) together with the destination directory on fsaix005.in.ibm.com. The destination directory needs to be writable by that user.
- On fsaix005.in.ibm.com, we can cross-check the file copy operation like this:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# ls -l /home/vipin/t*
-rw-r--r-- 1 vipin staff 200 Apr 21 09:21 /home/vipin/try.c
bash-2.05b#
Note the ownership of the newly copied file: on the destination it belongs to the authenticated user vipin (group staff), not to root, who ran rcp on the source machine.
Commonly encountered kerberized telnet errors and mistakes
| Error | Solution |
|---|---|
| Kerberos V5 refuses authentication because admin/admin@ISL.IN.IBM.COM is not authorized to log in to the specified account. | The initial Kerberos ticket was obtained as 'admin/admin', not as your normal user name ('vipin' in this example). Run '/usr/krb5/bin/kdestroy' to destroy the earlier Kerberos ticket, then use '/usr/krb5/bin/kinit <username>' to get the correct ticket and retry. |
| Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed. | The key (or key version number) of the service principal in the keytab does not match the one on the KDC; compare the kvno shown by 'klist -k' with the one the KDC reports for the principal. Delete the service principal (kadmin 'delprinc'), remove it from the keytab (kadmin 'ktrem'), re-create a fresh service principal, add it to the keytab, and retry. Simply running 'ktadd' again for the principal also resolves the mismatch, since it generates a new key version on the KDC and writes that key to the keytab. |
| Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Generic RC I/O error. | On the telnet server, create the directory /var/tmp if it is not already present. This should solve the problem. |
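The following script is an added example, not part of the original article. It turns the 'klist -k' checks from the telnet and FTP steps and the first two rows of the table above into repeatable tests: it parses the text that 'klist -k', 'klist' and kadmin 'getprinc' produce, compares the key version number in the keytab with the one on the KDC (the cause behind "Decrypt integrity check failed"), and checks that the credential cache belongs to the user you are logging in as (the cause behind "not authorized to log in to the specified account"). The 'klist -k' and 'klist' formats are the ones shown in this article; the 'getprinc' format (lines of the form "Key: vno N, <enctype>, ...") is assumed to be the MIT-style output, and every sample listing below is constructed, with the ftp/ sample deliberately re-keyed on the KDC to show a mismatch.

```shell
#!/bin/sh
# Added example, not part of the original article. Offline checks for the
# keytab and ticket-cache state behind the steps above and the first two
# errors in the table: they parse the text that 'klist -k', 'klist' and
# kadmin 'getprinc' produce, so they can be run against captured output.
# The 'klist -k' and 'klist' formats are the ones shown in the article; the
# 'getprinc' format ("Key: vno N, <enctype>, ...") is assumed to be the
# MIT-style output. All sample listings below are constructed.

REALM=ISL.IN.IBM.COM   # realm from the article's example environment

# keytab_kvno PRINCIPAL   ('klist -k' output on stdin)
# Prints the highest kvno stored for PRINCIPAL@REALM; returns 1 if absent.
keytab_kvno() {
    awk -v p="$1@$REALM" '
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# kdc_kvno   (kadmin "getprinc PRINCIPAL" output on stdin)
# Prints the highest key version the KDC holds; returns 1 if no key lines.
kdc_kvno() {
    awk '
        $1 == "Key:" && $2 == "vno" { v = $3; sub(/,$/, "", v); if (v + 0 > max) max = v + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# check_kvno_match PRINCIPAL KEYTAB_LISTING GETPRINC_OUTPUT
#   0  keytab and KDC agree
#   1  principal missing from the keytab (or no keys reported by the KDC)
#   2  kvno differs: the "Decrypt integrity check failed" case; re-run ktadd
check_kvno_match() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || return 1
    kdc=$(printf '%s\n' "$3" | kdc_kvno) || return 1
    [ "$kt" = "$kdc" ] && return 0
    echo "kvno mismatch for $1: keytab has $kt, KDC has $kdc" >&2
    return 2
}

# cache_principal   ('klist' output on stdin) -> prints the default principal
cache_principal() {
    awk '/^Default principal: / { sub(/^Default principal: /, ""); print; exit }'
}

# cache_matches_user USER   ('klist' output on stdin)
# 0 if the cache belongs to USER@REALM; 1 otherwise (the "not authorized to
# log in to the specified account" case, e.g. a cache obtained as admin/admin).
cache_matches_user() {
    [ "$(cache_principal)" = "$1@$REALM" ]
}

# have_service_ticket PRINCIPAL   ('klist' output on stdin)
# 0 if a ticket for PRINCIPAL@REALM is in the cache, 1 otherwise.
have_service_ticket() {
    awk -v p="$1@$REALM" '
        NF == 5 && $NF == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed samples mirroring the article's listings.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM'
GETPRINC_HOST='Principal: host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt'
# ftp/ was re-keyed on the KDC after the keytab was written: vno 4 vs 3.
GETPRINC_FTP_STALE='Principal: ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
Number of keys: 1
Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt'
CACHE_LISTING='Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
02/16/08 04:32:56  02/17/08 04:31:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM'

check_kvno_match host/fsaix005.in.ibm.com "$KEYTAB_LISTING" "$GETPRINC_HOST" \
    && echo "host/: keytab matches KDC"
check_kvno_match ftp/fsaix005.in.ibm.com "$KEYTAB_LISTING" "$GETPRINC_FTP_STALE" \
    || echo "ftp/: status $? (2 = re-run 'ktadd ftp/fsaix005.in.ibm.com')"
printf '%s\n' "$CACHE_LISTING" | cache_matches_user vipin && echo "cache belongs to vipin"
printf '%s\n' "$CACHE_LISTING" | have_service_ticket host/fsaix005.in.ibm.com \
    && echo "service ticket for telnet/rlogin present"
```

On a live server, feed the functions real output instead of the samples: '/usr/krb5/bin/klist -k' for the keytab, '/usr/krb5/bin/klist' for the cache, and the output of kadmin's 'getprinc host/<FQDN>' for the KDC side (run interactively, or with 'kadmin -q' if your kadmin supports it). A status of 2 from check_kvno_match is the quickest confirmation that the second error in the table is a stale keytab rather than a broken telnetd.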
This article demonstrated how to make use of the Kerberos authentication mechanism in the AIX network applications like telnet, FTP, and r-commands, which have support for Kerberos.
Learn
- Configuring AIX 5L for Kerberos Based Authentication Using IBM Network Authentication Service: Read this white paper to learn about using Kerberos as an alternative authentication mechanism to AIX.
- A Kerberos Primer (developerWorks, Nov 2001): This article introduces Kerberos technology and Distributed Computing Environment-based applications.
Get products and technologies
- IBM Network Authentication Service for AIX: Download the IBM Network Authentication Service for AIX from IBM AIX Web Download Pack Programs.
- IBM Network Authentication Service for Linux, Solaris: Download the IBM Network Authentication Service for Linux and Solaris from here.
- IBM GUI-based Administration Tool for Network Authentication Service: Experience the GUI to perform the IBM NAS related administration tasks. Download from the IBM alphaWorks today.
- AIX 5L Expansion Pack and Web Download Pack: Start downloading now.