Configure and enable the Kerberos authentication in telnet, FTP, and r-commands on AIX V6

Learn to make use of the Kerberos authentication tickets in the day-to-day network services on IBM® AIX® V6 and discover how Kerberos can be useful in getting rid of the password hassles for network service logons. This is another method towards achieving single sign on (SSO) on an AIX system network.

Vipin Rathor (vrathor1@in.ibm.com), System Software Engineer, IBM India Software Lab

author photoVipin Rathor, in his two years with IBM India Software Lab, has been working for IBM Network Authentication Service (IBM Kerberos) Development and Support activities. He loves burning the rubber-side in his free time. He can be contacted at vrathor1@in.ibm.com.



27 May 2008

Also available in Chinese

Introduction

The network applications in AIX (for instance, telnet, FTP, and r-commands like rlogin, rsh, rcp, and more) inherently support Kerberos authentication. All the administrators need to do is to install and configure Kerberos and configure AIX system (in turn its applications) to use that Kerberos setup for authentication. The Kerberos authentication means that once you have a valid Kerberos ticket (obtained by a manual /usr/krb5/bin/kinit or integrated login), the network applications can use this ticket as your authentication token and once authenticated successfully, you will be given access without being asked to enter your password.

Basic configuration

In order to enable Kerberos authentication, some common basic configuration is required on Kerberos front as well as on the AIX systems. Let's glance through them.

Kerberos configuration

  • Make one server machine the Kerberos master KDC (Key Distribution Center). This machine will be responsible for all the Kerberos-related tasks such as generating tickets, authenticating users, and more. Here the administrator needs to install and configure IBM Network attached storage (NAS) (preferably version 1.4.0.7 or latest) as a master KDC.
  • All the other machines in your network (from where you are going to use telnet, FTP, or r-commands to log in), install, and configure IBM NAS as a client to the master KDC.
  • These are the machines where the telnet / FTP daemons are running and from the clients you will be connecting to this machine. Install and configure IBM NAS as a client to the master KDC on these machines, too.

For complete instructions on the IBM NAS server and client installation and configuration, please refer to the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.

For the examples in this article, I refer to an example Kerberos environment. The Figure 1shows that enviroment and the logical flow of information.

Figure 1: An example showing Kerberized telnet in action
Diagram of a Kerberized telnet in action

The following definitions are used throughout the article:
Kerberos Administrator Name:
admin/admin

Kerberos Realm Name:
ISL.IN.IBM.COM

IBM NAS 1.4.0.7 Master KDC:
Hostname: land.in.ibm.com Port: 88
OS: AIX 5.3

IBM NAS 1.4.0.7 Administration Server:
Hostname: land.in.ibm.com Port: 749
OS: AIX 5.3

IBM NAS 1.4.0.7 Client:
Hostname: fakir.in.ibm.com
OS: AIX 6.1

Machine with telnet service running:
Hostname: fsaix005.in.ibm.com Port: 23
OS: AIX 5.3

Machine with FTP service running:
Hostname: fsaix005.in.ibm.com Port: 21
OS: AIX 5.3

Check and synchronize the time difference between all the machines; it should not be more than 5 minutes. To check the correctness of Kerberos configuration, use '/usr/krb5/bin/kinit admin/admin', followed by '/usr/krb5/bin/klist' and see if you are able to get the Kerberos ticket, and use '/usr/krb5/sbin/kadmin -p admin/admin' to check that everything (time difference and more) is correct.

AIX authentication configuration

In order to make sure that all the network applications try Kerberos authentication before the standard password-based authentication, the administrator needs to change the preference of the authentication method on all the AIX machines.

The '/usr/bin/lsauthent' command shows the current authentication mode preference.

bash-2.05b# /usr/bin/lsauthent
Standard Aix

To change the authentication mode preference, use the '/usr/bin/chauthent' command.

bash-2.05b# /usr/bin/chauthent -k5 -std

Now, '/usr/bin/lsauthent' would show something like this:

bash-2.05b# /usr/bin/lsauthent
Kerberos 5
Standard Aix

Be sure to keep the standard password-based authentication method (-std above), as a fallback authentication method, or else you will not be able to log in to the system if the proper Kerberos login is not enabled.


Configuring Kerberos for telnet service

In the Kerberos environment, each Kerberos service is represented by a service principal. This service principal is nothing but a normal Kerberos principal, who holds the key to decrypt the response sent by the Kerberos server. For telnet service as well, you will need to create a telnet service principal and perform some configuration steps on the telnet server.

Use the following step-by-step process to configure Kerberos for telnet service.

If you have already configured the Kerberos client using the AIX 'mkkrb5clnt' command, then you do not need to do steps 1 and 2. The 'mkkrb5clnt' command created a host service principal and stored it in /var/krb5/security/keytab/<hostname>.keytab file. Link this file to the default keytab file /etc/krb5/krb5.keytab.

  1. On the machine where the telnet service is running (fsaix005.in.ibm.com), create the telnet service principal by the name 'host/<FQDN_telnetd_hostname>'. For us, it will be 'host/fsaix005.in.ibm.com'.

    Using the Fully Qualified Domain Name (FQDN) is very vital for this setup to work.

    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  addprinc -randkey host/fsaix005.in.ibm.com
    WARNING: no policy specified for host/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
    defaulting to no policy. Note that policy may be overridden by
    ACL restrictions.
    Principal "host/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.
  2. Add the telnet service principal to the keytab file (/etc/krb5/krb5.keytab).
    kadmin:  ktadd host/fsaix005.in.ibm.com
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES 
          cbc 
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour 
         with 
      HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 
        CTS  mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc 
         mode 
      with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 
        CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin:  q
    
    bash-2.05b#

    If you are not able to do 'kadmin' for some reason, then create the service principal on KDC and add to the keytab file (/etc/krb5/krb5.keytab) and transfer this keytab file to the machine where telnetd is running (fsaix005.in.ibm.com, for us).

  3. On the telnet service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries.
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist -k
    Keytab name:  FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#
  4. On the telnet service machine (fsaix005.in.ibm.com), create a new user 'vipin' using which you will telnet to fsaix005. Change the password of this user.
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# mkuser -R files vipin
    
    bash-2.05b# passwd vipin
    Changing password for "vipin"
    vipin's New password:
    Enter the new password again:
    
    bash-2.05b#
  5. Create a Kerberos principal with the same name 'vipin'. This can be done from any machine (either the master KDC or client) in the Kerberos realm.
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  ank -pw vipin vipin
    WARNING: no policy specified for vipin@ISL.IN.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "vipin@ISL.IN.IBM.COM" created.
    kadmin:  q
    
    bash-2.05b#
  6. Go to the any other client machine (fakir.in.ibm.com) on which the Kerberos client is configured. Run '/usr/krb5/bin/kinit vipin' to get the initial Kerberos ticket, as shown below:
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/kinit vipin
    Password for vipin@ISL.IN.IBM.COM:
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    
    bash-2.05b#
  7. Try to telnet to the telnetd machine (fsaix005.in.ibm.com). If everything goes fine, you will not be asked to enter the password and you will be logged in as user "vipin".
    Here is how:
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# telnet -l vipin fsaix005.in.ibm.com
    Trying...
    Connected to fsaix005.in.ibm.com.
    Escape character is '^]'.
    [ Kerberos V5 accepts you as ``vipin@ISL.IN.IBM.COM'' ]
    
    
    telnet (fsaix005.in.ibm.com)
    
    *******************************************************************************
    *                                                                             *
    *                                                                             *
    *  Welcome to AIX Version 5.3!                                                *
    *                                                                             *
    *                                                                             *
    *  Please see the README file in /usr/lpp/bos for information pertinent to    *
    *  this release of the AIX Operating System.                                  *
    *                                                                             *
    *                                                                             *
    *******************************************************************************
    Last unsuccessful login: Wed Feb 13 11:50:40 CST 2008 on /dev/pts/2 from 
         land.in.ibm.com
    Last login: Fri Feb 15 12:49:06 CST 2008 on /dev/pts/3 from aixdce8.in.ibm.com
    
    $ hostname
    fsaix005.in.ibm.com
    
    $ id
    uid=237(vipin) gid=1(staff)
    
    $ exit
    Connection closed
    
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b#

    That’s all it takes to do the kerberized telnet! Please note the additional option (in the highlighted text above) while issuing the telnet command.

    If you want to check whether you actually got the ticket for the telnet service principal or not, run ‘/usr/krb5/bin/klist’ on the client and see the output. You should see something like this:

    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    02/16/08 04:32:56  02/17/08 04:31:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#

Configuring Kerberos for FTP service

Similar to telnet service, you can also configure FTP service to accept and use Kerberos authentication. Use the following step-by-step procedure to achieve this:

  1. Create an FTP service principal. This time the name of FTP service principal would be ‘ftp/<FQDN_ftpd_hostname>’. So for us, it will be something like ‘ftp/fsaix005.in.ibm.com’. Create the principal:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  ank -randkey ftp/fsaix005.in.ibm.com
    WARNING: no policy specified for ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.
  2. Now add this principal entry to the keytab file (/etc/krb5/krb5.keytab).
    kadmin:  ktadd ftp/fsaix005.in.ibm.com
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES 
        cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour 
        with 
      HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS 
        mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type DES 
        cbc mode with
      RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS 
        mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin:  q
    
    bash-2.05b#
  3. On the FTP service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries in the keytab file. This time it should look something like this:
              bash-2.05b# hostname
              fsaix005.in.ibm.com
    
              bash-2.05b# /usr/krb5/bin/klist -k
              Keytab name:  FILE:/etc/krb5/krb5.keytab
              KVNO Principal
              ---- ---------
              3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
              3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
              bash-2.05b#
  4. The next step is to get the initial Kerberos ticket. Since we already have a Kerberos user called 'vipin', we will be using this principal to get the initial Kerberos ticket by using the '/usr/krb5/bin/kinit' command.
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/kinit vipin
    Password for vipin@ISL.IN.IBM.COM:
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:47:46  02/17/08 04:47:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    
    bash-2.05b#
  5. Once we have a valid ticket, we are all set now to do the kerberized FTP.

    Click to see code listing

    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# ftp fsaix005.in.ibm.com
    Connected to fsaix005.in.ibm.com.
    220 fsaix005.in.ibm.com FTP server (Version 4.2 Sat Jun 16 07:20:05 CDT 2007) ready.
    334 Using authentication type GSSAPI; ADAT must followGSSAPI accepted as authentication typeGSSAPI authentication succeeded
    Name (fsaix005.in.ibm.com:root): vipin
    232 GSSAPI user vipin@ISL.IN.IBM.COM is authorized as vipin
    ftp>
    ftp> bye
    221 Goodbye.
    
    bash-2.05b#

    To cross-check the kerberized FTP success, you can close the FTP session and do ‘/usr/krb5/bin/klist’ to see the additional ticket of our FTP service principal.

    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:47:46  02/17/08 04:47:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    02/16/08 04:49:20  02/17/08 04:49:19  ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#

Configuring Kerberos for r-commands

The AIX r-commands (such as rlogin, rsh, and rcp) also support Kerberos authentication. We are going to take a look at how these commands can make use of a Kerberos ticket to allow us to do our stuff seamlessly.

The Kerberos service principal for all r-commands is going to be 'host/<FQDN_service_hostname>' again, which is the same as the telnet service principal. So, if you have configured the kerberized telnet authentication, then you do not need to do any more configuration steps. Just get the initial Kerberos ticket and fire the r-commands. For example:

Example showing Kerberos authentication in 'rlogin’

bash-2.05b# hostname
fakir.in.ibm.com

bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:54:26  04/22/08 08:54:25  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM

bash-2.05b# rlogin fsaix005.in.ibm.com -l vipin
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Last unsuccessful login: Mon Apr 21 07:55:42 CDT 2008 on /dev/pts/1 from 9.182.185.101
Last login: Mon Apr 21 08:01:29 CDT 2008 on /dev/pts/1 from fakir.in.ibm.com

$ hostname
fsaix005.in.ibm.com
$ exit
Connection closed.

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:54:26  04/22/08 08:54:25  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
04/21/08 08:54:49  04/22/08 08:54:25  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM

bash-2.05b#

Example showing Kerberos authentication in 'rsh’

We can also do the Kerberos authentication in ‘rsh’ the same way as the rlogin.

bash-2.05b# hostname
fakir.in.ibm.com

bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:58:08  04/22/08 08:58:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM

bash-2.05b# rsh fsaix005.in.ibm.com -l vipin
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Last unsuccessful login: Mon Apr 21 07:55:42 CDT 2008 on /dev/pts/1 from 9.182.185.101
Last login: Mon Apr 21 08:54:58 CDT 2008 on /dev/pts/1 from fakir.in.ibm.com

$ hostname
fsaix005.in.ibm.com
$ exit
Connection closed.

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:58:08  04/22/08 08:58:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
04/21/08 08:58:33  04/22/08 08:58:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM

Example showing Kerberos authentication in 'rcp’

This example copies a file from one machine (fakir.in.ibm.com) to another remote machine (fsaix005.in.ibm.com) using a Kerberos authentication.

  1. Here is the file on fakir.in.ibm.com that we want to transfer:
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# ls -l /home/vipin/progs/try.c
    -rw-r--r--    1 root     system          200 Feb 14 03:55 home/vipin/progs/try.c
    
    bash-2.05b#
  2. Copy this file to fsaix005.in.ibm.com at the /home/vipin directory. The current contents of /home/vipin on fsaix005.in.ibm.com are:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# ls -l /home/vipin/t*
    ls: 0653-341 The file /home/vipin/t* does not exist.
    
    bash-2.05b#
  3. Run the Kerberos authentication and get the initial Kerberos ticket on fakir.in.ibm.com.
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/kinit vipin
    Password for vipin@ISL.IN.IBM.COM:
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    04/21/08 09:20:13  04/22/08 09:20:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    
    bash-2.05b#
  4. Once we have a valid ticket, we can run the ‘rcp’ command:
    bash-2.05b# rcp /home/vipin/progs/try.c vipin@fsaix005.in.ibm.com:/home/vipin
    
    bash-2.05b#

    Please pay attention to how we pass the user name for fsaix005.in.ibm.com. We also passing the destination directory on fsaix005.in.ibm.com. It’s important to remember that the destination directory needs to be writable by the user.

  5. And on fsaix005.in.ibm.com, we can cross-check the file copy operation like this:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# ls -l /home/vipin/t*
    -rw-r--r--   1 vipin    staff           200 Apr 21 09:21 /home/vipin/try.c
    
    bash-2.05b#

    Note the user ACLs of the newly copied file.


Commonly encountered kerberized telnet errors and mistakes

ErrorSolution
Kerberos V5 refuses authentication because admin/admin@ISL.IN.IBM.COM is not authorized to log in to the specified account.The initial Kerberos ticket was created using 'admin/admin,' not your normal username ('vipin,' in this example). Run '/usr/krb5/bin/kdestroy' to destroy the earlier Kerberos ticket and use '/usr/krb5/bin/kinit <username>' to get the correct ticket and retry.
Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed.There is a mismatch in the key version number of the service principal. Delete the service principal (using 'delprinc' kadmin command'), and remove it from the keytab file (using 'ktrem' kadmin command). Again re-create a fresh service principal and add it to the keytab file and retry.
Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Generic RC I/O error.On the telnet server, create a directory called "/var/tmp" if it is not already present. This should solve the problem.

Conclusion

This article demonstrated how to make use of the Kerberos authentication mechanism in the AIX network applications like telnet, FTP, and r-commands, which have support for Kerberos.

Resources

Learn

Get products and technologies

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=310553
ArticleTitle=Configure and enable the Kerberos authentication in telnet, FTP, and r-commands on AIX V6
publish-date=05272008