This developerWorks article is a very basic primer on Kerberos and a good place to start. For additional and up-to-date information on the Kerberos protocol, visit the Massachusetts Institute of Technology website on Kerberos: The Network Authentication Protocol (see Resources).
IBM Network Authentication Service for AIX is the IBM flavor of Kerberos shipped with the AIX Expansion Pack CD and is available with the IBM AIX Web Download Pack (see Resources). This section lists articles that describe different server features, configuration methods, policy management, backup management, and administration insights on IBM Network Authentication Service for AIX.
Learn how to set up a Key Distribution Center (KDC) to use Advanced Encryption Standard (AES) encryption to secure tickets. Developers use KDC in systems to control the permission for users to access certain services. The KDC uses tickets as a means to flag permission for accessing a particular service, or for authenticating users and providers of services.
Implement effective ways to configure IBM NAS with Lightweight Directory Access Protocol (LDAP) on AIX to get the maximum reliability and scalability in your Kerberos environment. This article shows you different ways of setting up the dynamic, yet consistent, Kerberos environment.
Use IBM NAS for AIX to learn about Kerberos policy management for passwords, and get acquainted with anything and everything about IBM NAS policy. Also examine complete commands, examples, and scenarios to assist you in using the Kerberos password policy to its fullest.
In a Kerberos environment, protecting principals' passwords is imperative to preserve the system security. Learn how Kerberos administrators can take advantage of the password protection and password strength enhancement features provided by IBM NAS for AIX.
This article provides step-by-step procedures for enabling and making use of a non-default encryption type such as "aes128-cts" in a Kerberos setup (IBM NAS). It also explains the reasoning behind every action taken in this regard. The explanation and reasoning will help Kerberos administrators make use of any other non-default encryption types in their Kerberos setups.
Become an expert administrator of a reliable Kerberos environment with high availability involving multiple Kerberos master-slave Key Distribution Centers (KDC) on IBM AIX and many clients. In this article, part 1 of a three-part series, learn how to configure and manage the basic master-slave KDC setup. Part 2 will cover how to upgrade the slave KDC to a master KDC. Part 3 will explain how to configure the master-slave KDC with LDAP as the back end for storing Kerberos data.
Be an expert administrator of a reliable Kerberos environment with high availability, involving multiple Kerberos master-slave Key Distribution Centers (KDC) on AIX and many clients. Part 2 of this series covers how to upgrade the slave KDC to perform as a master KDC. Part 1 covered how to configure and manage the basic master-slave KDC setup, and Part 3 will explain how to configure the master-slave KDC with LDAP as the back end for storing Kerberos data.
Security is an important aspect of the IBM AIX operating system. Follow along with this quick reference guide on AIX security commands to learn more.
Learn how to back up your important Kerberos data as a part of your business continuity plan and other backup processes. In a Kerberos production environment, taking regular and proper backups of Kerberos data is vital to ensure 24x7 reliable and consistent support to the users. This article educates Kerberos administrators on what data to consider for a backup plan.
Kerberos is a third-party authentication system that originated at MIT as part of Project Athena. This document describes the use of Kerberos as an alternative authentication mechanism for AIX. The loadable identification and authentication framework of AIX naturally lends itself to the use of Kerberos. Kerberos technology combined with LDAP user/group management provides a robust, centralized, and scalable authentication and identification mechanism for AIX.
Get an overview of the LDAP-related enhancements in the AIX 5L operating system V5.3 TL5 update. Some of the enhancements include support for Active Directory, multiple base distinguished name (DN) support, and an extended base DN format.
In this article, the author discusses common security problems in any UNIX® environment, including AIX. He identifies some of the key files and the steps required to maintain their integrity, and he highlights a number of security tools you can use to diagnose an AIX system and identify potential security lapses. The ideas discussed here apply to all releases of AIX and will be useful to both AIX system administrators and AIX programmers concerned about protecting their systems from intruders.
This section lists articles that show readers the available Kerberized file system deployments on AIX, migration across Kerberized file systems, enabling AIX Kerberized authentication in login modules across different operating systems, and means to use secure login applications such as Kerberized telnet, SSH, and more.
Find out how to use application programming interfaces (APIs) when writing your own custom Kerberos-based authentication applications. Network File System Version 4 (NFS V4), the up-and-coming enterprise file system, uses the Kerberos security mechanism to address privacy, authentication, and integrity requirements. In this article, you'll examine different Kerberos credential cache name formats that AIX NFS V4 supports and are required for authentication purposes. You'll also look at different methods of obtaining the Kerberos credential.
Learn how to configure an inter-realm setup between IBM NAS and Microsoft Active Directory for AIX Network File System (NFS) Version 4.
This article provides guidance to DCE or DFS users who are migrating from DCE or DFS to Kerberos/NFS V4. During the transition period, these users need to be authenticated and authorized to use both DFS and NFS V4 directories. This article answers some basic questions, such as, "Can the DCE authentication server be used as a Kerberos server for NFS V4 with a Kerberos client?"
Use the enriched security features of Network File System (NFS) Version 4 to pave your way to public key technology. In this article, you'll examine the NFS Version 4 built-in security schemes, and how to use the existing Kerberos authentication database in a LIPKEY security mechanism. You'll also find out how to take the first steps for a migration or extension from Kerberos to the LIPKEY security mechanism.
Learn how to use the IBM NFS/DFS Authentication Gateway commands and application programming interfaces (APIs) to design applications during migration. As the storage needs of large enterprises continue to grow and NFS implementations offer more and more features, it makes business sense for enterprises to migrate to NFS Version 4, as outlined in the "IBM NFS/DFS Authentication Gateway: A migration bridge to NFS Version 4" companion article.
Take advantage of the new features Network File System Version 4 (NFS Version 4) now has to offer. With the ever-growing storage needs in large enterprises and NFS implementations offering more and more features, it makes business sense for enterprises to migrate to NFS Version 4. In this article, we discuss the need and various strategies for migrating from the IBM Distributed Computing Environment (DCE)/Distributed File System (DFS) infrastructure to NFS Version 4 on AIX and Linux.
Discover how to configure the Microsoft Windows 2003 Server to authenticate Terminal Service users with the IBM Network Authentication Service (IBM NAS) Key Distribution Center (KDC) being hosted on their AIX 5.3 system. Such a setup not only gives Kerberized authentication for Terminal Service users, but it also allows users to have uniform user IDs and passwords across AIX and Windows Server systems. It allows application developers to exploit the advantages of Kerberos interoperability between IBM NAS and Windows in Kerberized applications spanning across systems.
Discover how you can configure the Kerberized Open Secure Shell (OpenSSH) on AIX Version 5.3 machines that have Microsoft Active Directory Server to act as the Key Distribution Center (KDC). OpenSSH encrypts traffic, including passwords, to eliminate eavesdropping, taking over your connection, or peeking into your data. If you work in a hybrid environment with multi-vendor solutions on AIX Version 5.3 systems, then you'll find this article extremely useful.
Set up a Kerberized environment to work with Solaris 10 and learn how to configure a Key Distribution Center (KDC) on AIX Version 5.3. You'll also run through a series of steps for configuring a Kerberos client on Solaris 10 to authenticate users for Telnet, remote shell (rsh), and Secure Shell (SSH) using AIX Version 5.3 as your KDC. Having a single IBM Network Authentication Service (NAS) KDC on AIX for authentication across different platforms is especially helpful in a hybrid environment.
Learn to make use of Kerberos authentication tickets in the day-to-day network services on IBM AIX V6 and discover how Kerberos can be useful in getting rid of the password hassles for network service logons. This is another method towards achieving single sign-on (SSO) on an AIX system network.
With the ever-growing need for higher-security systems, multi-factor authentication is preferred for network security. Since Kerberos is one of the most popular network authentication mechanisms, learn how to design multi-factor authentication over the Kerberos protocol. Understand the use of One Time Password (OTP) and GSS-API to achieve this.
This document describes the use of Kerberos as an alternative authentication mechanism for AIX using the Windows 2000/2003 Server Kerberos service. Authentication applications on AIX do not require any change to perform Kerberos authentication instead, as it is woven into the fabric of the AIX security subsystem. By utilizing the loadable identification and authentication framework of AIX, the system directs authentication requests to use Kerberos instead of standard UNIX authentication.
This article lists the essential resources relating to IBM Network Authentication Service for AIX. These resources cover all major topics that administrators or developers working with Kerberos on AIX need to know: a must-bookmark page!
Securing NFS in AIX: An Introduction to NFS v4 in AIX 5L Version 5.3 (IBM Redbook Publication): Discover security features in NFS v4.
DCE Replacement Strategies (IBM Redbook Publication): This IBM Redbook recommends strategies that you can use to replace the Distributed Computing Environment and how IBM NAS for AIX can be used for authentication data migration.
Massachusetts Institute of Technology website on Kerberos: Kerberos: The Network Authentication Protocol.
Massachusetts Institute of Technology website on Kerberos: Papers and Documentation.
Guide to Computer Security Log Management, Special Publication (SP) 800-92, issued by NIST's Information Technology Laboratory.
AIX and UNIX: Want more? The developerWorks AIX and UNIX zone hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials.
developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.
Get products and technologies
IBM Network Authentication Service for AIX: Download the IBM Network Authentication Service for AIX from IBM AIX Web Download Pack Programs.
IBM GUI-based Administration Tool for Network Authentication Service: Experience the GUI to perform the IBM NAS-related administration tasks: Download from the IBM alphaWorks today.
IBM Network Authentication Service for Linux and Solaris: Download the IBM Network Authentication Service for Linux and Solaris from here.
IBM GUI-based Administration Tool for Network Authentication Service: Experience the GUI to perform the IBM NAS-related administration tasks. Download from IBM alphaWorks today.
AIX 5L Expansion Pack and Web Download Pack: Start downloading now.
Sandeep Ramesh Patil is an Advisory Software Engineer for the IBM India System and Technology Lab. His professional experience has been in distributed technology and security products such as IBM Network Authentication Service (IBM Kerberos). He is an IBM developerWorks Professional Author, with most of his articles on information security. He also plays an active role in IP generation. Sandeep holds a BE degree in computer science and engineering from the University of Pune, India. You can contact him at email@example.com.