Hello Security Conscious Practitioners - or better should I say - Kerberos Loving People - they are synonyms, aren't they!
I am Sandeep R Patil, working on and interested in security, storage and related stuff, and I plan to blog on some of the features of IBM NAS (Network Authentication Service, not Network Attached Storage :-) ) in this context.
IBM released IBM Network Authentication Service Version 188.8.131.52 (IBM Kerberos, based on MIT Kerberos) in its latest AIX expansion pack and as a Web download (https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp). Though it is a minor release, it has some good features bundled with it. Following are their titles as listed in the Readme:
- TCP protocol support for KDC (AIX only)
- "ticket_lifetime" configuration relation support in krb5.conf file
- Post Run scripts for kinit and kdestroy commands
- Support for encrypted LDAP bind password
- Circular logging for IBM Network Authentication Service daemons
- Recertification with IBM Tivoli Directory Server (ITDS) 6.1
In this blog I would like to elaborate on "Post Run scripts for kinit and kdestroy commands". Many would have the following questions in mind:
- What is this feature?
- Is it applicable to me?
- I already have wrapper scripts for Kerberos utilities like kinit/kdestroy. Do I still need to worry?
Well, basically this feature allows administrators to notify other dependent kerberized applications of the successful execution of the kinit and kdestroy commands, so that they can take appropriate action. Vague/meaningless? Let's dig a little more into this:
I understand that administrators can have their own wrapper scripts which do more or less what the feature does. But there are a couple of exceptions. For example, there will be practitioners whose end users directly make use of the "kinit/kdestroy" programs, and we still want to make sure that the post scripts are called (not every customer may have the wrappers). Moreover, these scripts will be called only if "kinit" and "kdestroy" run successfully to completion. So if kdestroy fails for some reason, its post script will not be called. This is very vital and will possibly be missing in custom-made wrapper scripts (as they would not know whether kdestroy actually deleted the credential or failed for some valid reason).
To further emphasize its necessity: many Kerberos applications like NFS V4, the DB2 plug-in or custom-made Kerberos applications read the Kerberos credential and load it into their memory. If during this time the credential is destroyed using "kdestroy" or renewed using "kinit", there is no means to notify such independent applications that they need to delete the respective credential from their memory (unless the kerberized application keeps polling). These scripts will help do this. Now, if you are using Kerberized AIX NFS V4, you might be aware of the nfsauthreset command. Today, the user has to explicitly execute NFS V4's nfsauthreset command after executing kinit/kdestroy. With this feature, once the administrator puts the nfsauthreset command in the kinit and kdestroy post scripts (two new files, post_kinit_script.sh and post_kdestroy_script.sh, created under the /etc/krb5 directory), Kerberos credential notification becomes seamless. I think this is a very necessary feature, and if you are using Kerberized AIX NFS V4 - it is absolutely applicable to you :-) !
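As an added example (my own illustration, not the script shipped with IBM NAS), here is what one could install as /etc/krb5/post_kdestroy_script.sh, with the same file serving as post_kinit_script.sh under the other name. It logs the event and runs nfsauthreset only where that command exists; the hook receiving no arguments and the KRB5_POST_LOG override for testing are my assumptions.

```shell
#!/bin/sh
# Added example, not IBM's own hook: a notifier for /etc/krb5/post_kinit_script.sh
# and /etc/krb5/post_kdestroy_script.sh on AIX. kinit/kdestroy run the hook only
# after they succeed, so when it fires the credential cache really was
# created or destroyed. Assumed: the hook receives no arguments, and
# KRB5_POST_LOG optionally overrides the log path (used by the test below).

# notify_dependents EVENT
#   Record EVENT (kinit or kdestroy) and tell the NFS V4 kernel extension to
#   drop the GSSAPI credential it cached for this user, so a renewed or
#   destroyed ticket is not kept in use from kernel memory. Returns 0 when
#   logging and every notifier succeeded, otherwise the failing status.
notify_dependents() {
    event="$1"
    logfile="${KRB5_POST_LOG:-/var/log/krb5_post_hooks.log}"
    rc=0

    printf '%s event=%s uid=%s ccache=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$event" "$(id -u)" \
        "${KRB5CCNAME:-default}" >> "$logfile" || return $?

    # nfsauthreset exists only on AIX with Kerberized NFS V4; on any other
    # host there is nothing to notify, so skip it rather than fail.
    if command -v nfsauthreset >/dev/null 2>&1; then
        nfsauthreset || rc=$?
    fi
    return $rc
}

# Dispatch on the name the hook was installed under. Keep the file owned by
# root and not group/world-writable: it runs with the privileges of whoever
# invoked kinit or kdestroy. Under any other name (e.g. when sourced for a
# test) nothing runs automatically.
case "$(basename -- "$0")" in
    post_kinit_script.sh)    notify_dependents kinit ;;
    post_kdestroy_script.sh) notify_dependents kdestroy ;;
esac
```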
Reference: nfsauthreset Command - Notifies the Network File System (NFS) kernel extension to destroy the appropriate Generic Security Service API (GSSAPI) credentials from the kernel credentials cache.
http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds4/nfsauthreset.htm
Feel free to pass in your comments!
Till next time, Ciao - Sandeep
PS: Handy related links:
http://www.ibm.com/developerworks/aix/library/au-nas_relatedtech/
http://www.alphaworks.ibm.com/tech/nasgui/