Secure remote commands overview
The following information provides details about secure remote commands.
- Beginning with Distributed Computing Environment (DCE) version 2.2, the DCE security server can return Kerberos Version 5 tickets.
- All of the secure remote commands (rcmds) use the Kerberos Version 5 library provided by IBM® Network Authentication Service (NAS) that is available on the Expansion Pack DVD. You must install the krb5.client.rte fileset, which is also available on the Expansion Pack DVD.
- If you are migrating your AIX® operating system by using DVD media and Kerberos is already installed, the installation scripts prompt you to install krb5.client.rte from the Expansion Pack DVD.
- If you are migrating your AIX operating system by using NIM resources and Kerberos is already installed, add krb5 to your lpp_source directory.
The secure remote commands (rcmds) are rlogin, rcp, rsh, telnet, and ftp. These commands use the standard AIX authentication method; the additional authentication method provided is Kerberos.
When using the Kerberos Version 5 authentication method, the client gets a Kerberos Version 5 ticket from the DCE security server or Kerberos server. The ticket is a portion of the user's current DCE or local credentials, encrypted for the TCP/IP server to which the user wants to connect. The daemon on the TCP/IP server decrypts the ticket, which allows the TCP/IP server to positively identify the user. If the DCE or local principal described in the ticket is allowed access to the operating system user's account, the connection proceeds. The secure rcmds support Kerberos clients and servers from both Kerberos Version 5 and DCE.
In addition to authenticating the client, Kerberos Version 5 forwards the current user's credentials to the TCP/IP server. If the credentials are marked as forwardable, the client sends them to the server as a Kerberos ticket-granting ticket. On the TCP/IP server side, if a user is communicating with a DCE security server, the daemon upgrades the ticket-granting ticket to full DCE credentials using the k5dcecreds command.
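As an added example (not taken from this page or from IBM's own code), the following shell function checks the condition described above: whether the user's ticket-granting ticket carries the forwardable flag, as shown by klist -f. It assumes the MIT-style klist output layout (the IBM NAS klist format is not shown on this page), and the sample caches below are constructed.

```shell
#!/bin/sh
# Added example: decide whether the current Kerberos TGT is forwardable,
# which is the condition under which the secure rcmds send the user's
# credentials on to the TCP/IP server.
# Assumption: "klist -f" prints each ticket line followed by a "Flags:" line,
# and 'F' in the flags marks a forwardable ticket (MIT-style layout).

# tgt_forwardable REALM  (reads klist -f output on stdin)
# Prints "forwardable" or "not-forwardable"; returns 0 or 1 accordingly.
tgt_forwardable() {
    realm="$1"
    # Locate the krbtgt/REALM@REALM ticket line, then read the Flags line
    # that immediately follows it.
    flags=$(awk -v svc="krbtgt/$realm@$realm" '
        found && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        $NF == svc { found = 1 }
    ')
    case "$flags" in
        *F*) echo "forwardable"; return 0 ;;
        *)   echo "not-forwardable"; return 1 ;;
    esac
}

# Constructed sample cache: TGT obtained with forwarding requested (flags FIA).
SAMPLE_FWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/24 09:00:00  01/01/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
01/01/24 09:05:00  01/01/24 19:00:00  host/server.example.com@EXAMPLE.COM
        Flags: A'

# Constructed sample cache: same user, but the TGT is not forwardable (flags IA).
SAMPLE_NOFWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/24 09:00:00  01/01/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# check_sample REALM KLIST_TEXT: run the check over embedded sample text.
# On a real host you would pipe "klist -f | tgt_forwardable REALM" instead.
check_sample() {
    printf '%s\n' "$2" | tgt_forwardable "$1"
}
```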
The ftp command uses a different authentication method than the other secure rcmds. It uses the GSSAPI security mechanism to pass the authentication between the ftp command and the ftpd daemon. Using the clear, safe, and private subcommands, the ftp client supports data encryption.
Between operating system clients and servers, the ftp command allows multiple byte transfers for encrypted data connections. The standards define only single byte transfers for encrypted data connections. When connected to third-party machines and using data encryption, the ftp command follows the single byte transfer limit.