System configuration for the secure rcmds

For all of the secure rcmds, there is a system-level configuration mechanism to determine which authentication methods are allowed for that system. The configuration controls both outgoing and incoming connections.

The authentication configuration consists of a library, libauthm.a, and two commands, lsauthent and chauthent, that provide command-line access to the library's two routines: get_auth_methods and set_auth_methods.

The system supports three different authentication methods: Kerberos V.5, Kerberos V.4, and Standard AIX. The configured authentication method determines how a user is authenticated across a network.

  • Kerberos V.5 is the most common method, as it is the basis for the Distributed Computing Environment (DCE). The operating system either upgrades incoming Kerberos V.5 tickets to full DCE credentials or uses incoming Native Kerberos V.5 tickets.
  • Kerberos V.4 is used by only two of the secure rcmds: rsh and rcp. It is provided to support compatibility with an earlier version on SP systems and is functional only on an SP system. A Kerberos V.4 ticket is not upgraded to DCE credentials.
  • The term Standard AIX authentication method refers to the authentication method that is used by the AIX® operating system.

There is a fallback implementation when more than one authentication method is configured. If the first method fails to connect, the client attempts to authenticate by using the next authentication method that is configured.

Authentication methods can be configured in any order. The only exception is that Standard AIX must be the final authentication method that is configured because there is no fallback option from it. If Standard AIX is not a configured authentication method, password authentication is not attempted, and any connection attempt that uses this method is rejected.

It is possible to configure the system without any authentication methods. In this case, the system refuses all connections from and to any terminal that uses secure rcmds. Also, because Kerberos V.4 is supported only with the rsh and rcp commands, a system that is configured to use only Kerberos V.4 does not allow connections that use telnet, ftp, or rlogin.
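
The ordering and fallback rules above can be checked against a proposed configuration before it is applied. The following sketch is an added example, not code from the AIX documentation. The labels k5, k4 and std, and the function names check_order and fallback_chain, are assumptions made for this example, and it assumes Kerberos V.5 and Standard AIX serve all five commands named on this page.

```shell
#!/bin/sh
# Added example: models the ordering and fallback rules described above.
# Labels chosen for this example (not the system's own identifiers):
#   k5 = Kerberos V.5, k4 = Kerberos V.4, std = Standard AIX

# check_order METHOD...: succeed only if nothing is configured after std,
# because there is no fallback from Standard AIX.
check_order() {
    seen_std=0
    for m in "$@"; do
        case "$m" in
            k5|k4|std) ;;
            *) echo "unknown method: $m"; return 2 ;;
        esac
        if [ "$seen_std" -eq 1 ]; then
            echo "invalid: $m is configured after std"
            return 1
        fi
        if [ "$m" = std ]; then seen_std=1; fi
    done
    echo "ok"
}

# fallback_chain CMD METHOD...: print, in order, the methods a client
# would try for CMD, or "refused" when no configured method applies.
fallback_chain() {
    cmd=$1; shift
    chain=""
    for m in "$@"; do
        # Kerberos V.4 is used only by rsh and rcp.
        if [ "$m" = k4 ]; then
            case "$cmd" in rsh|rcp) ;; *) continue ;; esac
        fi
        chain="${chain:+$chain }$m"
    done
    echo "${chain:-refused}"
}

# Constructed sample configurations (the last one is empty).
for cfg in "k5 k4 std" "std k5" "k4" ""; do
    printf '[%s] order: %s | rsh: %s | telnet: %s\n' "$cfg" \
        "$(check_order $cfg)" "$(fallback_chain rsh $cfg)" \
        "$(fallback_chain telnet $cfg)"
done
```

A chain that does not end in std means password authentication is never attempted for that command.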