Authentication and the secure rcmds

These commands have been enhanced to provide additional authentication methods to those used today.

The secure rcmds are rlogin, rcp, rsh, telnet, and ftp. By default these commands use the Standard AIX® method of authentication. The two additional methods are Kerberos V.5 and Kerberos V.4.

When using the Kerberos V.5 authentication method, the client gets a Kerberos V.5 ticket from the DCE security server or Native Kerberos server. The ticket is a portion of the user's current DCE or Native credentials encrypted for the TCP/IP server with which they wish to connect. The daemon on the TCP/IP server decrypts the ticket. This allows the TCP/IP server to absolutely identify the user. If the DCE or Native principal described in the ticket is allowed access to the operating system user's account, the connection proceeds.

Note: Beginning with DCE version 2.2, the DCE security server can return Kerberos V.5 tickets. The secure rcmds in the AIX operating system use the Kerberos V.5 library and the GSSAPI library provided by NAS (Network Authentication Service) version 1.3.

In addition to authenticating the client, Kerberos V.5 forwards the current user's credentials to the TCP/IP server. If the credentials are marked forwardable, the client sends them to the server as a Kerberos TGT (Ticket Granting Ticket). On the TCP/IP server side, if one is communicating with a DCE security server, the daemon upgrades the TGT into full DCE credentials using the k5dcecreds command.
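The two decisions the server side makes in the flow above (is the principal in the decrypted ticket allowed to use the requested local account, and may the forwarded TGT be accepted) are simulated in the following added example. It is illustration code written for this page, not the AIX or NAS implementation: the `Ticket` structure, the `.k5login`-style allow list (one principal per line) and the fallback rule that `user@LOCAL_REALM` maps to local user `user` are assumptions chosen to mirror common Kerberos conventions, and `EXAMPLE.COM` is a constructed realm.

```python
from dataclasses import dataclass, field

# Constructed local realm for the sample; a real server would take this from its
# Kerberos configuration.
LOCAL_REALM = "EXAMPLE.COM"


@dataclass
class Ticket:
    """What the daemon learns after decrypting the client's Kerberos V.5 ticket
    (hypothetical structure for illustration)."""
    client_principal: str                    # e.g. "alice@EXAMPLE.COM"
    server_principal: str                    # service the ticket was encrypted for
    flags: set = field(default_factory=set)  # e.g. {"forwardable"}


def parse_k5login(text):
    """Parse a .k5login-style allow list: one principal per line,
    '#' starts a comment, blank lines ignored."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            allowed.add(line)
    return allowed


def principal_allowed(principal, account, k5login_text=None):
    """Decide whether `principal` may use the local `account`.

    If an allow list exists, only listed principals qualify. Otherwise fall
    back to the usual convention (assumption): the name part must equal the
    account and the realm must be the local realm."""
    if k5login_text is not None:
        return principal in parse_k5login(k5login_text)
    name, _, realm = principal.partition("@")
    return name == account and realm == LOCAL_REALM


def accept_connection(ticket, expected_service, account, k5login_text=None):
    """Server-side decision for one incoming connection.

    Returns a dict with:
      accept      - whether the session may proceed
      reason      - short explanation for the audit log
      forward_tgt - whether a forwarded TGT would be accepted (only when the
                    ticket is marked forwardable and the login is accepted)"""
    # The ticket must have been encrypted for this server, not some other service.
    if ticket.server_principal != expected_service:
        return {"accept": False,
                "reason": "ticket was issued for a different server",
                "forward_tgt": False}
    if not principal_allowed(ticket.client_principal, account, k5login_text):
        return {"accept": False,
                "reason": f"{ticket.client_principal} is not allowed to use account {account}",
                "forward_tgt": False}
    return {"accept": True,
            "reason": f"{ticket.client_principal} authorized for account {account}",
            "forward_tgt": "forwardable" in ticket.flags}


if __name__ == "__main__":
    # Constructed sample: a ticket for this host's service, marked forwardable.
    service = "host/srv1.example.com@EXAMPLE.COM"
    t = Ticket("alice@EXAMPLE.COM", service, {"forwardable"})
    print(accept_connection(t, service, "alice"))
    print(accept_connection(t, service, "bob"))
    print(accept_connection(t, service, "bob", "alice@EXAMPLE.COM\n# ops on-call\n"))
```

The `forward_tgt` field only reports whether credential forwarding would follow a successful login; the page's k5dcecreds step (upgrading the TGT into full DCE credentials) happens after that decision and is outside this example.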

The ftp command uses a different authentication method than the other commands. It uses the GSSAPI security mechanism to pass the authentication between the ftp command and the ftpd daemon. Using the clear/safe/private subcommands, the ftp client supports data encryption.

Between operating system clients and servers, ftp has been enhanced to allow multiple-byte transfers for encrypted data connections. The standards define only single-byte transfers for encrypted data connections. When connected to third-party machines and using data encryption, ftp follows the single-byte transfer limit.

Note: The rlogin, rsh, and telnet secure rcmds, along with the klogin and kshell Kerberos V.5 authentication methods, allow three login attempts before the connection to the remote host is closed.