Home > Others

Specific process of configuring Kerberos for the telnet service (1)

Source: Internet
Author: User
Tags hmac fully qualified domain name
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

In some service settings, we usually use other environments to complete some operations. For example, we will talk about configuring Kerberos for the telnet service. In the Kerberos environment, each Kerberos service is represented by a service entity. This service subject is only a common Kerberos subject and holds the key used to decrypt the response sent by the Kerberos server. This is also true for the telnet service. You need to create the telnet service principal on the telnet server and perform some configuration steps. Perform the following steps to configure Kerberos for the telnet service.

If you have used the AIX 'mkkrb5clnt 'command to configure the Kerberos client, you do not need to perform steps 1 and 2. Run the 'mkkrb5clnt 'command to create and store the host service principal in the/var/krb5/security/keytab/

On the computer running the telnet service (fsaix005.in.ibm.com), create a telnet service subject named "host/<FQDN_telnetd_hostname>. In this example, it will be "host/fsaix005.in.ibm.com ".

Using the Fully Qualified Domain Name, FQDN) is critical to the normal operation of this setting.

 
 
    
  
  
  1. bash-2.05b# hostname  
    2. 
  
  
  2. fsaix005.in.ibm.com  
    3. 
  
  
  3. bash-2.05b# kadmin -p admin/admin  
    4. 
  
  
  4. Authenticating as principal admin/admin with password.  
    5. 
  
  
  5. Password for admin/admin@ISL.IN.IBM.COM:  
    6. 
  
  
  6. kadmin:  addprinc -randkey host/fsaix005.in.ibm.com  
    7. 
  
  
  7. WARNING: no policy specified for host/fsaix005.in.ibm.com@ISL.IN.IBM.COM;  
    8. 
  
  
  8. defaulting to no policy. Note that policy may be overridden by  
    9. 
  
  
  9. ACL restrictions.  
    10. 
  
  
  10. Principal "host/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created. 
    11.

Add the telnet service principal to the keytab file (/etc/krb5/krb5.keytab.

 
 
    
  
  
  1. kadmin:  ktadd host/fsaix005.in.ibm.com  
    2. 
  
  
  2. Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES  
    3. 
  
  
  3. cbc  
    4. 
  
  
  4. mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.  
    5. 
  
  
  5. Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour  
    6. 
  
  
  6. with  
    7. 
  
  
  7. HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.  
    8. 
  
  
  8. Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-256  
    9. 
  
  
  9. CTS  mode  
    10. 
  
  
  10. with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.  
    11. 
  
  
  11. Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc  
    12. 
  
  
  12. mode  
    13. 
  
  
  13. with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.  
    14. 
  
  
  14. Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-128  
    15. 
  
  
  15. CTS mode  
    16. 
  
  
  16. with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.  
    17. 
  
  
  17. kadmin:  q  
    18. 
  
  
  18. bash-2.05b# 
    19.

If "kadmin" cannot be run for some reason, create a service principal on KDC and add it to the keytab file (/etc/krb5/krb5.keytab, the keytab file is then transmitted to the computer running telnetd. For this example, It is fsaix005.in.ibm.com.

Run '/usr/krb5/bin/klist-k' on the computer running the telnet service (fsaix005.in.ibm.com) and check the entries.

 
 
    
  
  
  1. bash-2.05b# hostname  
    2. 
  
  
  2. fsaix005.in.ibm.com  
    3. 
  
  
  3. bash-2.05b# /usr/krb5/bin/klist -k  
    4. 
  
  
  4. Keytab name:  FILE:/etc/krb5/krb5.keytab  
    5. 
  
  
  5. KVNO Principal  
    6. 
  
  
  6. ---- ---------  
    7. 
  
  
  7. 3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM  
    8. 
  
  
  8. 3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM  
    9. 
  
  
  9. 3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM  
    10. 
  
  
  10. 3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM  
    11. 
  
  
  11. 3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM  
    12. 
  
  
  12. bash-2.05b# 
    13.

On the computer running the telnet service (fsaix005.in.ibm.com), create a new user "vipin" and you will use this user to remotely log on to fsaix005. Change the password of the user.

 
 
    
  
  
  1. bash-2.05b# hostname  
    2. 
  
  
  2. fsaix005.in.ibm.com  
    3. 
  
  
  3. bash-2.05b# mkuser -R files vipin  
    4. 
  
  
  4. bash-2.05b# passwd vipin  
    5. 
  
  
  5. Changing password for "vipin"  
    6. 
  
  
  6. vipin's New password:  
    7. 
  
  
  7. Enter the new password again:  
    8. 
  
  
  8. bash-2.05b# 
    9.

Create a Kerberos principal with the same name "vipin. You can perform this operation on any computer master KDC or client in the Kerberos field.


This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
telnet http 1 1 write command for full listing of all running process service bus for windows server 1 1 download process exit code 1 types of telnet 10 steps of service for servers use of telnet command

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More