Specific process of configuring Kerberos for the telnet service (1)


Some service setups depend on an external environment; configuring Kerberos for the telnet service is one such case, and it is the subject of this article. In a Kerberos environment every Kerberized service is represented by a service principal. That service principal is an ordinary Kerberos principal; its long-term key, stored in the server's keytab, is the key with which the KDC encrypts the service tickets it issues to clients, so the service can decrypt and validate the tickets presented to it. The telnet service is no different: you must create the telnet service principal on the telnet server and then carry out a few configuration steps, described below.

If you configured the Kerberos client with the AIX 'mkkrb5clnt' command, you can skip steps 1 and 2 (creating the host service principal and adding it to the keytab): 'mkkrb5clnt' already creates the host service principal and stores it in /var/krb5/security/keytab/

On the computer running the telnet service (fsaix005.in.ibm.com), create a telnet service principal named "host/<FQDN_telnetd_hostname>". In this example it is "host/fsaix005.in.ibm.com".

Using the fully qualified domain name (FQDN) is critical here: the telnet client builds the service principal name from the server's canonical host name, so a short or mismatched name will not match the principal in the keytab.

    bash-2.05b# hostname
    fsaix005.in.ibm.com
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  addprinc -randkey host/fsaix005.in.ibm.com
    WARNING: no policy specified for host/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "host/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.

Add the telnet service principal to the keytab file (/etc/krb5/krb5.keytab). Note that 'ktadd' writes one keytab entry per encryption type the KDC supports for the principal; the output below includes single-DES and ArcFour (RC4) keys, which are deprecated (RFC 6649 and RFC 8429 respectively) and should be disabled in the KDC's enctype configuration on any current deployment.

    kadmin:  ktadd host/fsaix005.in.ibm.com
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin:  q
    bash-2.05b#

If "kadmin" cannot be run on the telnet server for some reason, create the service principal on the KDC, add it to a keytab file there (/etc/krb5/krb5.keytab), and then copy that keytab to the computer running telnetd, fsaix005.in.ibm.com in this example. The keytab contains the service's long-term key, and anyone who can read it can impersonate the telnet service and decrypt its tickets, so copy it only over an authenticated, encrypted channel (for example scp) and keep it owned by root with mode 600 on the destination.

Run '/usr/krb5/bin/klist -k' on the computer running the telnet service (fsaix005.in.ibm.com) and check the entries. There should be one line per encryption type added by 'ktadd', all for host/<FQDN> and all with the same key version number (KVNO).

    bash-2.05b# hostname
    fsaix005.in.ibm.com
    bash-2.05b# /usr/krb5/bin/klist -k
    Keytab name:  FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    bash-2.05b#
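The 'klist -k' check above confirms that the host principal is in the keytab, but it does not tell you whether the keytab's key version still matches the one the KDC holds; a mismatch (for example after a second 'addprinc -randkey' or 'ktadd' bumped the KVNO on the KDC) leaves telnetd unable to decrypt the tickets clients present. The script below is an added example, not part of the original article, that performs both checks: it insists on a fully qualified host name, reads the KVNO of the host/<FQDN> entries from 'klist -k' output, reads the KVNO the KDC reports from 'kadmin getprinc' output, and compares them. The 'klist' and 'getprinc' text it parses is constructed here (mirroring the article's output and the MIT-style "Key: vno N, ..." lines of getprinc, which is an assumption about the output format); on a real host feed it the live command output instead.

```sh
#!/bin/sh
# Added example (not from the article): post-ktadd keytab sanity checks.

# Constructed sample of `klist -k` output, mirroring the article's listing.
SAMPLE_KLIST='Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM'

# Constructed sample of `kadmin -q "getprinc host/fsaix005.in.ibm.com"` output
# (MIT-style format assumed; only the "Key: vno N, ..." lines are parsed).
SAMPLE_GETPRINC='Principal: host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
Number of keys: 5
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 3, arcfour-hmac
Key: vno 3, des-cbc-md5'

# Same principal after the KDC key was regenerated once more: keytab is now stale.
SAMPLE_GETPRINC_STALE='Principal: host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96'

# is_fqdn NAME: the host principal must be built from a fully qualified name.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# keytab_kvno FQDN REALM KLIST_OUTPUT
# Prints the single KVNO of the host/FQDN@REALM entries in `klist -k` output.
# Fails if no entry exists or the entries disagree on KVNO (mixed ktadd runs).
keytab_kvno() {
    principal="host/$1@$2"
    vnos=$(printf '%s\n' "$3" | awk -v p="$principal" '$2 == p { print $1 }' | sort -u)
    [ -n "$vnos" ] || return 1
    [ "$(printf '%s\n' "$vnos" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$vnos"
}

# kdc_kvno GETPRINC_OUTPUT
# Prints the KVNO the KDC holds, taken from the "Key: vno N, ..." lines.
# Fails if there are no key lines or they disagree.
kdc_kvno() {
    vnos=$(printf '%s\n' "$1" | awk '$1 == "Key:" && $2 == "vno" { sub(/,/, "", $3); print $3 }' | sort -u)
    [ -n "$vnos" ] || return 1
    [ "$(printf '%s\n' "$vnos" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$vnos"
}

# keytab_matches_kdc FQDN REALM KLIST_OUTPUT GETPRINC_OUTPUT
# Succeeds only when the name is an FQDN and the keytab KVNO equals the KDC KVNO.
keytab_matches_kdc() {
    is_fqdn "$1" || { echo "not an FQDN: $1" >&2; return 1; }
    kt=$(keytab_kvno "$1" "$2" "$3") || { echo "no consistent host/$1 entry in keytab" >&2; return 1; }
    kdc=$(kdc_kvno "$4") || { echo "no consistent key version from KDC" >&2; return 1; }
    [ "$kt" -eq "$kdc" ] || { echo "keytab kvno $kt != KDC kvno $kdc (re-run ktadd)" >&2; return 1; }
}

# Demonstration on the constructed samples.
if keytab_matches_kdc fsaix005.in.ibm.com ISL.IN.IBM.COM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC"; then
    echo "fresh keytab: OK"
fi
if ! keytab_matches_kdc fsaix005.in.ibm.com ISL.IN.IBM.COM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC_STALE"; then
    echo "stale keytab: detected"
fi
```

On the real server the call is keytab_matches_kdc "$(hostname)" ISL.IN.IBM.COM "$(/usr/krb5/bin/klist -k)" "$(kadmin -p admin/admin -q "getprinc host/$(hostname)")", with the realm and admin principal replaced by your own; a failure of the FQDN check is the "short host name" mistake the article warns about, and a KVNO mismatch is fixed by running 'ktadd' again on the server.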

On the computer running the telnet service (fsaix005.in.ibm.com), create a new local user "vipin"; this is the user you will later use to log on to fsaix005 remotely. Set the user's password.

    bash-2.05b# hostname
    fsaix005.in.ibm.com
    bash-2.05b# mkuser -R files vipin
    bash-2.05b# passwd vipin
    Changing password for "vipin"
    vipin's New password:
    Enter the new password again:
    bash-2.05b#

Create a Kerberos principal with the same name, "vipin". You can do this on any computer in the Kerberos realm that can reach the master KDC, whether the KDC itself or a client.
