Linked by Thom Holwerda on Thu 9th Nov 2006 20:42 UTC, submitted by anonymous
General Unix Set up a Kerberized environment to work with Solaris 10 and learn how to configure a Key Distribution Center on AIX Version 5.3. You'll also run through a series of steps for configuring a Kerberos client on Solaris 10 to authenticate users for Telnet, remote shell, and Secure Shell using AIX 5.3 as your KDC.
Huh?
by Sphinx on Thu 9th Nov 2006 21:11 UTC

Did a double take on that title.


point of view
by netpython on Thu 9th Nov 2006 21:26 UTC

Nice article

You could easily set up the Kerberos environment to authenticate against Active Directory as well.


A few serious flaws
by Darren Moffat on Thu 9th Nov 2006 21:36 UTC

This is a really hard way to set up Kerberos on Solaris 10. There is a much simpler way to do the client setup using the kclient command. It deals with the setup of the configuration files.

The main problem with this article though is that it recommends a VERY BAD practice of using ftp to transfer the keytab file. This is a cardinal sin for Kerberos config as you have just transferred raw keys in the keytab file over the network using an unsecured ftp connection.

The pam.conf for Solaris is also wrong: it is missing at least one critical additional entry for pam_unix_cred, which must be in all PAM stacks where the authenticated entity is a unix account.


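As an added illustration of the pam.conf point made above (this is not code from the article or from any commenter), a small Python checker that parses a Solaris 10 style pam.conf and reports every auth stack that references pam_krb5 or pam_unix_auth without also listing pam_unix_cred; both sample configurations are constructed for the example.

```python
import re

# Solaris pam.conf line: service  module_type  control_flag  module_path [options]
PAM_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam_conf(text):
    """Return {(service, module_type): [module_name, ...]} in stack order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue                          # tolerate malformed lines
        service, mtype, _flag, path, _opts = m.groups()
        # pam_krb5.so.1 -> pam_krb5 (strip directory and shared-object suffix)
        module = path.rsplit("/", 1)[-1].split(".so", 1)[0]
        stacks.setdefault((service, mtype), []).append(module)
    return stacks

def missing_unix_cred(text):
    """Services whose auth stack authenticates a unix account but lacks pam_unix_cred."""
    bad = []
    for (service, mtype), modules in parse_pam_conf(text).items():
        if mtype != "auth":
            continue
        uses_unix_account = "pam_krb5" in modules or "pam_unix_auth" in modules
        if uses_unix_account and "pam_unix_cred" not in modules:
            bad.append(service)
    return sorted(bad)

# Constructed sample: a Kerberos auth stack with pam_unix_cred left out
ARTICLE_STYLE = """\
other auth requisite pam_authtok_get.so.1
other auth required  pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required  pam_unix_auth.so.1
"""

# Constructed sample: the same stack with pam_unix_cred in the position Solaris 10 uses by default
CORRECTED = """\
other auth requisite pam_authtok_get.so.1
other auth required  pam_dhkeys.so.1
other auth required  pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required  pam_unix_auth.so.1
"""

if __name__ == "__main__":
    print("stacks missing pam_unix_cred (article style):", missing_unix_cred(ARTICLE_STYLE))
    print("stacks missing pam_unix_cred (corrected):    ", missing_unix_cred(CORRECTED))
```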
RE: A few serious flaws
by Doc Pain on Fri 10th Nov 2006 03:36 UTC in reply to "A few serious flaws"

"The main problem with this article though is that it recommends a VERY BAD practice of using ftp to transfer the keytab file. This is a cardinal sin for Kerberos config as you have just transferred raw keys in the keytab file over the network using an unsecured ftp connection."

That's completely correct. In my opinion, the use of scp (secure copy, "ftp over ssh") should be recommended. The same issue: ssh should be preferred over telnet.


RE[2]: A few serious flaws
by Darren Moffat on Fri 10th Nov 2006 10:06 UTC in reply to "RE: A few serious flaws"

scp would be fine providing you already have ssh set up with trustworthy known_hosts files (i.e. you have passed over the initial MITM attack possibility).

Better yet though, if you use the kclient(1) setup program in Solaris 10 you don't need to do that step, since it downloads the keytab file over a Kerberos-secured RPCSEC_GSS connection using the "admin" principal it requires (that is defined by the KDC owner).


Telnet? Rsh?
by Murrell on Thu 9th Nov 2006 21:52 UTC

It also tells you how to set up telnet and rsh! For crying out loud, kill these services, and make people upgrade.


RE: Telnet? Rsh? (security holes)
by flav2000 on Thu 9th Nov 2006 22:18 UTC in reply to "Telnet? Rsh?"

Yeah... Kerberos is not going to help when rlogin works on a trusted host model and passwords and all keystrokes for telnet are sent as plain text.

At least they have to add a disclaimer saying that "this is how you do it but it's not recommended that you use either of them"

(Is it just me? Or did the article say that telnetd is still run by default on Solaris 10?)


by Robert Escue

Checking one of my Solaris 10 x86 machines, both rlogin and telnet have an encryption option which can be used in conjunction with a Kerberos Realm using the -x option. This can also be configured to be a default behavior by modifying the krb5.conf file.

And while telnet is enabled by default, it is easily disabled:

svcadm disable telnet


RE: Telnet? Rsh?
by macisaac on Thu 9th Nov 2006 23:12 UTC in reply to "Telnet? Rsh?"

At least with Heimdal Kerberos (and I'd suspect here as well), telnet is actually kerberized telnet, so it's really not as bad as you might think.


No
by Meor on Fri 10th Nov 2006 14:36 UTC

Kerberos is old and busted. Asymmetric algorithms are the new(er) hotness.
