http://www.osnews.com/story/16441/Secure_Kerberized_Authentication_on_Solaris_Using_AIX Exploring the Future of Computing en-us Copyright 2001-2012, David Adams adam+nospam@osnews.com Wed, 15 Feb 2012 10:31:28 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://www.osnews.com/thread?180642 http://www.osnews.com/thread?180642 Did a double take on that title. Thu, 09 Nov 2006 21:11:00 GMT donotreply@osnews.com (Sphinx) Comments http://www.osnews.com/thread?180649 http://www.osnews.com/thread?180649 Nice article

You could easily setup the kerberos environment to authenticate against Active Directory as well. Thu, 09 Nov 2006 21:26:00 GMT donotreply@osnews.com (netpython) Comments http://www.osnews.com/thread?180656 http://www.osnews.com/thread?180656 This is a really hard way to setup Kerberos on Solaris 10. There is a much simpler way to do the client setup using the kclient command. It deals with the setup of the configuration files.

The main problem with this article though is that it recommends a VERY BAD practice of using ftp to transfer the keytab file. This is a cardinal sin for Kerberos config as you have just transfered raw keys in the keytab file over the network using a unsecured ftp connection.

The pam.conf for Solaris is also wrong it is missing at least one critical additional entry for pam_unix_cred which must be in all PAM stacks where the authenticated entity is a unix account. Thu, 09 Nov 2006 21:36:00 GMT donotreply@osnews.com (Darren Moffat) Comments http://www.osnews.com/thread?180668 http://www.osnews.com/thread?180668 It also tells you how to set up telnet and rsh! For crying out loud, kill these services, and make people upgrade. Thu, 09 Nov 2006 21:52:00 GMT donotreply@osnews.com (Murrell) Comments http://www.osnews.com/thread?180681 http://www.osnews.com/thread?180681 yeah... Kerberos is not going to help when rlogin works on a trusted host model and passwords and all keystrokes for telnet is sent as plain text.

At least they have to add a disclaimer saying that "this is how you do it but it's not recommended that you use either of them"

(Is is just me? Or did the article say that telnetd is still run by default on Solaris 10?) Thu, 09 Nov 2006 22:18:00 GMT donotreply@osnews.com (flav2000) Comments http://www.osnews.com/thread?180710 http://www.osnews.com/thread?180710 Checking one of my Solaris 10 x86 machines, both rlogin and telnet have an encryption option which can be used in conjunction with a Kerberos Realm using the -x option. This can also be configured to be a default behavior by modifying the krb5.conf file.

And while telnet is enabled by default, it is easily disabled:

svcadm disable telnet Thu, 09 Nov 2006 23:07:00 GMT donotreply@osnews.com (Robert Escue) Comments http://www.osnews.com/thread?180713 http://www.osnews.com/thread?180713 at least with heimdal kerberos (and I'd suspect here as well), telnet is actually kerberized telnet, so it's really not as bad as you might think. Thu, 09 Nov 2006 23:12:00 GMT donotreply@osnews.com (macisaac) Comments http://www.osnews.com/thread?180826 http://www.osnews.com/thread?180826 "The main problem with this article though is that it recommends a VERY BAD practice of using ftp to transfer the keytab file. This is a cardinal sin for Kerberos config as you have just transfered raw keys in the keytab file over the network using a unsecured ftp connection."

That's completely correct. In my opinion, the use of scp (secure copy, "ftp over ssh") should be recommended. The same issue: ssh should be prefered over telnet. Fri, 10 Nov 2006 03:36:00 GMT donotreply@osnews.com (Doc Pain) Comments http://www.osnews.com/thread?180895 http://www.osnews.com/thread?180895 scp would be fine providing you already have ssh setup with trustworth known_hosts files (ie you have passed over the initial MITM attack possibility).

Better yet though is if you use the kclient(1) setup program in Solaris 10 you don't need to do that step since it downloads the keytab file over a kerberos secured RPCSEC_GSS connection using the "admin" principal it requires (that is defined by the KDC owner). Fri, 10 Nov 2006 10:06:00 GMT donotreply@osnews.com (Darren Moffat) Comments http://www.osnews.com/thread?180958 http://www.osnews.com/thread?180958 Kerberos is old and busted. Asymmetric algorithms are the new(er) hotness. Fri, 10 Nov 2006 14:36:00 GMT donotreply@osnews.com (Meor) Comments