Set up a Kerberized environment to work with Solaris 10 and learn how to configure a Key Distribution Center on AIX Version 5.3. You’ll also run through a series of steps for configuring a Kerberos client on Solaris 10 to authenticate users for Telnet, remote shell, and Secure Shell using AIX 5.3 as your KDC.
Did a double take on that title.
Nice article
You could easily set up the Kerberos environment to authenticate against Active Directory as well.
This is a really hard way to set up Kerberos on Solaris 10. There is a much simpler way to do the client setup using the kclient command. It deals with the setup of the configuration files.
The main problem with this article though is that it recommends a VERY BAD practice of using ftp to transfer the keytab file. This is a cardinal sin for Kerberos config as you have just transferred raw keys in the keytab file over the network using an unsecured ftp connection.
The pam.conf for Solaris is also wrong; it is missing at least one critical additional entry for pam_unix_cred, which must be in all PAM stacks where the authenticated entity is a unix account.
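The pam_unix_cred point above is easy to check mechanically. The following is an added example, not code from the article or from Solaris: it parses a pam.conf in the Solaris 10 five-column format (service, module type, control flag, module path, options) and reports every auth stack that has no pam_unix_cred entry. The sample configuration is constructed for this example, and the check treats every auth stack as one for unix accounts, which is the simplifying assumption here.

```python
from collections import defaultdict

# Constructed Solaris 10 style pam.conf fragment (not the article's file).
# The "login" auth stack carries pam_unix_cred; the "other" fallback stack,
# which services such as telnet, rsh and ssh use when they have no entry
# of their own, was built with pam_krb5 but without pam_unix_cred.
SAMPLE_PAM_CONF = """\
# login service
login   auth requisite      pam_authtok_get.so.1
login   auth required       pam_dhkeys.so.1
login   auth required       pam_unix_cred.so.1
login   auth required       pam_unix_auth.so.1
# default stack for every service without its own entries
other   auth requisite      pam_authtok_get.so.1
other   auth required       pam_dhkeys.so.1
other   auth sufficient     pam_krb5.so.1
other   auth required       /usr/lib/security/pam_unix_auth.so.1
"""


def parse_pam_conf(text):
    """Group pam.conf lines into stacks keyed by (service, module type).

    Each stack is the ordered list of its entries; comments and blank lines
    are ignored, and a line with fewer than four fields is rejected.
    """
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("pam.conf line %d: expected at least 4 fields" % lineno)
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append({
            "line": lineno,
            "control": control,
            # keep only the basename so bare and absolute module paths compare equal
            "module": module.rsplit("/", 1)[-1],
            "options": fields[4:],
        })
    return stacks


def find_missing_unix_cred(stacks, required_module="pam_unix_cred.so.1"):
    """Return the sorted service names whose auth stack lacks required_module.

    Assumption for this example: every auth stack authenticates unix accounts,
    so every one of them needs the credential module.
    """
    missing = []
    for (service, mtype), entries in sorted(stacks.items()):
        if mtype != "auth":
            continue
        if required_module not in [e["module"] for e in entries]:
            missing.append(service)
    return missing


if __name__ == "__main__":
    for service in find_missing_unix_cred(parse_pam_conf(SAMPLE_PAM_CONF)):
        print("auth stack for service %r has no pam_unix_cred entry" % service)
```

Running it on the constructed sample flags only the "other" stack; pointing `parse_pam_conf` at the contents of a real /etc/pam.conf gives the same report for that machine.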
“The main problem with this article though is that it recommends a VERY BAD practice of using ftp to transfer the keytab file. This is a cardinal sin for Kerberos config as you have just transferred raw keys in the keytab file over the network using an unsecured ftp connection.”
That’s completely correct. In my opinion, the use of scp (secure copy, “ftp over ssh”) should be recommended. The same issue: ssh should be preferred over telnet.
scp would be fine providing you already have ssh set up with trustworthy known_hosts files (i.e. you have passed over the initial MITM attack possibility).
Better yet though is if you use the kclient(1) setup program in Solaris 10 you don’t need to do that step since it downloads the keytab file over a kerberos secured RPCSEC_GSS connection using the “admin” principal it requires (that is defined by the KDC owner).
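Why the comments above treat an ftp transfer of the keytab as a cardinal sin is visible in the file format itself. The following is an added example, not code from the article or from any Kerberos implementation: it builds and parses a keytab in the MIT/Heimdal version 0x0502 format (big-endian; each entry is a signed size prefix, the principal's realm and name components, a name type, a timestamp, an 8-bit key version, the encryption type and the key bytes, optionally followed by a 32-bit key version). The principal, timestamp and 16-byte key are constructed values, not real key material.

```python
import struct

KEYTAB_VERSION = 0x0502  # keytab file format version 2, all fields big-endian


def _counted(data):
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, off):
    """Decode a counted_octet_string at off; return (bytes, offset after it)."""
    (length,) = struct.unpack(">H", blob[off:off + 2])
    off += 2
    return blob[off:off + length], off + length


def build_keytab_entry(realm, components, enctype, kvno, key, name_type=1, timestamp=0):
    """Serialize one entry: size prefix, principal, name type, timestamp, key."""
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit kvno trailer, present in modern keytabs
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """Prefix the version word to a sequence of serialized entries."""
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(entries)


def parse_keytab(blob):
    """Return a list of dicts, one per live entry, with the key bytes as stored."""
    (version,) = struct.unpack(">H", blob[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off = 2
    entries = []
    while off + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[off:off + 4])
        off += 4
        if size < 0:            # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        realm, off = _read_counted(blob, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(blob, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack(">IIB", blob[off:off + 9])
        off += 9
        (enctype,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        key, off = _read_counted(blob, off)
        kvno = vno8
        if end - off >= 4:      # 32-bit kvno present; a nonzero value overrides vno8
            (vno32,) = struct.unpack(">I", blob[off:off + 4])
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "key": key,
        })
    return entries


def describe(entries):
    """One line per entry; the key is printable as-is because it is stored in the clear."""
    return ["%s kvno=%d enctype=%d key=%s"
            % (e["principal"], e["kvno"], e["enctype"], e["key"].hex()) for e in entries]


# Constructed sample (not from the article): a host principal with a made-up
# 16-byte key under enctype 17 (aes128-cts-hmac-sha1-96).
SAMPLE_KEY = bytes(range(16))
SAMPLE_KEYTAB = build_keytab([
    build_keytab_entry("EXAMPLE.COM", ["host", "solaris10.example.com"],
                       17, 3, SAMPLE_KEY, timestamp=1167609600),
])

if __name__ == "__main__":
    for line in describe(parse_keytab(SAMPLE_KEYTAB)):
        print(line)
```

Pointing `parse_keytab` at the bytes of a real keytab gives the same output: the long-term key for each principal, in the clear, which is exactly what an ftp transfer exposes on the wire and why the kclient approach of fetching it over a GSS-protected RPC channel is preferable.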
It also tells you how to set up telnet and rsh! For crying out loud, kill these services, and make people upgrade.
yeah… Kerberos is not going to help when rlogin works on a trusted host model and passwords and all keystrokes for telnet are sent as plain text.
At least they have to add a disclaimer saying that “this is how you do it but it’s not recommended that you use either of them”
(Is it just me? Or did the article say that telnetd is still run by default on Solaris 10?)
Checking one of my Solaris 10 x86 machines, both rlogin and telnet have an encryption option which can be used in conjunction with a Kerberos Realm using the -x option. This can also be configured to be a default behavior by modifying the krb5.conf file.
And while telnet is enabled by default, it is easily disabled:
svcadm disable telnet
At least with heimdal kerberos (and I’d suspect here as well), telnet is actually kerberized telnet, so it’s really not as bad as you might think.
Kerberos is old and busted. Asymmetric algorithms are the new(er) hotness.