Sun Enterprise Authentication Mechanism 1.0.2 Guide

Overview of Kerberized Commands

The Kerberized network services are the programs that connect to another machine over the network. These programs are located in /usr/krb5/bin; set your PATH variable so that this directory comes before the directories holding the non-Kerberos versions. These programs are ftp, rcp, rlogin, rsh, and telnet.

These programs have all of the original features of the corresponding non-Kerberos equivalents. They also have additional features that transparently use your Kerberos tickets for negotiating authentication (and optional encryption) with the remote host. In most cases, you'll notice only that you no longer have to type your password to use them, because Kerberos will provide proof of your identity for you.

The Kerberos V5 network programs also give you the option of forwarding your tickets to the remote host and of encrypting the session, as described under the options below.


Note -

This section assumes you are already familiar with the non-Kerberos versions of these programs, and highlights the Kerberos functionality added by the Kerberos V5 package. For detailed descriptions of the commands described here, see their man pages.


The following Kerberos options have been added to ftp, rcp, rlogin, rsh, and telnet:

-a

Attempt automatic login using your existing tickets. Uses the username as returned by getlogin(), unless this is different from the current user ID. (See the telnet(1) man page for details.)

-f

Forward a non-reforwardable ticket to a remote host. This option is mutually exclusive with the -F option (see below); they cannot be used together in the same command.

You'll want to forward a ticket if you have reason to believe you'll need to authenticate yourself to other Kerberos-based services on a third host -- for example, if you want to rlogin to another machine and then rlogin from it to a third machine.

You should definitely use a forwardable ticket if your home directory on the remote host is NFS-mounted using Kerberos V5; otherwise, you won't be able to access your home directory. (That is, suppose you initially log into System 1. From System 1 you rlogin into your home machine, System 2, which mounts your home directory from System 3. Unless you've used the -f or -F option with rlogin, you won't be able to get to your home directory, because your ticket can't be forwarded to System 3.)

By default, kinit obtains forwardable ticket-granting tickets (TGTs); however, your SEAM configuration may differ in this respect.

For more on forwarding tickets, see "Forwarding Tickets with -f and -F".

-F

Forward a reforwardable copy of your ticket-granting ticket to a remote system. It is similar to -f (see above), but it allows for access to a further (say, fourth or fifth) machine. The -F option can therefore be regarded as being a superset of the -f option. The -F option is mutually exclusive with the -f option; they cannot be used together in the same command.

For more on forwarding tickets, see "Forwarding Tickets with -f and -F".
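Before relying on -f or -F, it is worth confirming that the ticket-granting ticket you hold is actually forwardable, since, as noted above, a site's SEAM configuration can change what kinit issues by default. The following shell script is an added example; it is not part of the SEAM guide or of the SEAM software. It reads the output of klist -f, finds the krbtgt entry, and reports whether the uppercase F (forwardable) flag is present on it. The klist output it uses is constructed for the example, and the "Flags:" line format is assumed from the Solaris and MIT klist -f conventions (F = forwardable, f = forwarded, R = renewable, I = initial).

```sh
#!/bin/sh
# Added example, not from the SEAM guide: check whether the TGT in the
# credential cache is forwardable before depending on rlogin/rsh/telnet -f or -F.
# Assumed klist -f format: the ticket line is followed by an indented
# "Flags: ..." line; F means forwardable, f means already forwarded.

# Print the flag letters attached to the krbtgt/ entry of klist -f output read
# from standard input. Prints nothing if no TGT or no Flags line is found.
tgt_flags() {
    awk '
        index($0, "krbtgt/") { in_tgt = 1; next }
        in_tgt && /Flags:/   { sub(/.*Flags:[ \t]*/, ""); print; exit }
        /^[0-9]/             { in_tgt = 0 }   # a later ticket line: stop looking
    '
}

# Succeed (exit 0) only if the TGT carries the uppercase F (forwardable) flag.
# The lowercase f flag means "forwarded", not "forwardable", and the case
# pattern below is case-sensitive, so it is deliberately not accepted.
tgt_is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample in klist -f format (not captured from a real host):
# the KDC issued a forwardable, initial, pre-authenticated TGT.
sample_klist_forwardable() {
    printf '%s\n' \
        'Ticket cache: FILE:/tmp/krb5cc_1001' \
        'Default principal: alice@EXAMPLE.COM' \
        '' \
        'Valid starting       Expires              Service principal' \
        '01/01/24 10:00:00    01/01/24 20:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM'
    printf '\tFlags: FIA\n'
}

# Constructed sample of the same cache where the TGT lacks the F flag,
# which is what a site that disables forwardable tickets would show.
sample_klist_not_forwardable() {
    printf '%s\n' \
        'Ticket cache: FILE:/tmp/krb5cc_1001' \
        'Default principal: alice@EXAMPLE.COM' \
        '' \
        'Valid starting       Expires              Service principal' \
        '01/01/24 10:00:00    01/01/24 20:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM'
    printf '\tFlags: IA\n'
}

# On a SEAM host the live check would be:  klist -f | tgt_is_forwardable
# Here the constructed sample stands in for klist.
if sample_klist_forwardable | tgt_is_forwardable; then
    echo "TGT is forwardable: rlogin -f or -F can forward it"
else
    echo "TGT is not forwardable: obtain one with kinit -f or check your SEAM configuration"
fi
```

The check distinguishes the uppercase F flag from the lowercase f flag on purpose: a ticket that was itself forwarded to this host (f) is not necessarily one you can forward onward, which is exactly the situation the -F discussion above is about.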

-k realm

Request tickets for the remote host in the specified realm, instead of determining the realm itself using the krb5.conf file.

-K

Use your tickets to authenticate to the remote host, but do not automatically log in.

-m mechanism

Specify the GSS-API security mechanism to use, as listed in the /etc/gss/mech file. Defaults to kerberos_v5.

-x

Encrypt this session.

-X auth_type

Disable authentication of the type auth_type.

Table 4-1 shows which commands take each option (an "X" indicates that the command has that option).

Table 4-1 Kerberos Options for Network Commands

Option  ftp  rcp  rlogin  rsh  telnet
-a                             X
-f           X    X       X    X
-F                X       X    X
-k           X    X       X    X
-K                             X
-m      X
-x           X    X       X    X
-X                             X

Additionally, ftp allows the protection level for a session to be set at its prompt:

clear

Set the protection level to "clear" (no protection). This is the default.

private

Set the protection level to "private." Data transmissions are confidentiality- and integrity-protected by encryption. The privacy service may not be available to all SEAM users, however.

safe

Set the protection level to "safe." Data transmissions are integrity-protected by cryptographic checksum.

You can also set the protection level at the ftp prompt by entering protect followed by any of the protection levels shown above (clear, private, or safe).