Examples -- Using Kerberized Commands (Sun Enterprise Authentication Mechanism 1.0.2 Guide)

Sun Enterprise Authentication Mechanism 1.0.2 Guide

Examples -- Using Kerberized Commands

The following examples give an idea of how the options to the Kerberized commands work.

Example -- Using the `-a`, `-f`, and `-x` Options with `telnet`

In this example, the user david has already logged in, and wants to telnet to the machine denver.example.com. He uses the -f option to forward his existing tickets, the -x option to encrypt the session, and the -a option to perform the login automatically. Because he does not plan to use the services of a third host, he can use -f instead of -F.

% telnet -a -f -x denver.example.com 
Trying 128.0.0.5... 
Connected to denver.example.com. Escape character is '^]'. 
[ Kerberos V5 accepts you as "david@eng.example.com" ] 
[ Kerberos V5 accepted forwarded credentials ] 
SunOS 5.7: Tue May 21 00:31:42 EDT 1998  Welcome to SunOS 
%

Notice that david's machine used Kerberos to authenticate him to denver.example.com, and logged him automatically as himself. He had an encrypted session, a copy of his tickets already waiting for him, and he never had to type his password. If he had used a non-Kerberos version of telnet, he would have been prompted for his password, and it would have been sent over the network unencrypted -- if an intruder were watching network traffic at the time, the intruder would have known david's password.

If you forward your Kerberos tickets, telnet (as well as the other commands discussed here) destroys them when it exits.

Example -- Using `rlogin` with the `-F` Option

Here the user jennifer wants to log in to her own machine, boston.example.com. She forwards her existing tickets with -F, and encrypts the session with -x. She chooses -F rather than -f because after she's logged in to boston she might want to perform other network transactions requiring tickets to be reforwarded. Also, because she is forwarding her existing tickets, she does not have to type her password.

% rlogin boston.example.com -F -x
This rlogin session is using DES encryption for all transmissions.
Last login Mon May 19 15:19:49 from daffodil 
SunOS Release 5.7 (GENERIC) #2 Tue Nov 14 18:09:3 EST 1998 
%

Example -- Setting Protection Level in `ftp`

Now suppose that joe wants to use ftp to get his mail from the directory ~joe/MAIL from the machine denver.example.com, encrypting the session. The exchange would look like this:

% ftp -f denver.example.com
Connected to denver.example.com
220 denver.example.org FTP server (Version 6.0) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type 
GSSAPI authentication succeeded Name (daffodil.example.org:joe) 
232 GSSAPI user joe@MELPOMENE.EXAMPLE.COM is authorized as joe
230 User joe logged in.
Remote system type is UNIX.
Using BINARY mode to transfer files.
ftp> protect private
200 Protection level set to Private
ftp> cd ~joe/MAIL
250 CWD command successful.
ftp> get RMAIL
227 Entering Passive Mode (128,0,0,5,16,49)
150 Opening BINARY mode data connection for RMAIL (158336 bytes).
226 Transfer complete. 158336 bytes received in 1.9 seconds (1.4e+02 Kbytes/s)
ftp> quit
%

To encrypt the session, joe sets the protection level to private.