Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: August 2020
 
 

How to Use the Generic Security Service With Kerberos When Running FTP

The generic security service (GSS) can be used by Kerberos network applications for authentication, integrity, and privacy. The following steps show how to enable the GSS service for ProFTPD.

Before You Begin

You must assume the root role on the FTP server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Add principals for the FTP server and create the FTP server's keytab file.

    These steps might not be needed if the changes were made earlier.

    1. Start the kadmin command.
      ftpserver1 # /usr/sbin/kadmin -p kws/admin
      Enter password: xxxxxxxx
      kadmin: 
    2. Add the ftp service principal for the FTP server.
      kadmin: addprinc -randkey ftp/ftpserver1.example.com 
    3. Add the ftp service principal to a new keytab file.

      A new keytab file makes this information available to the ftp service without exposing all of the information in the server's keytab file.

      kadmin: ktadd -k /etc/krb5/ftp.keytab ftp/ftpserver1.example.com

      For more information, see the ktadd command in the kadmin(1) man page.

  2. Change ownership of the new keytab file.
    ftpserver1 # chown ftp:ftp /etc/krb5/ftp.keytab
  3. Enable GSS for the FTP server.

    Make the following changes to the /etc/proftpd.conf file.

    # pfedit /etc/proftpd.conf
    LoadModule     mod_gss.c
    
    GSSEngine      on
    GSSKeytab      /etc/krb5/ftp.keytab
  4. Restart the FTP server.
    # svcadm restart network/ftp