topic Re: Kerberos security in Operating System - HP-UX

Kerberos security

Ngoh Chean Siung — Mon, 10 Jan 2005 07:06:01 GMT

Hi,

How I know whether the Kerberos security is used in my system?

regards.

Re: Kerberos security

Robert-Jan Goossens — Mon, 10 Jan 2005 07:11:13 GMT

Hi,

# swlist -l fileset | grep -i kerberos

check the /etc/pam.conf

http://www.software.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=J5849AA

Hope this helps,
Robert-Jan

Re: Kerberos security

Ngoh Chean Siung — Tue, 11 Jan 2005 03:46:33 GMT

Hi,

In the HP-UX 11.11 system,

# swlist -l fileset | grep -i kerberos
# KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
# KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
# PAM-Kerberos B.11.11.12 PAM-Kerberos Version 1.10
PAM-Kerberos.PAM-KRB-DEMO B.11.11.12 PAM-Kerberos Demonstration
PAM-Kerberos.PAM-KRB-MAN B.11.11.12 PAM-Kerberos Man Pages
PAM-Kerberos.PAM-KRB-RUN B.11.11.12 PAM-Kerberos Runtime
PAM-Kerberos.PAM-KRB-SHLIB B.11.11.12 PAM-Kerberos Shared Library

In the HP-UX 11 system,

# swlist -l fileset | grep -i kerberos
# KRB-Support B.11.00 Kerberos Support for HP-UX and DCE

Q1) I think there is Kerberos software installed in both system. How I know whether we are using this software now? Or these software is come together with the server? Because I want to hash all the kerberos services under /etc/services and /etc/inetd.conf.

Example of the kerberos services is as below:

kerberos5 88/udp kdc # Kerberos 5 kdc
klogin 543/tcp # Kerberos rlogin -kfall
kshell 544/tcp krcmd # Kerberos remote shell -kfall
ekshell 545/tcp krcmd # Kerberos encrypted remote shell -kfall
kerberos 750/udp kdc # Kerberos (server) udp -kfall
kerberos 750/tcp kdc # Kerberos (server) tcp -kfall
kerberos_master 751/tcp kadmin # Kerberos kadmin
krbupdate 760/tcp kreg # Kerberos registration -kfall
kpasswd 761/tcp kpwd # Kerberos "passwd" -kfall
eklogin 2105/tcp # Kerberos encrypted rlogin -kfall

regards.

Re: Kerberos security

Michael Selvesteen_2 — Tue, 11 Jan 2005 04:21:25 GMT

Hello,

Try the following:

1. swlist | grep T1417AA

If it results with the following

"Kerberos Server Version X.X and its Administration Utilities"

It says HP Kerberos server is available on your host. You can simply remove the server by the following command if needed.

swremove T1417AA

2. A simple check for kerberos deamon is

ps -ef | grep kdcd

which lists kerberos deomons if it is currently running in the system.

Q1) I think there is Kerberos software installed in both system. How I know whether we are using this software now? Or these software is come together with the server? Because I want to hash all the kerberos services under /etc/services and /etc/inetd.conf.

I belive from you message no kerberos server runs on your machine. If you no more need kerberos support for those services you may hast it all.

Releated links:

http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/inetd.conf

http://www.isi.edu/gost/brian/security/kerberos.html

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1417AA

Hope this helps
--
M

Re: Kerberos security

Ngoh Chean Siung — Tue, 11 Jan 2005 05:18:12 GMT

Hi,

Q1) There is no output after running these commands
# swlist | grep T1417AA
# ps -ef | grep kdcd

What does it mean? No software installed or ...?

Q2) Where is the location of kdcd? There is also no man for kdcd.

Q3) From which messages that you know my system is not using kerberos?

regards.

Re: Kerberos security

Michael Selvesteen_2 — Tue, 11 Jan 2005 06:45:09 GMT

Hello,

Q1) There is no output after running these commands
# swlist | grep T1417AA
# ps -ef | grep kdcd

What does it mean? No software installed or ...?

Yes..It means HP Kerberos server is not installed in your system.

http://docs.hp.com/en/B8725-90078/ch01.html

Q2) Where is the location of kdcd? There is also no man for kdcd.

In my system

# ps -ef | grep kdcd
root 658 621 0 12:28:05 ? 0:00 /opt/krb5/sbin/kdcd
root 14785 5352 0 19:36:20 pts/td 0:00 grep kdcd
root 621 1 0 12:28:04 ? 0:00 /opt/krb5/sbin/kdcd

It resides in /opt/krb5/sbin/kdcd

kdcd is a daemon that provides two services: the authentication service (AS) and the ticket-granting service (TGS).

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

Q3) From which messages that you know my system is not using kerberos?

I told your system has no HP kerberos server.
But there is number of kerberos clients, pam interfaces.... which are used by your applications for kerberos authentications and authorization.

FYI:

/etc/services

http://www.faqs.org/docs/securing/chap5sec40.html

Hope this helps

--
M

Re: Kerberos security

Ngoh Chean Siung — Tue, 11 Jan 2005 07:20:52 GMT

Hi,

Q1) But there is number of kerberos clients, pam interfaces.... which are used by your applications for kerberos authentications and authorization. Is all these services active/function now? How to check?

Q2) Since there is no kerberos server in my system, can I hash all the related kerberos services (kerberos clients, pam interfaces ...) in /etc/services and /etc/inetd.conf?

regards.