
Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos 



Using Kerberos with TCP/IP Services for OpenVMS, you can secure your Telnet connections between OpenVMS systems.

The minimum version of TCP/IP Services for OpenVMS necessary for Kerberized Telnet is Version 5.3. If you are using a version of TCP/IP Services for OpenVMS prior to Version 5.5, you must download the Kerberized Telnet client (TCPIP$TELNET.EXE) and server (TCPIP$TELNET_SERVER.EXE) kits from http://h71000.www7.hp.com/openvms/products/kerberos/

Important: If you download the Telnet client and server, you must copy TCPIP$TELNET.EXE and TCPIP$TELNET_SERVER.EXE to SYS$COMMON:[SYSEXE].

You do not need to run these files directly. They are executed when you first run Telnet after following the instructions below.

To "Kerberize" your Telnet connections, perform the following steps.

  1. Install and configure TCP/IP Services for OpenVMS Version 5.3 or higher.
  2. Install and configure Kerberos for OpenVMS. If you have already installed OpenVMS Version 7.3-2 or higher, Kerberos is part of the OpenVMS installation procedure. If you have an earlier version of OpenVMS installed, you can download the Kerberos for OpenVMS PCSI kit from the Kerberos web site at http://h71000.www7.hp.com/openvms/products/kerberos/
  3. Shut down Kerberos, if it is running, by entering the following command:
    $ @SYS$STARTUP:KRB$SHUTDOWN
  4. Configure TCP/IP Services for OpenVMS by entering the following command:
    $ @SYS$STARTUP:TCPIP$CONFIG
  5. Select #2, Client components, from the TCP/IP Configuration Menu:
         HP TCP/IP Services for OpenVMS Configuration Menu
     
         Configuration options:
     
              1  -  Core environment
              2  -  Client components
              3  -  Server components
              4  -  Optional components
     
              5  -  Shutdown HP TCP/IP Services for OpenVMS
              6  -  Startup HP TCP/IP Services for OpenVMS
              7  -  Run tests
     
              A  -  Configure options 1 - 4
             [E] -  Exit configuration procedure
     
         Enter configuration option: 2
  6. Ensure that the Telnet service is enabled. If Telnet is already enabled, skip to step 8. If Telnet is not currently enabled, select #6, Telnet, from the TCP/IP Configuration Menu:
         HP TCP/IP Services for OpenVMS Client Components Configuration Menu
     
         Configuration options:
     
              1  -  FTP              Enabled  Stopped
              2  -  NFS Client       Disabled Stopped
              3  -  REXEC and RSH    Enabled  Stopped
              4  -  RLOGIN           Enabled  Stopped
              5  -  SMTP             Disabled Stopped
              6  -  TELNET           Enabled  Stopped
              7  -  DHCP             Disabled Stopped
              8  -  Telnetsym        Disabled Stopped
     
              A  -  Configure options 1 - 8
             [E] -  Exit menu
     
            Enter configuration option: 6
  7. Select #1, Enable service on this node, from the TCP/IP Configuration Menu:
         TELNET configuration options:
     
                  1 - Enable service on this node
                  2 - Enable & Start service on this node
     
                 [E] - Exit TELNET configuration
     
         Enter configuration option: 1
  8. Select [E], Exit menu, from the TCP/IP Configuration Menu:
         Configuration options:
     
              1  -  FTP              Enabled  Started
              2  -  NFS Client       Disabled Stopped
              3  -  REXEC and RSH    Enabled  Started
              4  -  RLOGIN           Enabled  Started
              5  -  SMTP             Disabled Stopped
              6  -  TELNET           Enabled  Stopped
              7  -  DHCP             Disabled Stopped
              8  -  Telnetsym        Disabled Stopped
     
              A  -  Configure options 1 - 8
             [E] -  Exit menu
     
         Enter configuration option: E
  9. Select #4, Optional components, from the TCP/IP Configuration Menu:
          HP TCP/IP Services for OpenVMS Configuration Menu
     
          Configuration options:
     
              1  -  Core environment
              2  -  Client components
              3  -  Server components
              4  -  Optional components
     
              5  -  Shutdown HP TCP/IP Services for OpenVMS
              6  -  Startup HP TCP/IP Services for OpenVMS
              7  -  Run tests
     
              A  -  Configure options 1 - 4
             [E] -  Exit configuration procedure
     
         Enter configuration option: 4
  10. Select #4, Configure Kerberos Applications, from the TCP/IP Configuration Menu:
          HP TCP/IP Services for OpenVMS Optional Components Configuration Menu
     
          Configuration options:
     
              1  -  Configure PWIP Driver (for DECnet-Plus and PATHWORKS)
              2  -  Configure SRI QIO Interface (INET Driver)
              3  -  Set up Anonymous FTP Account and Directories
              4  -  Configure Kerberos Applications
     
              A  -  Configure options 1 - 4
             [E] -  Exit menu
     
         Enter configuration option: 4
  11. Select #1, Add Kerberos for TELNET server, from the TCP/IP Configuration Menu:
          Kerberos Applications Configuration Menu
     
          TELNET Kerberos is not defined in the TCPIP$SERVICE database.
     
          Configuration options:
     
                   1  -  Add Kerberos for TELNET server
                   2  -  Remove Kerberos for TELNET server
     
                  [E] -  Exit menu
     
         Enter configuration option: 1
  12. Select Exit three times to exit from each submenu of the TCP/IP Configuration Menu.
  13. If the system asks if you want to start Telnet now, answer NO.
          The following services are enabled but not started:
     
             TELNET
     
             Start these services now? [N] NO
     
             You may start services individually with:
     
             @SYS$STARTUP:TCPIP$_STARTUP.COM
  14. If Telnet is not already running, manually start Telnet by entering the following command:
          $ @SYS$STARTUP:TCPIP$TELNET_STARTUP.COM
     
          %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET_SERVER.EXE installed
          %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET.EXE installed
          %TCPIP-I-INFO, logical names created
          %TCPIP-I-INFO, telnet service enabled
          %TCPIP-I-INFO, telnet (kerberos) service enabled
          %TCPIP-S-STARTDONE, TCPIP$TELNET startup completed
  15. Start Kerberos by entering the following command:
    $ @SYS$STARTUP:KRB$STARTUP
  16. Verify that the Kerberos Telnet (KTELNET) service is enabled by entering the following command. (If, for some reason, KTELNET is Disabled, you can enable it via the $ TCPIP ENABLE SERVICE KTELNET command.)
          $ TCPIP SHOW SERV
     
          Service         Port  Proto    Process          Address        State
     
          FTP               21  TCP      TCPIP$FTP        0.0.0.0        Enabled
          KTELNET         2323  TCP      TCPIP$TELNET     0.0.0.0        Enabled
          REXEC            512  TCP      TCPIP$REXEC      0.0.0.0        Enabled
          RLOGIN           513  TCP      not defined      0.0.0.0        Enabled
          RSH              514  TCP      TCPIP$RSH        0.0.0.0        Enabled
          TELNET            23  TCP      not defined      0.0.0.0        Enabled
  17. An OpenVMS account and a corresponding Kerberos principal are required to use Kerberos Telnet. For each user, create a Kerberos principal that exactly matches (including case) its OpenVMS account name. Passwords do not need to match. You can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands.
          DCL:
     
          $ KERBEROS/ADMIN
          KerberosAdmin> login "SYSTEM/admin"
          Enter password:
          Authenticating as principal SYSTEM/admin with password.
          KerberosAdmin> list principal
          K/M@NODE1.Y.COM
          SYSTEM/admin@NODE1.Y.COM
          kadmin/admin@NODE1.Y.COM
          kadmin/changepw@NODE1.Y.COM
          kadmin/history@NODE1.Y.COM
          krbtgt/NODE1.Y.COM@NODE1.Y.COM
          KerberosAdmin> create principal "USER1"
          Authenticating as principal SYSTEM/admin with password.
          WARNING: no policy specified for USER1@OPNEAR.ZKO.DEC.COM; defaulting to
                   no policy
     
          Enter password for principal "USER1@NODE1.Y.COM":
          Re-enter password for principal "USER1@NODE1.Y.COM":
          Principal "USER1@NODE1.Y.COM" created.
          KerberosAdmin> list principal
          Authenticating as principal SYSTEM/admin with password.
          K/M@NODE1.Y.COM
          SYSTEM/admin@NODE1.Y.COM
          USER1@NODE1.Y.COM
          kadmin/admin@NODE1.Y.COM
          kadmin/changepw@NODE1.Y.COM
          kadmin/history@NODE1.Y.COM
          krbtgt/NODE1.Y.COM@NODE1.Y.COM
     
          UNIX:
     
          $ kinit "SYSTEM/admin"
          Password for SYSTEM/admin@NODE1.Y.COM:
          $ kadmin
          Authenticating as principal SYSTEM/admin@NODE1.Y.COM with password.
     
          Enter password:
          KADMIN: listprincs
          K/M@NODE1.Y.COM
          SYSTEM/admin@NODE1.Y.COM
          kadmin/admin@NODE1.Y.COM
          kadmin/changepw@NODE1.Y.COM
          kadmin/history@NODE1.Y.COM
          krbtgt/NODE1.Y.COM@NODE1.Y.COM
          KADMIN: addprinc "USER1"
          WARNING: no policy specified for USER1@OPNEAR.ZKO.DEC.COM; defaulting to
                   no policy
          Enter password for principal "USER1@NODE1.Y.COM":
          Re-enter password for principal "USER1@NODE1.Y.COM":
          Principal "USER1@NODE1.Y.COM" created.
          KADMIN: listprincs
          K/M@NODE1.Y.COM
          SYSTEM/admin@NODE1.Y.COM
          USER1@NODE1.Y.COM
          kadmin/admin@NODE1.Y.COM
          kadmin/changepw@NODE1.Y.COM
          kadmin/history@NODE1.Y.COM
          krbtgt/NODE1.Y.COM@NODE1.Y.COM
  18. Create the Kerberos host principal. Be sure to use the Fully Qualified Domain Name (FQDN) for the host, not the simple host name. You can use either DCL or UNIX-style commands to create the host principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands.
          DCL:
     
          KerberosAdmin> create principal/random "host/node1.x.y.com@NODE1.Y.COM"
          Authenticating as principal SYSTEM/admin@NODE1.Y.COM with password.
          Principal "host/node1.x.y.com@NODE1.Y.COM" created.
          KerberosAdmin> list principal
          Authenticating as principal SYSTEM/admin@NODE1.Y.COM with password.
          K/M@NODE1.Y.COM
          SYSTEM/admin@NODE1.Y.COM
          USER1@NODE1.Y.COM
          host/node1.x.y.com@NODE1.Y.COM
          kadmin/admin@NODE1.Y.COM
          kadmin/changepw@NODE1.Y.COM
          kadmin/history@NODE1.Y.COM
          krbtgt/NODE1.Y.COM@NODE1.Y.COM
          KerberosAdmin> create keytab "host/node1.x.y.com@NODE1.Y.COM"
          Authenticating as principal SYSTEM/admin@NODE1.Y.COM with password.
          KRB$KERBEROS: Entry for principal host/node1.x.y.com@NODE1.Y.COM with
          kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
          keytab WRFILE=krb$root:[etc]krb5.keytab.
     
          KRB$KERBEROS: Entry for principal host/node1.x.y.com@NODE1.Y.COM with
          kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
          WRFILE=krb$root:[etc]krb5.keytab.
     
          KerberosAdmin> list keytab
          Authenticating as principal SYSTEM/admin@NODE1.Y.COM with password.
          host/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: Triple DES cbc mode with
          HMAC/sha1)
          host/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: DES cbc mode with CRC-32)
          KerberosAdmin> exit
          $
     
          UNIX:
     
          KADMIN: addprinc -randkey "host/node1.x.y.com@NODE1.Y.COM"
          Authenticating as principal SYSTEM/admin@NODE1.Y.COM with password.
          Principal "host/node1.x.y.com@NODE1.Y.COM" created.
          KADMIN: listprincs
          K/M@NODE1.Y.COM
          SYSTEM/admin@NODE1.Y.COM
          USER1@NODE1.Y.COM
          host/node1.x.y.com@NODE1.Y.COM
          kadmin/admin@NODE1.Y.COM
          kadmin/changepw@NODE1.Y.COM
          kadmin/history@NODE1.Y.COM
          krbtgt/NODE1.Y.COM@NODE1.Y.COM
          KADMIN: ktadd "host/node1.x.y.com@NODE1.Y.COM"
          KRB$KADMIN: Entry for principal host/node1.x.y.com@NODE1.Y.COM with
          kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
          keytab WRFILE=krb$root:[etc]krb5.keytab.
     
          KRB$KADMIN: Entry for principal host/node1.x.y.com@NODE1.Y.COM with
          kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
          WRFILE=krb$root:[etc]krb5.keytab.
          KADMIN: ktlist
          host/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: Triple DES cbc mode with
          HMAC/sha1)
          host/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: DES cbc mode with CRC-32)
          KADMIN: exit
          $
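The two requirements in steps 17 and 18 (a principal whose name matches the OpenVMS account exactly, case included, and a host principal built from the FQDN rather than the short host name) can be checked against the output of list principal before users try to log in. The following Python check is an added example, not part of this manual; it works on a constructed copy of the list principal output above, with one extra lower-case entry (user2) and an assumed account list, rather than querying the KDC or SYSUAF.

```python
# Constructed "list principal" output modelled on the session above, plus one
# extra lower-case entry (user2) to show the case-mismatch case.
LIST_PRINCIPAL_OUTPUT = """\
K/M@NODE1.Y.COM
SYSTEM/admin@NODE1.Y.COM
USER1@NODE1.Y.COM
user2@NODE1.Y.COM
host/node1.x.y.com@NODE1.Y.COM
kadmin/admin@NODE1.Y.COM
kadmin/changepw@NODE1.Y.COM
kadmin/history@NODE1.Y.COM
krbtgt/NODE1.Y.COM@NODE1.Y.COM
"""
# Constructed OpenVMS account names (assumed input; AUTHORIZE would supply them).
OPENVMS_ACCOUNTS = ["USER1", "USER2", "USER3"]


def parse_principals(text):
    """Map principal name -> realm for each "name@REALM" line."""
    principals = {}
    for line in text.splitlines():
        name, sep, realm = line.strip().partition("@")
        if sep and name and realm:
            principals[name] = realm
    return principals


def check_user_principals(accounts, principals):
    """Step 17: the principal must match the account name exactly, case included.
    Returns account -> 'ok', 'case mismatch: <principal>' or 'missing'."""
    by_lower = {}
    for name in principals:
        by_lower.setdefault(name.lower(), name)
    report = {}
    for acct in accounts:
        if acct in principals:
            report[acct] = "ok"
        elif acct.lower() in by_lower:
            report[acct] = "case mismatch: " + by_lower[acct.lower()]
        else:
            report[acct] = "missing"
    return report


def check_host_principal(principals, fqdn):
    """Step 18: the host principal must be host/<FQDN>, not host/<short name>."""
    if "host/" + fqdn in principals:
        return "ok"
    short = "host/" + fqdn.split(".")[0]
    return "short host name: " + short if short in principals else "missing"
```

A "case mismatch" entry means kinit will succeed but the Telnet server will not map the principal to the OpenVMS account.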
  19. Set up the Kerberos symbols, if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM file:
    $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use Kerberos Telnet.

  1. Log into the OpenVMS system.
           Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3-2
     
           Username: user1
           Password:
  2. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter the following command at the DCL prompt each time you start a Kerberized application, such as TCP/IP Services for OpenVMS Telnet. You are then prompted for the password associated with the principal. (The -f denotes forwardable credentials.)
           $ kinit -f "USER1"
           password for user1@node1.y.com
  3. Enter the TELNET/AUTH command specifying Kerberos port 2323 to start the TELNET session, as follows:
           $ kinit -f "USER1"
           $ TELNET/AUTH NODE1 2323
           TELNET-I-TRYING, Trying ... 1.2.3.4
           %TELNET-I-SESSION, Session 01, host node1, port 2323
           -TELNET-I-ESCAPE, Escape character is ^]
           [ Kerberos V5 accepts you as ''user1.NODE1.Y.COM'' ]
  4. Optionally, enter the TELNET/AUTH/FORW command specifying Kerberos port 2323 to forward credentials. (Note: Forwarding credentials to non-OpenVMS servers works properly, but there is currently a problem in forwarding credentials to OpenVMS servers. This will be corrected in a future TCP/IP Services for OpenVMS ECO kit.)
           $ TELNET/AUTH/FORW NODE1 2323
           TELNET-I-TRYING, Trying ... 1.2.3.4
           %TELNET-I-SESSION, Session 01, host node1, port 2323
           -TELNET-I-ESCAPE, Escape character is ^]
           [Kerberos V5 accepts you as ''user1@NODE1.DEC.COM'' ]
           [ Kerberos V5 refuses authentication ]
  5. If you are using Kerberized Telnet to a non-OpenVMS system, the default port of 23 should be specified. Port 2323 is only used when contacting a Kerberized Telnet server on an OpenVMS system. This is because Telnet on OpenVMS currently uses different servers for regular and Kerberized Telnet.
