Kerberos for HP OpenVMS
Version 3.2
Installation and Configuration Guide

April 2011

Contents:

1.  Prerequisites
2.  Downloading the Kit
    Secure Delivery and Kerberos
3.  Installing and Configuring Kerberos on OpenVMS Integrity servers 
    and Alpha 8.2 and Later
    - Configure HP TCP/IP Services for OpenVMS to Change Hostname 
      Definition to Fully Qualified Domain Name
    - Configuring Kerberos for OpenVMS on OpenVMS 8.2 or Later
4.  Configuring Kerberos for Telnet and SSH
    - Configuring TCP/IP Services for OpenVMS SSH with Kerberos 
    - Configuring TCP/IP Services for OpenVMS Telnet with Kerberos 
5.  Configuring and Starting the Kerberos ACME Agent

  -------------------------------------------------------------

This document contains information about installing and configuring 
Kerberos for OpenVMS. 

For the latest documentation for the current version of Kerberos for 
OpenVMS, see the Kerberos for OpenVMS web site at:

http://h71000.www7.hp.com/openvms/products/kerberos/


   1.  Prerequisites
   -------------------------------------------------------------

Operating System

HP OpenVMS Industry Standard 64 Version 8.3 or later, or
HP OpenVMS Alpha Version 8.3 or later

TCP/IP Transport

HP TCP/IP Services for OpenVMS Version 5.6 or later 
(for Kerberos on OpenVMS Integrity servers and OpenVMS Alpha 
Version 8.3 or later)

If you are running a third-party TCP/IP network product such as 
MultiNet or TCPware from Process Software Corporation, contact your 
provider about running Kerberos Version 3.2 with their TCP/IP network 
product.


   2.  Downloading the Kit
   -------------------------------------------------------------

Kerberos Version 3.2 is included in the OpenVMS Version 8.3-1H1 
operating system distribution media.  If you are running OpenVMS 
Version 8.3, you can download and install Kerberos Version 3.2.

To download the Kerberos kit from the OpenVMS web site, fill out and 
submit the Kerberos for OpenVMS registration form at the following 
URL:

http://h71000.www7.hp.com/openvms/products/kerberos/


   Secure Delivery and Kerberos
   -------------------------------------------------------------

The Kerberos for OpenVMS kit is a self-extracting executable file 
containing a compressed .PCSI file and an associated encrypted, signed 
manifest (.*_ESW) file.

If you copy the Kerberos kit to another location, keep the Kerberos 
kit and manifest file in the same directory.  

If you are installing Kerberos on a version of OpenVMS earlier than 
Version 8.3, the manifest is ignored.


   3.  Installing and Configuring Kerberos on OpenVMS Version 8.2 or later
   -------------------------------------------------------------

Kerberos is automatically installed during the installation of OpenVMS 
Version  8.3 or later, or during an upgrade from a previous version 
of OpenVMS to Version 8.3 or later.  


   Configure HP TCP/IP Services for OpenVMS to Change Hostname 
   Definition to Fully Qualified Domain Name
   -------------------------------------------------------------

Before configuring or starting Kerberos, check the HP  TCP/IP Services 
for OpenVMS Local Host Database to determine whether your hostname 
definition is the short name (for example, node1) or the Fully 
Qualified Domain Name (FQDN) (for example, node1.hp.com). 

If your hostname definition is the short name, you must run 
TCPIP$CONFIG to change the definition to the fully qualified name. (If 
your hostname definition is the FQDN, continue to Configuring Kerberos 
for OpenVMS on OpenVMS Version 8.2 or later.)


   Configuring Kerberos for OpenVMS on OpenVMS 8.2 or later
   -------------------------------------------------------------

If you have not previously configured an earlier version of Kerberos 
on your system, you must run the configuration program before starting 
Kerberos.  If you are reconfiguring Kerberos on a system on which 
Kerberos was previously configured, you must enter the kdestroy command 
before you run the configuration command procedure 
SYS$STARTUP:KRB$CONFIGURE.COM.  The kdestroy command is defined in 
KRB$SYMBOLS.COM.

After you have a valid configuration, start Kerberos with the 
following command:

$ @SYS$STARTUP:KRB$STARTUP.COM

Example 1 shows a configuration log.

Example 1  Kerberos Configuration Log on OpenVMS

  $ @SYS$STARTUP:KRB$CONFIGURE

      Kerberos V3.2 for OpenVMS Configuration Menu

      Configuration options:

             1  -  Setup Client configuration
             2  -  Edit Client configuration

             3  -  Setup Server configuration
             4  -  Edit Server configuration

             5  -  Shutdown Servers
             6  -  Startup Servers

             E  -  Exit configuration procedure

      Enter Option: 1

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:

    Press Return to continue ...

      Kerberos V3.2 for OpenVMS Configuration Menu

      Configuration options:

             1  -  Setup Client configuration
             2  -  Edit Client configuration

             3  -  Setup Server configuration
             4  -  Edit Server configuration

             5  -  Shutdown Servers
             6  -  Startup Servers

             E  -  Exit configuration procedure

      Enter Option: 3

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:
    The type of roles the KDC can perform are:
        NO_KDC     -- where the KDC will not be run
        SINGLE_KDC -- where the KDC is the only one in the realm
        MASTER_KDC -- where the KDC is the master of 1 or more other KDCs
        SLAVE_KDC  -- where the KDC is slave to another KDC
    What will be the KDCs role on this node [ SINGLE_KDC ]:
    Create the OpenVMS Kerberos 5 database [ Y ]:

    Creating OpenVMS Kerberos 5 database ...
    Initializing database krb$root:[krb5kdc]principal for realm SYSTEM.ABC.XYZ.COM,
    master key name K/M@SYSTEM.ABC.XYZ.COM
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.

    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    Priority: info
    No dictionary file specified, continuing without one.

    Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:
    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with
    password.

    Enter password for principal "SYSTEM/admin@SYSTEM.ABC.XYZ.COM":
    Re-enter password for principal "SYSTEM/admin@SYSTEM.ABC.XYZ.COM":
    Principal "SYSTEM/admin@SYSTEM.ABC.XYZ.COM" created.
    Priority: info
    No dictionary file specified, continuing without one.
    WARNING: no policy specified for SYSTEM/admin@SYSTEM.ABC.XYZ.COM;
    defaulting to no policy
    Create OpenVMS Kerberos 5 principals [ Y ]: N
    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with
    password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption
    type Triple DES cbc mode with HMAC/sha1 added to keytab 
    WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption
    type DES cbc mode with CRC-32 added to keytab 
    WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with 
    password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, 
    encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
    WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3,
    encryption type DES cbc mode with CRC-32 added to keytab 
    WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    
    Press Return to continue ...

      Kerberos V3.2 for OpenVMS Configuration Menu

      Configuration options:

             1  -  Setup Client configuration
             2  -  Edit Client configuration

             3  -  Setup Server configuration
             4  -  Edit Server configuration

             5  -  Shutdown Servers
             6  -  Startup Servers

             E  -  Exit configuration procedure

      Enter Option: 6

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...

    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000060
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 00000061

    Press Return to continue ...

      Kerberos V3.2 for OpenVMS Configuration Menu

      Configuration options:

             1  -  Setup Client configuration
             2  -  Edit Client configuration

             3  -  Setup Server configuration
             4  -  Edit Server configuration

             5  -  Shutdown Servers
             6  -  Startup Servers

             E  -  Exit configuration procedure

      Enter Option: E


   4.  Configuring Kerberos for OpenVMS Telnet and OpenVMS SSH 
   -------------------------------------------------------------

Using Kerberos with TCP/IP SSH for OpenVMS or TCP/IP Telnet for 
OpenVMS, you can authenticate your SSH or Telnet connections between 
OpenVMS systems.

An OpenVMS account and a corresponding Kerberos principal are required 
to use both "Kerberized" Telnet and SSH. For each OpenVMS user you 
create, create a Kerberos principal that exactly matches (including 
case) its OpenVMS account name. Passwords do not need to match.

To configure Kerberos to use  TCP/IP SSH for OpenVMS or  TCP/IP Telnet 
for OpenVMS, or both, perform the following steps.  Then see Section 
2.7 or Section 2.8 and follow the instructions in the section that 
applies to you.

1.  Create the principal. For the Kerberos configuration, you can use 
either DCL or UNIX-style commands to create the principal.  

The first example below shows the DCL commands. The second example 
shows the UNIX-style commands. Both styles of commands are entered on 
an OpenVMS system.

     DCL:

     $ KERBEROS/ADMIN
     KerberosAdmin> login "SYSTEM/admin"
     Enter password:
     Authenticating as principal SYSTEM/admin with password.
     KerberosAdmin> list principal
     K/M@NODE1.HP.COM
     SYSTEM/admin@NODE1.HP.COM
     kadmin/admin@NODE1.HP.COM
     kadmin/changepw@NODE1.HP.COM
     kadmin/node1@NODE1.HP.COM
     kadmin/history@NODE1.HP.COM
     krbtgt/NODE1.HP.COM@NODE1.HP.COM
     KerberosAdmin> create principal "USER1"
     Authenticating as principal SYSTEM/admin with password.
     WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to
              no policy
     Enter password for principal "USER1@NODE1.HP.COM":
     Re-enter password for principal "USER1@NODE1.HP.COM":
     Principal "USER1@NODE1.HP.COM" created.
     KerberosAdmin> list principal
     Authenticating as principal SYSTEM/admin with password.
     K/M@NODE1.HP.COM
     SYSTEM/admin@NODE1.HP.COM
     USER1@NODE1.HP.COM
     kadmin/admin@NODE1.HP.COM
     kadmin/changepw@NODE1.HP.COM
     kadmin/node1@NODE1.HP.COM
     kadmin/history@NODE1.HP.COM
     krbtgt/NODE1.HP.COM@NODE1.HP.COM

     UNIX:

     $ kinit "SYSTEM/admin"
     Password for SYSTEM/admin@NODE1.HP.COM:
     $ kadmin
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     Enter password:
     KADMIN: listprincs
     K/M@NODE1.HP.COM
     SYSTEM/admin@NODE1.HP.COM
     kadmin/admin@NODE1.HP.COM
     kadmin/changepw@NODE1.HP.COM
     kadmin/node1@NODE1.HP.COM
     kadmin/history@NODE1.HP.COM
     krbtgt/NODE1.HP.COM@NODE1.HP.COM
     KADMIN: addprinc "USER1"
     WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting 
     to no policy
     Enter password for principal "USER1@NODE1.HP.COM":
     Re-enter password for principal "USER1@NODE1.HP.COM":
     Principal "USER1@NODE1.HP.COM" created.
     KADMIN: listprincs
     K/M@NODE1.HP.COM
     SYSTEM/admin@NODE1.HP.COM
     USER1@NODE1.HP.COM
     kadmin/admin@NODE1.HP.COM
     kadmin/changepw@NODE1.HP.COM
     kadmin/node1@NODE1.HP.COM
     kadmin/history@NODE1.HP.COM
     krbtgt/NODE1.HP.COM@NODE1.HP.COM

2.  Create the Kerberos host principals.  For the Kerberos 
configuration, you can use either DCL or UNIX-style commands to create 
the principal.  The first example below shows the DCL commands. The 
second example shows the UNIX-style commands. 

     DCL:

     KerberosAdmin> create principal/random "host/node1.hp.com@NODE1.HP.COM"
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     Principal "host/node1.hp.com@NODE1.HP.COM" created.
     KerberosAdmin> create principal/random "host/node1@NODE1.HP.COM"
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     Principal "host/node1@NODE1.HP.COM" created.     
     KerberosAdmin> list principal
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     K/M@NODE1.HP.COM
     SYSTEM/admin@NODE1.HP.COM
     USER1@NODE1.HP.COM
     host/node1.hp.com@NODE1.HP.COM
     host/node1@NODE1.HP.COM
     kadmin/admin@NODE1.HP.COM
     kadmin/changepw@NODE1.HP.COM
     kadmin/history@NODE1.HP.COM
     krbtgt/NODE1.HP.COM@NODE1.HP.COM
     KerberosAdmin> create keytab "host/node1.hp.com@NODE1.HP.COM"
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with
     kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
     keytab WRFILE=krb$root:[etc]krb5.keytab.
     KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with
     kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
     WRFILE=krb$root:[etc]krb5.keytab.
     KerberosAdmin> create keytab "host/node1@NODE1.HP.COM" 
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with
     kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
     keytab WRFILE=krb$root:[etc]krb5.keytab.

     KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with
     kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
     WRFILE=krb$root:[etc]krb5.keytab.

     KerberosAdmin> list keytab
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode
     with HMAC/sha1)
     host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode 
     with CRC-32)
     host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
     HMAC/sha1)
     host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
     KerberosAdmin> exit
     $

     UNIX:

     KADMIN: addprinc -randkey "host/node1.hp.com@NODE1.HP.COM"
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     Principal "host/node1.hp.com@NODE1.HP.COM" created.
     KADMIN: addprinc -randkey "host/node1@NODE1.HP.COM"
     Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
     Principal "host/node1@NODE1.HP.COM" created.
     KADMIN: listprincs
     K/M@NODE1.HP.COM
     SYSTEM/admin@NODE1.HP.COM
     USER1@NODE1.HP.COM
     host/node1.hp.com@NODE1.HP.COM
     host/node1@NODE1.HP.COM
     kadmin/admin@NODE1.HP.COM
     kadmin/changepw@NODE1.HP.COM
     kadmin/history@NODE1.HP.COM
     krbtgt/NODE1.HP.COM@NODE1.HP.COM
     KADMIN: ktadd "host/node1.hp.com@NODE1.HP.COM"
     KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with
     kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
     keytab WRFILE=krb$root:[etc]krb5.keytab.

     KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with
     kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
     WRFILE=krb$root:[etc]krb5.keytab.
     KADMIN: ktadd "host/node1@NODE1.HP.COM"
     KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with
     kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
     keytab WRFILE=krb$root:[etc]krb5.keytab.

     KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with
     kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
     WRFILE=krb$root:[etc]krb5.keytab.
     KADMIN: ktlist
     host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode
     with HMAC/sha1)
     host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode 
     with CRC-32)
     host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
     HMAC/sha1)
     host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
     KADMIN: exit
     $
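
To check the two rules above (a principal that matches each OpenVMS 
account name exactly, including case, and both host/ principals for 
the node) against what the KDC actually holds, here is an added Python 
example that is not part of the HP guide or the Kerberos for OpenVMS 
kit. It parses the kind of "list principal" / "listprincs" output shown 
in steps 1 and 2; the sample output, the account list and the realm 
are constructed.

```python
"""Cross-check Kerberos principals against OpenVMS accounts.

Added example, not part of the HP guide or the Kerberos for OpenVMS kit.
It parses the kind of 'list principal' / 'listprincs' output shown in
steps 1 and 2 and applies the two rules the guide gives:
  * each OpenVMS account that will use Kerberized SSH or Telnet needs a
    principal whose name matches the account name exactly, including case;
  * the node needs both host/<fqdn> and host/<short name> principals.
"""
import re

# Constructed sample, modelled on the listprincs output in step 2.  The
# lower-case 'user2' and the missing host/node1 are deliberate defects.
LISTPRINCS_OUTPUT = """\
Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
K/M@NODE1.HP.COM
SYSTEM/admin@NODE1.HP.COM
USER1@NODE1.HP.COM
user2@NODE1.HP.COM
host/node1.hp.com@NODE1.HP.COM
kadmin/admin@NODE1.HP.COM
kadmin/changepw@NODE1.HP.COM
kadmin/history@NODE1.HP.COM
krbtgt/NODE1.HP.COM@NODE1.HP.COM
"""

# One principal per line: name (optionally with an instance after '/'),
# then '@', then the realm.  Chatter lines contain spaces and do not match.
PRINCIPAL_RE = re.compile(r"^(\S+?)@([A-Za-z0-9.\-]+)$")


def parse_principals(output):
    """Return {principal_name: realm} for every principal line in the output."""
    principals = {}
    for line in output.splitlines():
        match = PRINCIPAL_RE.match(line.strip())
        if match:
            principals[match.group(1)] = match.group(2)
    return principals


def check_user_principals(accounts, principals, realm):
    """Map each OpenVMS account name to 'ok', 'missing' or
    'case-mismatch:<principal>'.  A case mismatch (account USER2, principal
    user2) is exactly the failure the guide warns about: the names must
    match including case, so USER2 could not log in with Kerberos."""
    by_lower = {name.lower(): name for name in principals if "/" not in name}
    result = {}
    for account in accounts:
        if principals.get(account) == realm:
            result[account] = "ok"
        elif account.lower() in by_lower:
            result[account] = "case-mismatch:" + by_lower[account.lower()]
        else:
            result[account] = "missing"
    return result


def check_host_principals(fqdn, principals, realm):
    """Return the host/ service principals the guide creates (step 2) that
    are not present in the realm."""
    short_name = fqdn.split(".")[0]
    wanted = ["host/" + fqdn, "host/" + short_name]
    return [name for name in wanted if principals.get(name) != realm]


if __name__ == "__main__":
    found = parse_principals(LISTPRINCS_OUTPUT)
    realm = "NODE1.HP.COM"
    # Constructed list of OpenVMS accounts that should have principals.
    accounts = ["USER1", "USER2", "USER3"]
    for account, status in check_user_principals(accounts, found, realm).items():
        print("%-8s %s" % (account, status))
    for name in check_host_principals("node1.hp.com", found, realm):
        print("missing service principal:", name)
```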


   Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos
   -------------------------------------------------------------
  
Using Kerberos with TCP/IP SSH for OpenVMS, you can authenticate your 
SSH connections between OpenVMS systems.

The minimum version of TCP/IP Services for OpenVMS necessary for 
Kerberized SSH is Version 5.6.

To "Kerberize" your SSH connections, perform the following steps.

1.  Install and configure TCP/IP Services for OpenVMS Version 5.6 or 
later.

2.  Install and configure Kerberos for OpenVMS.  

If you have already installed OpenVMS Version 7.3-2 or later, 
Kerberos is part of the OpenVMS installation procedure.  If you have 
an earlier version of OpenVMS installed, you can download the Kerberos 
for OpenVMS PCSI kit from the Kerberos web site at 
http://h71000.www7.hp.com/openvms/products/kerberos/

3.  Shut down Kerberos, if it is running, by entering the following 
command:

$ @SYS$STARTUP:KRB$SHUTDOWN

4.  Configure TCP/IP Services for OpenVMS by entering the following 
command: 

$ @SYS$STARTUP:TCPIP$CONFIG

5.  Select #2, Client components, from the TCP/IP Configuration Menu:

HP TCP/IP Services for OpenVMS Configuration Menu

Configuration options:

  1  -  Core environment
  2  -  Client components
  3  -  Server components
  4  -  Optional components

  5  -  Shutdown HP TCP/IP Services for OpenVMS
  6  -  Startup HP TCP/IP Services for OpenVMS
  7  -  Run tests

  A  -  Configure options 1 - 4
 [E] -  Exit configuration procedure

Enter configuration option: 2

6.  Ensure that the SSH Client and Server services are enabled. Select 
#7, SSH Client, from the TCP/IP Configuration Menu:

HP TCP/IP Services for OpenVMS Client Components Configuration Menu

Configuration options:

         1  -  DHCP Client      Disabled Stopped
         2  -  FTP Client       Enabled  Started
         3  -  NFS Client       Disabled Stopped
         4  -  REXEC and RSH    Enabled  Started
         5  -  RLOGIN           Enabled  Started
         6  -  SMTP             Disabled Stopped
         7  -  SSH Client       Disabled Stopped
         8  -  TELNET           Enabled  Started
         9  -  TELNETSYM        Disabled Stopped

         A  -  Configure options 1 - 9
        [E] -  Exit menu

Enter configuration option: 7

7.  Select #2, Enable service on this node, from the TCP/IP 
Configuration Menu. Type YES when it asks if you want to configure the 
SSH SERVER. If SSH is already enabled, skip to step 9.

SSH CLIENT configuration options:

         1 - Enable service on all nodes
         2 - Enable service on this node

         3 - Stop service on this node

        [E] - Exit SSH_CLIENT configuration

Enter configuration option: 2

The SSH SERVER is enabled.

* Do you want to configure SSH SERVER [NO]: YES

8.  Select #2, Enable Service on this node, from the TCP/IP 
Configuration Menu.  Press return to select the default or type YES to 
create a new default server host key.

SSH configuration options:

         1 - Enable service on all nodes
         2 - Enable service on this node

         3 - Stop service on this node

        [E] - Exit SSH configuration

Enter configuration option: 2

* Create a new default server host key? [YES]: YES
Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY
Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB

9.  Select Exit twice to exit from each submenu of the TCP/IP 
Configuration Menu. 

10.  If the system asks if you want to start SSH now, answer NO. 

The following services are enabled but not started:

 SSH, SSH_CLIENT

 * Start these services now? [N] NO

 You may start services individually with:

 @SYS$STARTUP:TCPIP$<service>_STARTUP.COM

11.  If SSH is not already running, manually start the SSH client and 
server by entering the following commands:

$ @SYS$STARTUP:TCPIP$SSH_STARTUP.COM
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSHD2.EXE installed
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP-SERVER2.EXE installed
%TCPIP-I-INFO, logical names created
%TCPIP-I-INFO, service enabled
%TCPIP-S-STARTDONE, TCPIP$SSH startup completed

$ @SYS$STARTUP:TCPIP$ssh_client_STARTUP.COM
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SCP2.EXE installed
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP2.EXE installed 
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE installed
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE installed
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE installed
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-SIGNER2.EXE installed
%TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH2.EXE installed
%TCPIP-I-INFO, logical names created
%TCPIP-S-STARTDONE, TCPIP$SSH_CLIENT startup completed

12.  Start Kerberos by entering the following command:

$ @SYS$STARTUP:KRB$STARTUP

13.  Verify that the SSH service is enabled by entering the following 
command:

$ TCPIP SHOW SERV

Service         Port  Proto    Process          Address        State

FTP               21  TCP      TCPIP$FTP        0.0.0.0        Enabled
REXEC            512  TCP      TCPIP$REXEC      0.0.0.0        Enabled
RLOGIN           513  TCP      not defined      0.0.0.0        Enabled
RSH              514  TCP      TCPIP$RSH        0.0.0.0        Enabled
SSH               22  TCP      TCPIP$SSH        0.0.0.0        Enabled
TELNET            23  TCP      not defined      0.0.0.0        Enabled

14.  Modify the following SSH configuration files to enable the 
Kerberos authentication methods:

SYS$SYSDEVICE:[000000.TCPIP$SSH.SSH2]
        SSH2_CONFIG.           (SSH client)
        SSHD2_CONFIG.          (SSH server)

In each file, under the 'Authentication' section, you must add the 
Kerberos authentication methods you would like to use.  Following is 
an example that uses all three methods, plus the regular methods.  
Make sure you indent and space as the example in the file shows:

AllowedAuthentications      gssapi-with-mic, kerberos-2@ssh.com,
                            kerberos-tgt-2@ssh.com, publickey,
                            password, hostbased

You should only have one AllowedAuthentications line uncommented.  If 
there are others that are uncommented, comment them out with a # sign 
as shown below:

#   AllowedAuthentications       publickey, keyboard-interactive, password
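
As an added check for step 14 (example code, not part of the guide or 
of TCP/IP Services for OpenVMS), the following Python parses the 
Authentication section of SSH2_CONFIG or SSHD2_CONFIG and reports 
whether exactly one AllowedAuthentications line is active and which 
Kerberos methods it enables. It assumes, following the layout of the 
example above, that a value ending in a comma continues on the next 
indented line; the sample configuration text is constructed.

```python
"""Validate the AllowedAuthentications setting in SSH2_CONFIG / SSHD2_CONFIG.

Added example, not part of the HP guide or of TCP/IP Services for OpenVMS.
It checks the two conditions step 14 gives: exactly one uncommented
AllowedAuthentications line, and the Kerberos methods you want listed on it.
Assumption about the file layout (modelled on the guide's example): a value
that ends with a comma continues on the next, indented line.
"""

KERBEROS_METHODS = ("gssapi-with-mic", "kerberos-2@ssh.com",
                    "kerberos-tgt-2@ssh.com")

# Constructed sample of the Authentication section.  The second, still
# active AllowedAuthentications line is the mistake the guide tells you to
# comment out.
SAMPLE_CONFIG = """\
## Authentication

    AllowedAuthentications      gssapi-with-mic, kerberos-2@ssh.com,
                                kerberos-tgt-2@ssh.com, publickey,
                                password, hostbased
    AllowedAuthentications      publickey, keyboard-interactive, password
#   AllowedAuthentications      publickey, keyboard-interactive, password
    RequiredAuthentications
"""

# The same section after the extra line has been commented out with '#'.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "\n    AllowedAuthentications      publickey,",
    "\n#   AllowedAuthentications      publickey,", 1)


def parse_settings(text):
    """Return a list of (keyword, value, commented) tuples, joining
    continuation lines onto the keyword line they belong to."""
    settings = []
    pending = None  # (keyword, value, commented) still collecting a continuation
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        if pending is not None:
            keyword, value, was_commented = pending
            value = value + " " + body
            pending = None
            if value.endswith(","):
                pending = (keyword, value, was_commented)
            else:
                settings.append((keyword, value, was_commented))
            continue
        parts = body.split(None, 1)
        if not parts:
            continue
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if value.endswith(","):
            pending = (keyword, value, commented)
        else:
            settings.append((keyword, value, commented))
    if pending is not None:
        settings.append(pending)
    return settings


def split_methods(value):
    """'a, b,c' -> ['a', 'b', 'c']"""
    return [m.strip() for m in value.split(",") if m.strip()]


def check_allowed_authentications(text, wanted=KERBEROS_METHODS):
    """Report the active AllowedAuthentications method list and any problems."""
    active = [split_methods(value)
              for keyword, value, commented in parse_settings(text)
              if keyword == "AllowedAuthentications" and not commented]
    methods = active[0] if active else []
    missing = [m for m in wanted if m not in methods]
    problems = []
    if not active:
        problems.append("no uncommented AllowedAuthentications line")
    elif len(active) > 1:
        problems.append("%d uncommented AllowedAuthentications lines; "
                        "keep exactly one" % len(active))
    if missing:
        problems.append("Kerberos methods not enabled: " + ", ".join(missing))
    return {"active_lines": len(active), "methods": methods,
            "missing": missing, "problems": problems}


if __name__ == "__main__":
    for label, text in (("as found", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        report = check_allowed_authentications(text)
        print(label, report["methods"], report["problems"] or "OK")
```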

15.  Add the following lines to SYS$MANAGER:SYSTARTUP_VMS.COM to 
install the 32-bit Kerberos images at boot time.  They are needed for 
the Kerberos-based functionality with SSH:

$ INSTALL CREATE SYS$SHARE:KRB$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED
$ INSTALL CREATE SYS$SHARE:GSS$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED

16.  If you are using TCP/IP Version 5.6 and Kerberos Version 2.1 and 
want to use the gssapi-with-mic authentication method with SSH, you 
must define the  following system logical:

$ DEFINE/SYSTEM TCPIP$SSH_KRBRTL_HACK 1

17.  Set up the Kerberos symbols, if you have not already done so. Add 
the following command to the SYS$MANAGER:SYLOGIN.COM file.

$ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use 
Kerberized SSH.

A.  Log into the OpenVMS system.

Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

Username: user1
Password:

B.  Perform a kinit with the principal name that matches the OpenVMS  
username. To do so, enter one of the following commands at the DCL 
prompt each time you start a Kerberized application, such as TCP/IP 
Services for OpenVMS SSH. You are then prompted for the password 
associated with the principal. (The -f is required for the 
kerberos-tgt-2 authentication method.)

$ kinit -f "USER1"
password for user1@NODE1.HP.COM

$ kinit "USER1"
password for user1@NODE1.HP.COM

C.  Enter the SSH command specifying the Kerberos authentication 
method to use and the hostname as follows:

$ ssh -o"AllowedAuthentications gssapi-with-mic" node1
Authentication successful.

Welcome to OpenVMS (TM) Operating System, Version 8.3

$ ssh -o"AllowedAuthentications kerberos-2@ssh.com" node1
Authentication successful.

Welcome to OpenVMS (TM)  Operating System, Version 8.3

$ ssh -o"AllowedAuthentications kerberos-tgt-2@ssh.com" node1
Authentication successful.

Welcome to OpenVMS (TM) Operating System, Version 8.3

$

D.  See the HP TCP/IP Services for OpenVMS Guide to SSH for more 
information about configuring SSH and troubleshooting.


   Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos
   -------------------------------------------------------------

Using Kerberos with TCP/IP KTELNET for OpenVMS, you can authenticate 
your Telnet connections between OpenVMS systems.

To "Kerberize" your Telnet connections, perform the following steps.

1.  Install and configure TCP/IP Services for OpenVMS Version 5.3 or 
later.

2.  Install and configure Kerberos for OpenVMS. If you have already 
installed OpenVMS Version 7.3-2 or later, Kerberos is part of the 
OpenVMS installation procedure.  

3.  Shut down Kerberos, if it is running, by entering the following 
command:

$ @SYS$STARTUP:KRB$SHUTDOWN

4.  Configure TCP/IP Services for OpenVMS by entering the following 
command:

$ @SYS$STARTUP:TCPIP$CONFIG

5.  Select #2, Client components, from the TCP/IP Configuration Menu:

     HP TCP/IP Services for OpenVMS Configuration Menu

     Configuration options:

          1  -  Core environment
          2  -  Client components
          3  -  Server components
          4  -  Optional components

          5  -  Shutdown HP TCP/IP Services for OpenVMS
          6  -  Startup HP TCP/IP Services for OpenVMS
          7  -  Run tests

          A  -  Configure options 1 - 4
         [E] -  Exit configuration procedure

     Enter configuration option: 2

6.  Ensure that the Telnet service is stopped. If Telnet is already 
stopped, skip to step 8. If Telnet is not currently stopped, select 
#8, Telnet, from the TCP/IP  Configuration Menu:

     HP TCP/IP Services for OpenVMS Client Components Configuration Menu

     Configuration options:

                 1  -  DHCP Client      Disabled Stopped
                 2  -  FTP Client       Enabled  Started
                 3  -  NFS Client       Disabled Stopped
                 4  -  REXEC and RSH    Enabled  Started
                 5  -  RLOGIN           Enabled  Started
                 6  -  SMTP             Disabled Stopped
                 7  -  SSH Client       Enabled  Started
                 8  -  TELNET           Enabled  Started
                 9  -  TELNETSYM        Disabled Stopped

                 A  -  Configure options 1 - 9
                [E] -  Exit menu

     Enter configuration option: 8

NOTE:  You must stop the Telnet service before you can begin to 
configure Kerberized Telnet.  Stopping the Telnet service disconnects 
current Telnet sessions.

7.  Select #3, Stop service on this node, from the TCP/IP 
Configuration Menu:

     TELNET configuration options:

                 1 - Enable service on all nodes
                 2 - Enable service on this node

                 3 - Stop service on this node

                [E] - Exit TELNET configuration

     Enter configuration option: 3

8.  Select [E], Exit menu, from the TCP/IP Configuration Menu:

     Configuration options:

                 1  -  DHCP Client      Disabled Stopped
                 2  -  FTP Client       Enabled  Started
                 3  -  NFS Client       Disabled Stopped
                 4  -  REXEC and RSH    Enabled  Started
                 5  -  RLOGIN           Enabled  Started
                 6  -  SMTP             Disabled Stopped
                 7  -  SSH Client       Enabled  Started
                 8  -  TELNET           Enabled  Stopped
                 9  -  TELNETSYM        Disabled Stopped

                 A  -  Configure options 1 - 9
                [E] -  Exit menu

     Enter configuration option: E

9.  Select #4, Optional components, from the TCP/IP Configuration Menu:

      HP TCP/IP Services for OpenVMS Configuration Menu

      Configuration options:

          1  -  Core environment
          2  -  Client components
          3  -  Server components
          4  -  Optional components

          5  -  Shutdown HP TCP/IP Services for OpenVMS
          6  -  Startup HP TCP/IP Services for OpenVMS
          7  -  Run tests

          A  -  Configure options 1 - 4
         [E] -  Exit configuration procedure

     Enter configuration option: 4

10.  Select #4, Configure Kerberos Applications, from the TCP/IP 
Configuration Menu:

      HP TCP/IP Services for OpenVMS Optional Components Configuration Menu

      Configuration options:

          1  -  Configure PWIP Driver (for DECnet-Plus and PATHWORKS)
          2  -  Configure SRI QIO Interface (INET Driver)
          3  -  Set up Anonymous FTP Account and Directories
          4  -  Configure Kerberos Applications
          5  -  Configure failSAFE IP

          A  -  Configure options 1 - 5
         [E] -  Exit menu

     Enter configuration option: 4

11.  Select #1, Add Kerberos for TELNET server, from the TCP/IP 
Configuration Menu:

      Kerberos Applications Configuration Menu

      TELNET Kerberos is not defined in the TCPIP$SERVICE database.

      Configuration options:

               1  -  Add Kerberos for TELNET server
               2  -  Remove Kerberos for TELNET server

              [E] -  Exit menu

     Enter configuration option: 1

12.  Select Exit three times to exit from the submenus of the TCP/IP
     Configuration Menu.

13.  If the system asks if you want to start Telnet now, answer NO.

         The following services are enabled but not started:

         TELNET

         Start these services now? [N] NO

         You may start services individually with:

         @SYS$STARTUP:TCPIP$<service>_STARTUP.COM

14.  Manually start Telnet by entering the following command:

      $ @SYS$STARTUP:TCPIP$TELNET_STARTUP.COM

      %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET_SERVER.EXE installed
      %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET.EXE installed
      %TCPIP-I-INFO, logical names created
      %TCPIP-I-INFO, telnet service enabled
      %TCPIP-I-INFO, telnet (kerberos) service enabled
      %TCPIP-S-STARTDONE, TCPIP$TELNET startup completed

15.  Start Kerberos by entering the following command:

     $ @SYS$STARTUP:KRB$STARTUP

16.  Verify that the Kerberos Telnet (KTELNET) service is enabled by 
entering the following command. (If KTELNET is disabled, you can 
enable it using the $ TCPIP ENABLE SERVICE KTELNET command.)

      $ TCPIP SHOW SERV

      Service         Port  Proto    Process          Address        State

      FTP               21  TCP      TCPIP$FTP        0.0.0.0        Enabled
      KTELNET         2323  TCP      TCPIP$TELNET     0.0.0.0        Enabled
      REXEC            512  TCP      TCPIP$REXEC      0.0.0.0        Enabled
      RLOGIN           513  TCP      not defined      0.0.0.0        Enabled
      RSH              514  TCP      TCPIP$RSH        0.0.0.0        Enabled
      SSH               22  TCP      TCPIP$SSH        0.0.0.0        Enabled
      TELNET            23  TCP      not defined      0.0.0.0        Enabled

17.  Set up the Kerberos symbols, if you have not already done so. Add 
the following command to the SYS$MANAGER:SYLOGIN.COM file.

     $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use 
Kerberized Telnet.

A.  Log into the OpenVMS system.

       Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3-1H1

       Username: user1
       Password:

B.  Perform a kinit with the principal name that matches the OpenVMS 
username. 

To do so, enter the following command at the DCL prompt each time you 
start a Kerberized application, such as TCP/IP Services for OpenVMS 
Telnet. You are then prompted for the password associated with the 
principal. (The -f denotes forwardable credentials.)

       $ kinit -f "USER1"
       password for user1@node1.hp.com

C.  Enter the TELNET/AUTH command specifying Kerberos port 2323 to 
start the TELNET session, as follows:

       $ kinit -f "USER1"
       $ TELNET/AUTH NODE1 2323
       TELNET-I-TRYING, Trying ... 1.2.3.4
       %TELNET-I-SESSION, Session 01, host node1, port 2323
       -TELNET-I-ESCAPE, Escape character is ^]
       [ Kerberos V5 accepts you as 
       user1.NODE1.HP.COM

D.  Optionally, enter the TELNET/AUTH/FORW command specifying Kerberos 
port 2323 to forward credentials. (Note: Forwarding credentials to 
non-OpenVMS servers works properly, but there is currently a problem 
in forwarding credentials to OpenVMS servers. This will be corrected 
in a future TCP/IP Services for OpenVMS ECO kit.)

       $ TELNET/AUTH/FORW NODE1 2323
       TELNET-I-TRYING, Trying ... 1.2.3.4
       %TELNET-I-SESSION, Session 01, host node1, port 2323
       -TELNET-I-ESCAPE, Escape character is ^]
       [Kerberos V5 accepts you as user1@NODE1.HP.COM ]
       [ Kerberos V5 refuses authentication ]

E.  If you are using Kerberized Telnet to a non-OpenVMS system, the 
default port of 23 should be specified.  Port 2323 is only used when  
contacting a Kerberized Telnet server on an OpenVMS system.  This is 
because Telnet on OpenVMS currently uses different servers for regular 
and Kerberized Telnet.


   5. Configuring and Starting the Kerberos ACME Agent
   -------------------------------------------------------------

HP OpenVMS Version 8.3-1H1 includes images for the Kerberos ACME 
agent. The Kerberos ACME agent is an addition to the existing Kerberos 
authentication provided by the Kerberos utilities.  The Kerberos ACME 
provides functionality similar to the pam_krb5 utility on UNIX systems 
using Kerberos. 

To use Kerberos with previous versions of OpenVMS, you needed to log 
in twice:  once to log in to OpenVMS itself, and once to obtain 
Kerberos credentials.  Both logins required a username and password. 

With the Kerberos ACME agent, you can obtain your Kerberos credentials 
as part of the OpenVMS login process.  The user authentication is 
processed against the Kerberos KDC database instead of against the 
OpenVMS User Authorization File (UAF). 

After you install and configure Kerberos Version 3.2, perform the 
following steps to configure and start the Kerberos ACME agent.

1.  Install ACME Login from a privileged account. OpenVMS Version 
8.3-1H1 includes images for ACME Login.  See the file 
SYS$HELP:ACME_DEV_README.TXT for information about installation and 
set up. 

2.  Install the Kerberos persona extension by entering the following 
commands:

   $ MCR SYSMAN 
   SYSMAN> SYS_LOADABLE ADD/LOG KERBEROS KRB$ACME_KRB_PERSONA_EXT 
   %SYSMAN-I-IMGADDED, added image KRB$ACME_KRB_PERSONA_EXT for 
    product KERBEROS

   $ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM

3.  Reboot the system.  This is required one time only, after you have 
installed the Kerberos persona extension.

4.  To start the Kerberos ACME agent automatically, edit the file 
SYS$MANAGER:ACME$START.COM to uncomment the following line:

   $! @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME

5.  Edit the file SYSTARTUP_VMS.COM to include the following command 
after all dependent software is started:

   $ SET SERVER ACME/RESTART

6.  Create an OpenVMS account with the EXTAUTH flag and a default device
and directory set.
(NOTE:  After authentication completes, the Kerberos ACME agent creates 
the ticket cache in the user's login directory, so that directory must 
exist and be writable by the account.)
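The following DCL command procedure is an added example of step 6; it is 
not part of the HP guide.  The UIC [300,1], the device SYS$SYSDEVICE: and 
the directory [ACMEUSER] are assumed values, and the /PASSWORD value is a 
placeholder: with EXTAUTH set, the login password is checked against the 
Kerberos KDC, not against the UAF entry, so the UAF password is never used 
for interactive login.  Run it from a privileged account.

```dcl
$! Added example, not from the HP Kerberos for OpenVMS guide.
$! Assumed site values: UIC [300,1], device SYS$SYSDEVICE:, directory [ACMEUSER].
$!
$! 1. Create the UAF record.  Lines without a leading "$" are read by
$!    AUTHORIZE as its input.  The account name is upper case here; the
$!    Kerberos principal created in step 7 must match it exactly.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD ACMEUSER /OWNER="Kerberos ACME user" /UIC=[300,1] /DEVICE=SYS$SYSDEVICE: /DIRECTORY=[ACMEUSER] /FLAGS=(EXTAUTH) /PASSWORD=PLACEHOLDER-PASSWORD
EXIT
$!
$! 2. Create the login directory, owned by the new account.  The ACME agent
$!    writes the Kerberos ticket cache here after a successful login, so the
$!    directory must exist before the first login attempt.
$ CREATE/DIRECTORY/OWNER_UIC=[300,1] SYS$SYSDEVICE:[ACMEUSER]
$!
$! 3. Confirm that the record carries the EXTAUTH flag and the expected
$!    default device and directory before creating the matching principal.
$ RUN SYS$SYSTEM:AUTHORIZE
SHOW ACMEUSER
EXIT
$ EXIT
```

The SHOW output should list EXTAUTH under "Flags:"; if it does not, the 
login in step 9 is validated against the UAF password rather than the KDC, 
and the ACME logon message will not appear.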

7.  Create a Kerberos principal name that exactly matches (including 
case) the OpenVMS account name created in step 6.  Passwords do not 
need to match.  For the Kerberos configuration, you can use either DCL 
or UNIX-style commands to create the principal.  

The first example below shows the DCL commands. The second example 
shows the UNIX-style commands.  Both styles of commands are entered on 
an OpenVMS system.

     DCL:

     $ KERBEROS/ADMIN
     KerberosAdmin> login "SYSTEM/admin"
     Enter password:
     Authenticating as principal SYSTEM/admin with password.
     KerberosAdmin> list principal
     K/M@NODE1.DOMAIN1.COM
     SYSTEM/admin@NODE1.DOMAIN1.COM
     kadmin/admin@NODE1.DOMAIN1.COM
     kadmin/changepw@NODE1.DOMAIN1.COM
     kadmin/node1@NODE1.DOMAIN1.COM
     kadmin/history@NODE1.DOMAIN1.COM
     krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM
     KerberosAdmin> create principal "ACMEUSER"
     Authenticating as principal SYSTEM/admin with password.
     WARNING: no policy specified for ACMEUSER@NODE1.DOMAIN1.COM;
     defaulting to no policy
     Enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
     Re-enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
     Principal "ACMEUSER@NODE1.DOMAIN1.COM" created.
     KerberosAdmin> list principal
     Authenticating as principal SYSTEM/admin with password.
     K/M@NODE1.DOMAIN1.COM
     SYSTEM/admin@NODE1.DOMAIN1.COM
     ACMEUSER@NODE1.DOMAIN1.COM
     kadmin/admin@NODE1.DOMAIN1.COM
     kadmin/changepw@NODE1.DOMAIN1.COM
     kadmin/node1@NODE1.DOMAIN1.COM
     kadmin/history@NODE1.DOMAIN1.COM
     krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM

     UNIX:

     $ kinit "SYSTEM/admin"
     Password for SYSTEM/admin@NODE1.DOMAIN1.COM:
     $ kadmin
     Authenticating as principal SYSTEM/admin@NODE1.DOMAIN1.COM 
     with password.
     Enter password:
     KADMIN: listprincs
     K/M@NODE1.DOMAIN1.COM
     SYSTEM/admin@NODE1.DOMAIN1.COM
     kadmin/admin@NODE1.DOMAIN1.COM
     kadmin/changepw@NODE1.DOMAIN1.COM
     kadmin/node1@NODE1.DOMAIN1.COM
     kadmin/history@NODE1.DOMAIN1.COM
     krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM
     KADMIN: addprinc "ACMEUSER"
     WARNING: no policy specified for ACMEUSER@NODE1.DOMAIN1.COM;
     defaulting to no policy
     Enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
     Re-enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
     Principal "ACMEUSER@NODE1.DOMAIN1.COM" created.
     KADMIN: listprincs
     K/M@NODE1.DOMAIN1.COM
     SYSTEM/admin@NODE1.DOMAIN1.COM
     ACMEUSER@NODE1.DOMAIN1.COM
     kadmin/admin@NODE1.DOMAIN1.COM
     kadmin/changepw@NODE1.DOMAIN1.COM
     kadmin/node1@NODE1.DOMAIN1.COM
     kadmin/history@NODE1.DOMAIN1.COM
     krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM

8.  SET HOST or Telnet to the system on which you installed the ACME 
Agent and the Kerberos persona extension in steps 1 and 2.  Enter one 
of the following commands:

$ TELNET NODE1

or 

$ SET HOST NODE1

9.  Enter the username and password.  You must enclose the username in 
quotes so that the case of the username is preserved.  For example:

       Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3-1H1

       Username: "ACMEUSER"
       Password:         
       
       **** Logon Message from ACME_KRB_DOI ACME Agent ***

The logon message indicates that you successfully obtained your 
Kerberos credentials as part of the OpenVMS login process.

-------------------------------------------------------------

