Kerberos for HP OpenVMS Version 3.2
Installation and Configuration Guide
April 2011

Contents:

1. Prerequisites
2. Downloading the Kit
   Secure Delivery and Kerberos
3. Installing and Configuring Kerberos on OpenVMS Integrity servers and Alpha 8.2 and Later
   - Configure HP TCP/IP Services for OpenVMS to Change Hostname Definition to Fully Qualified Domain Name
   - Configuring Kerberos for OpenVMS on OpenVMS 8.2 or Later
4. Configuring Kerberos for Telnet and SSH
   - Configuring TCP/IP Services for OpenVMS SSH with Kerberos
   - Configuring TCP/IP Services for OpenVMS Telnet with Kerberos
5. Configuring and Starting the Kerberos ACME Agent

-------------------------------------------------------------

This document contains information about installing and configuring Kerberos for OpenVMS. For the latest documentation for the current version of Kerberos for OpenVMS, see the Kerberos for OpenVMS web site at:

    http://h71000.www7.hp.com/openvms/products/kerberos/

1. Prerequisites
-------------------------------------------------------------

Operating System

    HP OpenVMS Industry Standard 64 Version 8.3 or later, or
    HP OpenVMS Alpha Version 8.3 or later

TCP/IP Transport

    HP TCP/IP Services for OpenVMS Version 5.6 or later (for Kerberos on OpenVMS Integrity servers and OpenVMS Alpha Version 8.3 or later)

    If you are running a third-party TCP/IP network product such as MultiNet or TCPware from Process Software Corporation, contact your provider about running Kerberos Version 3.2 with their TCP/IP network product.

2. Downloading the Kit
-------------------------------------------------------------

Kerberos Version 3.2 is included in the OpenVMS Version 8.3-1H1 operating system distribution media. If you are running OpenVMS Version 8.3, you can download and install Kerberos Version 3.2.
To download the Kerberos kit from the OpenVMS web site, fill out and submit the Kerberos for OpenVMS registration form at the following URL:

    http://h71000.www7.hp.com/openvms/products/kerberos/

Secure Delivery and Kerberos
-------------------------------------------------------------

The Kerberos for OpenVMS kit is a self-extracting executable file containing a compressed .PCSI file and an associated encrypted, signed manifest (.*_ESW) file. If you copy the Kerberos kit to another location, keep the Kerberos kit and manifest file in the same directory. If you are installing Kerberos on a version of OpenVMS earlier than Version 8.3, the manifest is ignored.

3. Installing and Configuring Kerberos on OpenVMS Version 8.2 or later
-------------------------------------------------------------

Kerberos is automatically installed during the installation of OpenVMS Version 8.3 or later, or during an upgrade from a previous version of OpenVMS to Version 8.3 or later.

Configure HP TCP/IP Services for OpenVMS to Change Hostname Definition to Fully Qualified Domain Name
-------------------------------------------------------------

Before configuring or starting Kerberos, check the HP TCP/IP Services for OpenVMS Local Host Database to determine whether your hostname definition is the short name (for example, node1) or the Fully Qualified Domain Name (FQDN) (for example, node1.hp.com). If your hostname definition is the short name, you must run TCPIP$CONFIG to change the definition to the fully qualified name. (If your hostname definition is the FQDN, continue to Configuring Kerberos for OpenVMS on OpenVMS Version 8.2 or later.)

Configuring Kerberos for OpenVMS on OpenVMS 8.2 or later
-------------------------------------------------------------

If you have not previously configured an earlier version of Kerberos on your system, you must run the configuration program before starting Kerberos.
If you are reconfiguring Kerberos on a system on which Kerberos was previously configured, you must enter the kdestroy command before you run the configuration command procedure SYS$STARTUP:KRB$CONFIGURE.COM. The kdestroy command is defined in KRB$SYMBOLS.COM.

After you have a valid configuration, start Kerberos with the following command:

    $ @SYS$STARTUP:KRB$STARTUP.COM

Example 1 shows a configuration log.

Example 1: Kerberos Configuration Log on OpenVMS

    $ @SYS$STARTUP:KRB$CONFIGURE

        Kerberos V3.2 for OpenVMS Configuration Menu

        Configuration options:

            1 - Setup Client configuration
            2 - Edit Client configuration
            3 - Setup Server configuration
            4 - Edit Server configuration
            5 - Shutdown Servers
            6 - Startup Servers
            E - Exit configuration procedure

    Enter Option: 1

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:

    Press Return to continue ...

        Kerberos V3.2 for OpenVMS Configuration Menu

        Configuration options:

            1 - Setup Client configuration
            2 - Edit Client configuration
            3 - Setup Server configuration
            4 - Edit Server configuration
            5 - Shutdown Servers
            6 - Startup Servers
            E - Exit configuration procedure

    Enter Option: 3

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:

    The type of roles the KDC can perform are:

        NO_KDC     -- where the KDC will not be run
        SINGLE_KDC -- where the KDC is the only one in the realm
        MASTER_KDC -- where the KDC is the master of 1 or more other KDCs
        SLAVE_KDC  -- where the KDC is slave to another KDC

    What will be the KDC's role on this node [ SINGLE_KDC ]:
    Create the OpenVMS Kerberos 5 database [ Y ]:
    Creating OpenVMS Kerberos 5 database ...
    Initializing database krb$root:[krb5kdc]principal for realm SYSTEM.ABC.XYZ.COM,
    master key name K/M@SYSTEM.ABC.XYZ.COM
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    Priority: info
    No dictionary file specified, continuing without one.

    Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:
    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
    Enter password for principal "SYSTEM/admin@SYSTEM.ABC.XYZ.COM":
    Re-enter password for principal "SYSTEM/admin@SYSTEM.ABC.XYZ.COM":
    Principal "SYSTEM/admin@SYSTEM.ABC.XYZ.COM" created.
    Priority: info
    No dictionary file specified, continuing without one.
    WARNING: no policy specified for SYSTEM/admin@SYSTEM.ABC.XYZ.COM; defaulting to no policy

    Create OpenVMS Kerberos 5 principals [ Y ]: N

    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    Press Return to continue ...
        Kerberos V3.2 for OpenVMS Configuration Menu

        Configuration options:

            1 - Setup Client configuration
            2 - Edit Client configuration
            3 - Setup Server configuration
            4 - Edit Server configuration
            5 - Shutdown Servers
            6 - Startup Servers
            E - Exit configuration procedure

    Enter Option: 6

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000060
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 00000061

    Press Return to continue ...

        Kerberos V3.2 for OpenVMS Configuration Menu

        Configuration options:

            1 - Setup Client configuration
            2 - Edit Client configuration
            3 - Setup Server configuration
            4 - Edit Server configuration
            5 - Shutdown Servers
            6 - Startup Servers
            E - Exit configuration procedure

    Enter Option: E

4. Configuring Kerberos for OpenVMS Telnet and OpenVMS SSH
-------------------------------------------------------------

Using Kerberos with TCP/IP SSH for OpenVMS or TCP/IP Telnet for OpenVMS, you can authenticate your SSH or Telnet connections between OpenVMS systems.

An OpenVMS account and a corresponding Kerberos principal are required to use both "Kerberized" Telnet and SSH. For each OpenVMS user you create, create a Kerberos principal that exactly matches (including case) its OpenVMS account name. Passwords do not need to match.

To configure Kerberos to use TCP/IP SSH for OpenVMS or TCP/IP Telnet for OpenVMS, or both, perform the following steps. Then see Section 2.7 or Section 2.8 and follow the instructions in the section that applies to you.

1. Create the principal.

   For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands. Both styles of commands are entered on an OpenVMS system.
   DCL:

    $ KERBEROS/ADMIN
    KerberosAdmin> login "SYSTEM/admin"
    Enter password:
    Authenticating as principal SYSTEM/admin with password.
    KerberosAdmin> list principal
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create principal "USER1"
    Authenticating as principal SYSTEM/admin with password.
    WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy
    Enter password for principal "USER1@NODE1.HP.COM":
    Re-enter password for principal "USER1@NODE1.HP.COM":
    Principal "USER1@NODE1.HP.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

   UNIX:

    $ kinit "SYSTEM/admin"
    Password for SYSTEM/admin@NODE1.HP.COM:
    $ kadmin
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Enter password:
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: addprinc "USER1"
    WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy
    Enter password for principal "USER1@NODE1.HP.COM":
    Re-enter password for principal "USER1@NODE1.HP.COM":
    Principal "USER1@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

2. Create the Kerberos host principals.

   For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands.
   The second example shows the UNIX-style commands.

   DCL:

    KerberosAdmin> create principal/random "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1.hp.com@NODE1.HP.COM" created.
    KerberosAdmin> create principal/random "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1@NODE1.HP.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    host/node1.hp.com@NODE1.HP.COM
    host/node1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create keytab "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KerberosAdmin> create keytab "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KerberosAdmin> list keytab
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1)
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1)
    host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    KerberosAdmin> exit
    $

   UNIX:

    KADMIN: addprinc -randkey "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1.hp.com@NODE1.HP.COM" created.
    KADMIN: addprinc -randkey "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    host/node1.hp.com@NODE1.HP.COM
    host/node1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: ktadd "host/node1.hp.com@NODE1.HP.COM"
    KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KADMIN: ktadd "host/node1@NODE1.HP.COM"
    KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab WRFILE=krb$root:[etc]krb5.keytab.
    KADMIN: ktlist
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1)
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1)
    host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    KADMIN: exit
    $

Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos
-------------------------------------------------------------

Using Kerberos with TCP/IP SSH for OpenVMS, you can authenticate your SSH connections between OpenVMS systems. The minimum version of TCP/IP Services for OpenVMS necessary for Kerberized SSH is Version 5.6.

To "Kerberize" your SSH connections, perform the following steps.

1. Install and configure TCP/IP Services for OpenVMS Version 5.6 or later.

2. Install and configure Kerberos for OpenVMS. If you have already installed OpenVMS Version 7.3-2 or later, Kerberos is part of the OpenVMS installation procedure. If you have an earlier version of OpenVMS installed, you can download the Kerberos for OpenVMS PCSI kit from the Kerberos web site at:

    http://h71000.www7.hp.com/openvms/products/kerberos/

3. Shut down Kerberos, if it is running, by entering the following command:

    $ @SYS$STARTUP:KRB$SHUTDOWN

4. Configure TCP/IP Services for OpenVMS by entering the following command:

    $ @SYS$STARTUP:TCPIP$CONFIG

5. Select #2, Client components, from the TCP/IP Configuration Menu:

        HP TCP/IP Services for OpenVMS Configuration Menu

        Configuration options:

            1 - Core environment
            2 - Client components
            3 - Server components
            4 - Optional components
            5 - Shutdown HP TCP/IP Services for OpenVMS
            6 - Startup HP TCP/IP Services for OpenVMS
            7 - Run tests
            A - Configure options 1 - 4
          [E] - Exit configuration procedure

    Enter configuration option: 2

6. Ensure that the SSH Client and Server services are enabled.
   Select #7, SSH Client, from the TCP/IP Configuration Menu:

        HP TCP/IP Services for OpenVMS Client Components Configuration Menu

        Configuration options:

            1 - DHCP Client      Disabled  Stopped
            2 - FTP Client       Enabled   Started
            3 - NFS Client       Disabled  Stopped
            4 - REXEC and RSH    Enabled   Started
            5 - RLOGIN           Enabled   Started
            6 - SMTP             Disabled  Stopped
            7 - SSH Client       Disabled  Stopped
            8 - TELNET           Enabled   Started
            9 - TELNETSYM        Disabled  Stopped
            A - Configure options 1 - 9
          [E] - Exit menu

    Enter configuration option: 7

7. Select #2, Enable service on this node, from the TCP/IP Configuration Menu. Type YES when it asks if you want to configure the SSH SERVER. If SSH is already enabled, skip to step 9.

        SSH CLIENT configuration options:

            1 - Enable service on all nodes
            2 - Enable service on this node
            3 - Stop service on this node
          [E] - Exit SSH_CLIENT configuration

    Enter configuration option: 2

    The SSH SERVER is enabled.
    * Do you want to configure SSH SERVER [NO]: YES

8. Select #2, Enable Service on this node, from the TCP/IP Configuration Menu. Press return to select the default or type YES to create a new default server host key.

        SSH configuration options:

            1 - Enable service on all nodes
            2 - Enable service on this node
            3 - Stop service on this node
          [E] - Exit SSH configuration

    Enter configuration option: 2

    * Create a new default server host key? [YES]: YES
    Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY
    Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB

9. Select Exit twice to exit from each submenu of the TCP/IP Configuration Menu.

10. If the system asks if you want to start SSH now, answer NO.

    The following services are enabled but not started: SSH, SSH_CLIENT
    * Start these services now? [N] NO
    You may start services individually with: @SYS$STARTUP:TCPIP$_STARTUP.COM

11. If SSH is not already running, manually start the SSH client and server by entering the following commands:

    $ @SYS$STARTUP:TCPIP$SSH_STARTUP.COM
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSHD2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP-SERVER2.EXE installed
    %TCPIP-I-INFO, logical names created
    %TCPIP-I-INFO, service enabled
    %TCPIP-S-STARTDONE, TCPIP$SSH startup completed

    $ @SYS$STARTUP:TCPIP$ssh_client_STARTUP.COM
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SCP2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SFTP2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-ADD2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-AGENT2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-KEYGEN2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH-SIGNER2.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$SSH_SSH2.EXE installed
    %TCPIP-I-INFO, logical names created
    %TCPIP-S-STARTDONE, TCPIP$SSH_CLIENT startup completed

12. Start Kerberos by entering the following command:

    $ @SYS$STARTUP:KRB$STARTUP

13. Verify that the SSH service is enabled by entering the following command:

    $ TCPIP SHOW SERV

    Service   Port  Proto  Process       Address   State
    FTP         21  TCP    TCPIP$FTP     0.0.0.0   Enabled
    REXEC      512  TCP    TCPIP$REXEC   0.0.0.0   Enabled
    RLOGIN     513  TCP    not defined   0.0.0.0   Enabled
    RSH        514  TCP    TCPIP$RSH     0.0.0.0   Enabled
    SSH         22  TCP    TCPIP$SSH     0.0.0.0   Enabled
    TELNET      23  TCP    not defined   0.0.0.0   Enabled

14. Modify the following SSH configuration files to enable the Kerberos authentication methods:

    SYS$SYSDEVICE:[000000.TCPIP$SSH.SSH2]
        SSH2_CONFIG.    (SSH client)
        SSHD2_CONFIG.   (SSH server)

    In each file, under the 'Authentication' section, you must add the Kerberos authentication methods you would like to use. Following is an example that uses all three methods, plus the regular methods.
    Make sure you indent and space as the example in the file shows:

        AllowedAuthentications gssapi-with-mic, kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, publickey, password, hostbased

    You should only have one AllowedAuthentications line uncommented. If there are others that are uncommented, comment them out with a # sign as shown below:

        # AllowedAuthentications publickey, keyboard-interactive, password

15. Add the following lines to SYS$MANAGER:SYSTARTUP_VMS.COM to install the 32-bit Kerberos images at boot time. They are needed for the Kerberos-based functionality with SSH:

    $ INSTALL CREATE SYS$SHARE:KRB$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARED
    $ INSTALL CREATE SYS$SHARE:GSS$RTL32.EXE/OPEN/HEADER_RESIDENT/SHARE

16. If you are using TCP/IP Version 5.6 and Kerberos Version 2.1 and want to use the gssapi-with-mic authentication method with SSH, you must define the following system logical:

    $ DEFINE/SYSTEM TCPIP$SSH_KRBRTL_HACK 1

17. Set up the Kerberos symbols, if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM file.

    $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use Kerberized SSH.

A. Log into the OpenVMS system.

    Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3
    Username: user1
    Password:

B. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter one of the following commands at the DCL prompt each time you start a Kerberized application, such as TCP/IP Services for OpenVMS SSH. You are then prompted for the password associated with the principal. (The -f is required for the kerberos-tgt-2 authentication method.)

    $ kinit -f "USER1"
    password for user1@NODE1.HP.COM

    $ kinit "USER1"
    password for user1@NODE1.HP.COM

C. Enter the SSH command specifying the Kerberos authentication method to use and the hostname as follows:

    $ ssh -o"AllowedAuthentications gssapi-with-mic" node1
    Authentication successful.
    Welcome to OpenVMS (TM) Operating System, Version 8.3

    $ ssh -o"AllowedAuthentications kerberos-2@ssh.com" node1
    Authentication successful.
    Welcome to OpenVMS (TM) Operating System, Version 8.3

    $ ssh -o"AllowedAuthentications kerberos-tgt-2@ssh.com" node1
    Authentication successful.
    Welcome to OpenVMS (TM) Operating System, Version 8.3
    $

D. See the HP TCP/IP Services for OpenVMS Guide to SSH for more information about configuring SSH and troubleshooting.

Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos
-------------------------------------------------------------

Using Kerberos with TCP/IP KTELNET for OpenVMS, you can authenticate your Telnet connections between OpenVMS systems.

To "Kerberize" your Telnet connections, perform the following steps.

1. Install and configure TCP/IP Services for OpenVMS Version 5.3 or later.

2. Install and configure Kerberos for OpenVMS. If you have already installed OpenVMS Version 7.3-2 or later, Kerberos is part of the OpenVMS installation procedure.

3. Shut down Kerberos, if it is running, by entering the following command:

    $ @SYS$STARTUP:KRB$SHUTDOWN

4. Configure TCP/IP Services for OpenVMS by entering the following command:

    $ @SYS$STARTUP:TCPIP$CONFIG

5. Select #2, Client components, from the TCP/IP Configuration Menu:

        HP TCP/IP Services for OpenVMS Configuration Menu

        Configuration options:

            1 - Core environment
            2 - Client components
            3 - Server components
            4 - Optional components
            5 - Shutdown HP TCP/IP Services for OpenVMS
            6 - Startup HP TCP/IP Services for OpenVMS
            7 - Run tests
            A - Configure options 1 - 4
          [E] - Exit configuration procedure

    Enter configuration option: 2

6. Ensure that the Telnet service is stopped. If Telnet is already stopped, skip to step 8.
   If Telnet is not currently stopped, select #8, Telnet, from the TCP/IP Configuration Menu:

        HP TCP/IP Services for OpenVMS Client Components Configuration Menu

        Configuration options:

            1 - DHCP Client      Disabled  Stopped
            2 - FTP Client       Enabled   Started
            3 - NFS Client       Disabled  Stopped
            4 - REXEC and RSH    Enabled   Started
            5 - RLOGIN           Enabled   Started
            6 - SMTP             Disabled  Stopped
            7 - SSH Client       Enabled   Started
            8 - TELNET           Enabled   Started
            9 - TELNETSYM        Disabled  Stopped
            A - Configure options 1 - 9
          [E] - Exit menu

    Enter configuration option: 8

   NOTE: You must stop the Telnet service before you can begin to configure Kerberized Telnet. Stopping the Telnet service disconnects current Telnet sessions.

7. Select #3, Stop service on this node, from the TCP/IP Configuration Menu:

        TELNET configuration options:

            1 - Enable service on all nodes
            2 - Enable service on this node
            3 - Stop service on this node
          [E] - Exit TELNET configuration

    Enter configuration option: 3

8. Select [E], Exit menu, from the TCP/IP Configuration Menu:

        Configuration options:

            1 - DHCP Client      Disabled  Stopped
            2 - FTP Client       Enabled   Started
            3 - NFS Client       Disabled  Stopped
            4 - REXEC and RSH    Enabled   Started
            5 - RLOGIN           Enabled   Started
            6 - SMTP             Disabled  Stopped
            7 - SSH Client       Enabled   Started
            8 - TELNET           Enabled   Stopped
            9 - TELNETSYM        Disabled  Stopped
            A - Configure options 1 - 9
          [E] - Exit menu

    Enter configuration option: E

9. Select #4, Optional components, from the TCP/IP Configuration Menu:

        HP TCP/IP Services for OpenVMS Configuration Menu

        Configuration options:

            1 - Core environment
            2 - Client components
            3 - Server components
            4 - Optional components
            5 - Shutdown HP TCP/IP Services for OpenVMS
            6 - Startup HP TCP/IP Services for OpenVMS
            7 - Run tests
            A - Configure options 1 - 4
          [E] - Exit configuration procedure

    Enter configuration option: 4

10. Select #4, Configure Kerberos Applications, from the TCP/IP Configuration Menu:

        HP TCP/IP Services for OpenVMS Optional Components Configuration Menu

        Configuration options:

            1 - Configure PWIP Driver (for DECnet-Plus and PATHWORKS)
            2 - Configure SRI QIO Interface (INET Driver)
            3 - Set up Anonymous FTP Account and Directories
            4 - Configure Kerberos Applications
            5 - Configure failSAFE IP
            A - Configure options 1 - 5
          [E] - Exit menu

    Enter configuration option: 4

11. Select #1, Add Kerberos for TELNET server, from the TCP/IP Configuration Menu:

        Kerberos Applications Configuration Menu

        TELNET Kerberos is not defined in the TCPIP$SERVICE database.

        Configuration options:

            1 - Add Kerberos for TELNET server
            2 - Remove Kerberos for TELNET server
          [E] - Exit menu

    Enter configuration option: 1

12. Select Exit three times to exit from the submenus of the TCP/IP Configuration Menu.

13. If the system asks if you want to start Telnet now, answer NO.

    The following services are enabled but not started: TELNET
    Start these services now? [N] NO
    You may start services individually with: @SYS$STARTUP:TCPIP$_STARTUP.COM

14. Manually start Telnet by entering the following command:

    $ @SYS$STARTUP:TCPIP$TELNET_STARTUP.COM
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET_SERVER.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET.EXE installed
    %TCPIP-I-INFO, logical names created
    %TCPIP-I-INFO, telnet service enabled
    %TCPIP-I-INFO, telnet (kerberos) service enabled
    %TCPIP-S-STARTDONE, TCPIP$TELNET startup completed

15. Start Kerberos by entering the following command:

    $ @SYS$STARTUP:KRB$STARTUP

16. Verify that the Kerberos Telnet (KTELNET) service is enabled by entering the following command. (If KTELNET is disabled, you can enable it using the $ TCPIP ENABLE SERVICE KTELNET command.)
    $ TCPIP SHOW SERV

    Service   Port  Proto  Process        Address   State
    FTP         21  TCP    TCPIP$FTP      0.0.0.0   Enabled
    KTELNET   2323  TCP    TCPIP$TELNET   0.0.0.0   Enabled
    REXEC      512  TCP    TCPIP$REXEC    0.0.0.0   Enabled
    RLOGIN     513  TCP    not defined    0.0.0.0   Enabled
    RSH        514  TCP    TCPIP$RSH      0.0.0.0   Enabled
    SSH         22  TCP    TCPIP$SSH      0.0.0.0   Enabled
    TELNET      23  TCP    not defined    0.0.0.0   Enabled

17. Set up the Kerberos symbols, if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM file.

    $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use Kerberized Telnet.

A. Log into the OpenVMS system.

    Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3-1H1
    Username: user1
    Password:

B. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter the following command at the DCL prompt each time you start a Kerberized application, such as TCP/IP Services for OpenVMS Telnet. You are then prompted for the password associated with the principal. (The -f denotes forwardable credentials.)

    $ kinit -f "USER1"
    password for user1@node1.hp.com

C. Enter the TELNET/AUTH command specifying Kerberos port 2323 to start the TELNET session, as follows:

    $ kinit -f "USER1"
    $ TELNET/AUTH NODE1 2323
    TELNET-I-TRYING, Trying ... 1.2.3.4
    %TELNET-I-SESSION, Session 01, host node1, port 2323
    -TELNET-I-ESCAPE, Escape character is ^]
    [ Kerberos V5 accepts you as user1.NODE1.HP.COM

D. Optionally, enter the TELNET/AUTH/FORW command specifying Kerberos port 2323 to forward credentials. (Note: Forwarding credentials to non-OpenVMS servers works properly, but there is currently a problem in forwarding credentials to OpenVMS servers. This will be corrected in a future TCP/IP Services for OpenVMS ECO kit.)

    $ TELNET/AUTH/FORW NODE1 2323
    TELNET-I-TRYING, Trying ... 1.2.3.4
    %TELNET-I-SESSION, Session 01, host node1, port 2323
    -TELNET-I-ESCAPE, Escape character is ^]
    [Kerberos V5 accepts you as user1@NODE1.HP.COM ]
    [ Kerberos V5 refuses authentication ]

E. If you are using Kerberized Telnet to a non-OpenVMS system, the default port of 23 should be specified. Port 2323 is only used when contacting a Kerberized Telnet server on an OpenVMS system. This is because Telnet on OpenVMS currently uses different servers for regular and Kerberized Telnet.

5. Configuring and Starting the Kerberos ACME Agent
-------------------------------------------------------------

HP OpenVMS Version 8.3-1H1 includes images for the Kerberos ACME agent. The Kerberos ACME agent is an addition to the existing Kerberos authentication provided by the Kerberos utilities. The Kerberos ACME provides functionality similar to the pam_krb5 utility on UNIX systems using Kerberos.

To use Kerberos with previous versions of OpenVMS, you needed to log in twice: once to log in to OpenVMS itself, and once to obtain Kerberos credentials. These steps worked with names and passwords. With the Kerberos ACME agent, you can obtain your Kerberos credentials as part of the OpenVMS login process. The user authentication is processed against the Kerberos KDC database instead of against the OpenVMS User Authorization File (UAF).

After you install and configure Kerberos Version 3.2, perform the following steps to configure and start the Kerberos ACME agent.

1. Install ACME Login from a privileged account. OpenVMS Version 8.3-1H1 includes images for ACME Login. See the file SYS$HELP:ACME_DEV_README.TXT for information about installation and set up.

2. Install the Kerberos persona extension by entering the following commands:

    $ MCR SYSMAN
    SYSMAN> SYS_LOADABLE ADD/LOG KERBEROS KRB$ACME_KRB_PERSONA_EXT
    %SYSMAN-I-IMGADDED, added image KRB$ACME_KRB_PERSONA_EXT for product KERBEROS
    $ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM

3. Reboot the system. This is required one time only, after you have installed the Kerberos persona extension.

4. To start the Kerberos ACME agent automatically, edit the file SYS$MANAGER:ACME$START.COM to uncomment the following line:

    $! @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME

5. Edit the file SYSTARTUP_VMS.COM to include the following command after all dependent software is started:

    $ SET SERVER ACME/RESTART

6. Create an OpenVMS account with the EXTAUTH flag and default directory and device set. (NOTE: After the authentication completes, the Kerberos agent creates the ticket in the user login directory.)

7. Create a Kerberos principal name that exactly matches (including case) the OpenVMS account name created in step 6. Passwords do not need to match.

   For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands. Both styles of commands are entered on an OpenVMS system.

   DCL:

    $ KERBEROS/ADMIN
    KerberosAdmin> login "SYSTEM/admin"
    Enter password:
    Authenticating as principal SYSTEM/admin with password.
    KerberosAdmin> list principal
    K/M@NODE1.DOMAIN1.COM
    SYSTEM/admin@NODE1.DOMAIN1.COM
    kadmin/admin@NODE1.DOMAIN1.COM
    kadmin/changepw@NODE1.DOMAIN1.COM
    kadmin/node1@NODE1.DOMAIN1.COM
    kadmin/history@NODE1.DOMAIN1.COM
    krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM
    KerberosAdmin> create principal "ACMEUSER"
    Authenticating as principal SYSTEM/admin with password.
    WARNING: no policy specified for ACMEUSER@NODE1.DOMAIN1.COM; defaulting to no policy
    Enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
    Re-enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
    Principal "ACMEUSER@NODE1.DOMAIN1.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin with password.
    K/M@NODE1.DOMAIN1.COM
    SYSTEM/admin@NODE1.DOMAIN1.COM
    ACMEUSER@NODE1.DOMAIN1.COM
    kadmin/admin@NODE1.DOMAIN1.COM
    kadmin/changepw@NODE1.DOMAIN1.COM
    kadmin/node1@NODE1.DOMAIN1.COM
    kadmin/history@NODE1.DOMAIN1.COM
    krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM

   UNIX:

    $ kinit "SYSTEM/admin"
    Password for SYSTEM/admin@NODE1.DOMAIN1.COM:
    $ kadmin
    Authenticating as principal SYSTEM/admin@NODE1.DOMAIN1.COM with password.
    Enter password:
    KADMIN: listprincs
    K/M@NODE1.DOMAIN1.COM
    SYSTEM/admin@NODE1.DOMAIN1.COM
    kadmin/admin@NODE1.DOMAIN1.COM
    kadmin/changepw@NODE1.DOMAIN1.COM
    kadmin/node1@NODE1.DOMAIN1.COM
    kadmin/history@NODE1.DOMAIN1.COM
    krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM
    KADMIN: addprinc "ACMEUSER"
    WARNING: no policy specified for ACMEUSER@NODE1.DOMAIN1.COM; defaulting to no policy
    Enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
    Re-enter password for principal "ACMEUSER@NODE1.DOMAIN1.COM":
    Principal "ACMEUSER@NODE1.DOMAIN1.COM" created.
    KADMIN: listprincs
    K/M@NODE1.DOMAIN1.COM
    SYSTEM/admin@NODE1.DOMAIN1.COM
    USER1@NODE1.DOMAIN1.COM
    kadmin/admin@NODE1.DOMAIN1.COM
    kadmin/changepw@NODE1.DOMAIN1.COM
    kadmin/node1@NODE1.DOMAIN1.COM
    kadmin/history@NODE1.DOMAIN1.COM
    krbtgt/NODE1.DOMAIN1.COM@NODE1.DOMAIN1.COM

8. SET HOST or Telnet to the system on which you installed the ACME Agent and the Kerberos persona extension in steps 1 and 2. Enter one of the following commands:

    $ TELNET NODE1

   or

    $ SET HOST NODE1

9. Enter the username and password. You must enclose the username in quotes so that the case of the username is preserved. For example:

    Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3-1H1
    Username: "ACMEUSER"
    Password:

    **** Logon Message from ACME_KRB_DOI ACME Agent ***

   The logon message indicates that you successfully obtained your Kerberos credentials as part of the OpenVMS login process.

-------------------------------------------------------------
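Three of the steps above are easy to get subtly wrong and hard to eyeball on a long-lived system: the SSH step that wants exactly one uncommented AllowedAuthentications line carrying the Kerberos methods, the keytab listings that show host keys being written with DES and Triple DES encryption types, and the requirement (Sections 4 and 5) that each Kerberos principal be spelled exactly like its OpenVMS account, case included. The following Python script is an added example, not part of the HP guide and not HP code: it parses text in the shape of the guide's own SSHD2_CONFIG fragment, its "list keytab"/"ktlist" output and its "listprincs" output, and reports on all three. The sample inputs are constructed from the listings in this guide; the encryption-type verdicts follow RFC 6649 (single DES is deprecated and must not be relied on) and RFC 8429 (Triple DES is deprecated), which is current guidance rather than anything the 2011 guide states.

```python
"""Post-configuration checks for the Kerberized SSH, keytab and principal steps
in this guide. Added example; not part of the HP guide. Every input below is a
constructed sample modelled on the guide's own listings."""
import re

# Authentication methods the guide's SSH step adds to AllowedAuthentications.
KERBEROS_METHODS = {"gssapi-with-mic", "kerberos-2@ssh.com", "kerberos-tgt-2@ssh.com"}


def active_allowed_authentications(config_text):
    """Return each uncommented AllowedAuthentications line as a list of method names."""
    active = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out with '#', as the guide tells you to do
        match = re.match(r"AllowedAuthentications\s+(.+)$", line, re.IGNORECASE)
        if match:
            active.append([m.strip() for m in match.group(1).split(",") if m.strip()])
    return active


def check_ssh_config(config_text):
    """Problems in SSH2_CONFIG/SSHD2_CONFIG text: the guide wants exactly one
    uncommented AllowedAuthentications line carrying at least one Kerberos method."""
    problems = []
    active = active_allowed_authentications(config_text)
    if not active:
        problems.append("no uncommented AllowedAuthentications line")
    elif len(active) > 1:
        problems.append(f"{len(active)} uncommented AllowedAuthentications lines; keep only one")
    if active and not (set(active[0]) & KERBEROS_METHODS):
        problems.append("no Kerberos method on the first active AllowedAuthentications line")
    return problems


# One line of 'KerberosAdmin> list keytab' / 'KADMIN: ktlist' output.
KEYTAB_LINE = re.compile(
    r"^(?P<principal>\S+)\s+\(kvno:\s*(?P<kvno>\d+),\s*etype:\s*(?P<etype>[^)]+)\)$")


def parse_keytab_listing(text):
    """Parse keytab listing lines into (principal, kvno, etype) tuples."""
    entries = []
    for raw in text.splitlines():
        match = KEYTAB_LINE.match(raw.strip())
        if match:
            entries.append((match["principal"], int(match["kvno"]), match["etype"].strip()))
    return entries


def classify_etype(etype):
    """'broken' for single DES (RFC 6649), 'deprecated' for Triple DES (RFC 8429),
    'ok' for anything else. The order matters: 'Triple DES ...' must not match 'des '."""
    name = etype.lower()
    if name.startswith("triple des") or name.startswith("des3"):
        return "deprecated"
    if name.startswith("des ") or name.startswith("des-"):
        return "broken"
    return "ok"


def keytab_findings(text):
    """(principal, etype, verdict) for every keytab entry whose etype is not 'ok'."""
    findings = []
    for principal, _kvno, etype in parse_keytab_listing(text):
        verdict = classify_etype(etype)
        if verdict != "ok":
            findings.append((principal, etype, verdict))
    return findings


def accounts_without_principal(listprincs_text, accounts, realm):
    """OpenVMS account names with no principal spelled exactly the same way (case
    included) in REALM, which the guide requires for Kerberized SSH, Telnet and ACME."""
    principals = set(listprincs_text.split())
    return [name for name in accounts if f"{name}@{realm}" not in principals]


# Constructed sample inputs (shapes taken from the guide's listings).
SAMPLE_SSHD2_CONFIG = """\
## Authentication
# AllowedAuthentications publickey, keyboard-interactive, password
AllowedAuthentications gssapi-with-mic, kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, publickey, password, hostbased
"""

SAMPLE_KEYTAB_LISTING = """\
host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1)
host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with HMAC/sha1)
host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
"""

SAMPLE_LISTPRINCS = """\
K/M@NODE1.HP.COM
SYSTEM/admin@NODE1.HP.COM
USER1@NODE1.HP.COM
host/node1.hp.com@NODE1.HP.COM
krbtgt/NODE1.HP.COM@NODE1.HP.COM
"""

if __name__ == "__main__":
    print("SSH config problems:", check_ssh_config(SAMPLE_SSHD2_CONFIG) or "none")
    for principal, etype, verdict in keytab_findings(SAMPLE_KEYTAB_LISTING):
        print(f"{verdict:10} {principal}  ({etype})")
    print("accounts without a matching principal:",
          accounts_without_principal(SAMPLE_LISTPRINCS, ["USER1", "user1", "ACMEUSER"], "NODE1.HP.COM"))
```

Run against the guide's own keytab listing, every host entry is flagged, because the procedure writes one single-DES and one Triple DES key per host principal; the fix on a modern KDC is to restrict the permitted encryption types in the KDC and client configuration and re-create the keytab, not to edit the listing. The principal check deliberately treats "user1" and "USER1" as different names, which is exactly the mismatch the guide warns about for Kerberized SSH, Telnet and the ACME agent.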