HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration 
       
      
      Configuring Kerberos for OpenVMS Telnet and OpenVMS SSH
      
      
      
Using Kerberos with TCP/IP SSH for OpenVMS or TCP/IP Telnet for OpenVMS, you can authenticate your SSH or Telnet connections between OpenVMS systems. An OpenVMS account and a corresponding Kerberos principal are required to use both “Kerberized” Telnet and SSH. For each OpenVMS user you create, create a Kerberos principal that exactly matches (including case) its OpenVMS account name. Passwords do not need to match.

To configure Kerberos to use TCP/IP SSH for OpenVMS or TCP/IP Telnet for OpenVMS, or both, perform the following steps. Then see “Configuring HP TCP/IP Services for OpenVMS SSH with Kerberos” or “Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos” and follow the instructions in the section that applies to you.

Create the principal. For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands. Both styles of commands are entered on an OpenVMS system.

DCL:

    $ KERBEROS/ADMIN
    KerberosAdmin> login "SYSTEM/admin"
    Enter password:
    Authenticating as principal SYSTEM/admin with password.
    KerberosAdmin> list principal
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create principal "USER1"
    Authenticating as principal SYSTEM/admin with password.
    WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to
             no policy
    Enter password for principal "USER1@NODE1.HP.COM":
    Re-enter password for principal "USER1@NODE1.HP.COM":
    Principal "USER1@NODE1.HP.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

UNIX:

    $ kinit "SYSTEM/admin"
    Password for SYSTEM/admin@NODE1.HP.COM:
    $ kadmin
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Enter password:
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: addprinc "USER1"
    WARNING: no policy specified for USER1@NODE1.HP.COM; defaulting to no policy
    Enter password for principal "USER1@NODE1.HP.COM":
    Re-enter password for principal "USER1@NODE1.HP.COM":
    Principal "USER1@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

Create the Kerberos host principals. For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands.

DCL:

    KerberosAdmin> create principal/random "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1.hp.com@NODE1.HP.COM" created.
    KerberosAdmin> create principal/random "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1@NODE1.HP.COM" created.

    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    host/node1.hp.com@NODE1.HP.COM
    host/node1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create keytab "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KERBEROS: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.

    KerberosAdmin> create keytab "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KERBEROS: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.

    KerberosAdmin> list keytab
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    KerberosAdmin> exit
    $

UNIX:

    KADMIN: addprinc -randkey "host/node1.hp.com@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1.hp.com@NODE1.HP.COM" created.
    KADMIN: addprinc -randkey "host/node1@NODE1.HP.COM"
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Principal "host/node1@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    USER1@NODE1.HP.COM
    host/node1.hp.com@NODE1.HP.COM
    host/node1@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM SYSTEM/admin@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: ktadd "host/node1.hp.com@NODE1.HP.COM"
    KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KADMIN: Entry for principal host/node1.hp.com@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.
    KADMIN: ktadd "host/node1@NODE1.HP.COM"
    KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to
    keytab WRFILE=krb$root:[etc]krb5.keytab.

    KRB$KADMIN: Entry for principal host/node1@NODE1.HP.COM with
    kvno 3, encryption type DES-CBC-CRC mode with CRC-32 added to keytab
    WRFILE=krb$root:[etc]krb5.keytab.
    KADMIN: ktlist
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
    HMAC/sha1)
    host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
    KADMIN: exit
    $
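
A post-configuration check for the two steps above, as an added example that is not part of the HP manual: it parses a saved copy of the keytab listing, reports entries keyed with single DES, confirms that both host principals have keytab entries, and finds accounts whose principal differs only in case. The function names, the saved-listing approach and the account name "user1" are assumptions made for illustration; the sample data is constructed from the output shown above.

```python
import re

# Constructed sample: the "list keytab" / ktlist output shown above, with the
# line wrap inside the Triple DES entries kept.
KEYTAB_LISTING = """\
host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
HMAC/sha1)
host/node1.hp.com@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
host/node1@NODE1.HP.COM (kvno: 3, etype: Triple DES cbc mode with
HMAC/sha1)
host/node1@NODE1.HP.COM (kvno: 3, etype: DES cbc mode with CRC-32)
"""
# Constructed sample: names taken from the "list principal" output above.
PRINCIPALS = ["K/M@NODE1.HP.COM", "SYSTEM/admin@NODE1.HP.COM",
              "USER1@NODE1.HP.COM", "host/node1.hp.com@NODE1.HP.COM",
              "host/node1@NODE1.HP.COM"]
ENTRY = re.compile(r"(\S+@\S+)\s+\(kvno:\s*(\d+),\s*etype:\s*([^)]+)\)")

def parse_keytab(listing):
    """Return (principal, kvno, etype) tuples; wrapped entries are rejoined."""
    flat = " ".join(listing.split())
    return [(p, int(k), e.strip()) for p, k, e in ENTRY.findall(flat)]

def single_des_entries(entries):
    """Entries keyed with single DES (deprecated by RFC 6649), not Triple DES."""
    return [(p, k, e) for p, k, e in entries
            if e.lower().startswith("des") and not e.lower().startswith("des3")]

def missing_host_keys(entries, hostnames, realm):
    """Expected host/<name>@<realm> principals that have no keytab entry."""
    have = {p for p, _, _ in entries}
    want = [f"host/{h}@{realm}" for h in hostnames]
    return [p for p in want if p not in have]

def account_mismatches(accounts, principals, realm):
    """Map each account without an exact-case principal to case-only near misses."""
    report = {}
    for acct in accounts:
        name = f"{acct}@{realm}"
        if name not in principals:
            report[acct] = [p for p in principals if p.lower() == name.lower()]
    return report

if __name__ == "__main__":
    entries = parse_keytab(KEYTAB_LISTING)
    print("single-DES keys:", single_des_entries(entries))
    print("missing host keys:",
          missing_host_keys(entries, ["node1", "node1.hp.com"], "NODE1.HP.COM"))
    # "user1" is a constructed account name that differs from USER1 only in case.
    print("account mismatches:",
          account_mismatches(["USER1", "user1"], PRINCIPALS, "NODE1.HP.COM"))
```

An empty list for an account in the mismatch report means no principal exists for it at all; a non-empty list names the principal that matches except for case.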