[6915] in Kerberos
Re: KV4, ovtelnetd setup and tickets expired life time on OpenV*Secure NX
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue Mar 19 14:15:38 1996
Date: Tue, 19 Mar 96 11:25:38 EST
From: Barry Jaspan <bjaspan@bbnplanet.com>
To: "Victor C.M. Lai" <vilai@PROBLEM_WITH_INEWS_GATEWAY_FILE.MIT.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: [6908]
> Problem 1) Kerberos Version 4 (KV4) support
First, some notation. In Kerberos V4, "rcmd.hostname" indicates a
principal name of "rcmd" and an instance of "hostname". In Kerberos
V5, "host/hostname" indicates a name with two components, "host" and
"hostname". So in V4 the "." is the separator, and in V5 the "/" is
the separator. V4 names always have exactly one or two components
(name and instance) but V5 names can have any number of components
(hence the analogy with filenames with "/").
> In the OpenV*Secure System Administrator's Guide, page 32, it says:
> " 1. Create the KV4 principal used by the service and the corresponding KV5
> principal, with the same password"
Creating two principals with the same password just means that you run
the admin GUI and create two principals, "host/hostname" and
"rcmd.hostname", and give them the same password. I no longer
remember the details of why you need to create both with the same
password, but if the manual says it is so, then you should just do it.
> Question 2) Which service principal, "rcmd.hostname" or "rcmd/hostname",
> do we need to create?
I can understand why this is confusing. What you want is a principal
name with two components, "rcmd" and <hostname>. Under V4, you would
create the principal "rcmd.hostname" and that would be correct. To
create the principal under V5, you would create "rcmd/hostname". Note
that you would NOT create "rcmd.hostname" under V5, because to a V5
system that "." is not special, so you'd end up with a one-component
name.
This is confusing because you are creating a V4-compatibility
principal name (rcmd.hostname) but you have to create it with the V5
syntax (rcmd/hostname). Perhaps OpenVision is listening, and they'll
improve the documentation.
> Question 3) We have tried to create a service principal called
> "rcmd.demo18",
> but we can't extract it into a KV4 srvtab file using
> kdb5_edit's "extract_v4_srvtab", because "extract_v4_srvtab"
> requires "instance name [name ...]" and we used:
If you create the principal "rcmd/demo18" with the Secure Admin GUI
you should then be able to extract the V4 srvtab with kdb5_edit with
the command "extract_v4_srvtab demo18 rcmd". Read the answer to
question 2 if you do not understand why.
> Problem 2) ovtelnetd and ovtelnet setup
> We have tried to copy "ovtelnetd" and "ovtelnet" and their man pages into the
> corresponding directories, but we don't know how to set up "ovtelnetd"
> in /etc/inetd.conf and /etc/services ... What is the default TCP
> port of ovtelnetd?
ovtelnetd is a drop-in replacement for regular telnetd. You should
run it on port 23 *instead* of the standard telnetd.
If you really want to, you can run ovtelnetd on any other port: just
create an entry in /etc/services called "ovtelnet" and assign it the
port number you want, then create an entry in /etc/inetd.conf for that
port number.
> Problem 3) Ticket expiry time problems
> We found that although both the initial ticket-granting ticket (krbtgt) and
> the (host/demo18) ticket have expired, we can still use "ovrlogin" to log in to the
> remote machine demo18. The system only indicates that the tickets have expired
> some 20-30 minutes after the expiry time.
I find that surprising, but if it is really true, then it is a bug.
You should call OpenVision's customer support about it.
Barry
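Added example, not code from the original post, from OpenVision or from MIT krb5: a small Python model of the two principal-name syntaxes discussed in questions 2 and 3, plus the V5-to-V4 name conversion, so the point that "rcmd.hostname" (V4) and "rcmd/hostname" (V5) are the same two-component name, while "rcmd.demo18" typed into a V5 tool is a single component, can be checked by running code. The service-name table and the "cut the instance back to the bare hostname" rule are my assumptions, modelled on how I understand krb5's krb5_524_conv_principal behaviour; the OpenV*Secure GUI and kdb5_edit themselves are not modelled, and the "instance name" argument order comes from the reply above.

```python
"""Kerberos V4/V5 principal-name syntax and V5 -> V4 conversion.

Added example (not from the mailing-list post, OpenVision or krb5).
ASSUMPTIONS: the _V5_TO_V4_SERVICE table and the hostname-shortening rule
are modelled on the author's understanding of krb5's 524 conversion.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # e.g. ("host", "demo18.example.com")
    realm: Optional[str] = None


def parse_v5(text: str) -> Principal:
    """Parse 'c1/c2/...@REALM': '/' separates components, '@' starts the
    realm, backslash escapes the next character.  A '.' is NOT special,
    so 'rcmd.demo18' parses as ONE component."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])          # escaped char taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            comps.append("".join(cur)); cur = []
        elif not in_realm and ch == "@":
            comps.append("".join(cur)); cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    realm = "".join(cur) if in_realm else None
    if not in_realm:
        comps.append("".join(cur))
    if not comps or "" in comps:
        raise ValueError(f"malformed V5 principal: {text!r}")
    return Principal(tuple(comps), realm)


def parse_v4(text: str) -> Principal:
    """Parse 'name.instance@REALM': V4 has one or two components and '.'
    is the separator, so 'rcmd.demo18' is name 'rcmd', instance 'demo18'."""
    body, _, realm = text.partition("@")
    name, _, inst = body.partition(".")
    if not name:
        raise ValueError(f"malformed V4 principal: {text!r}")
    comps = (name, inst) if inst else (name,)
    return Principal(comps, realm or None)


# ASSUMPTION: V5 service name -> (V4 name, instance is a hostname that is
# cut back to its first label).  Only entries relevant here are listed.
_V5_TO_V4_SERVICE = {
    "host": ("rcmd", True),
    "ftp": ("ftp", True),
    "krbtgt": ("krbtgt", False),   # instance is a realm name, left intact
}


def v5_to_v4(p: Principal) -> Principal:
    """Convert a one- or two-component V5 principal to V4 form; V4 cannot
    represent three or more components."""
    if len(p.components) > 2:
        raise ValueError("V4 principals have at most two components")
    name = p.components[0]
    inst = p.components[1] if len(p.components) == 2 else ""
    v4name, shorten = _V5_TO_V4_SERVICE.get(name, (name, False))
    if shorten:
        inst = inst.split(".", 1)[0]         # demo18.example.com -> demo18
    return Principal((v4name, inst) if inst else (v4name,), p.realm)


def format_v4(p: Principal) -> str:
    s = ".".join(p.components)
    return f"{s}@{p.realm}" if p.realm else s


def extract_v4_srvtab_args(v5_text: str) -> str:
    """Argument string for kdb5_edit's extract_v4_srvtab, which (per the
    reply above) takes 'instance name', e.g. 'demo18 rcmd' for rcmd/demo18."""
    v4 = v5_to_v4(parse_v5(v5_text))
    if len(v4.components) != 2:
        raise ValueError("a service principal needs an instance")
    return f"{v4.components[1]} {v4.components[0]}"


if __name__ == "__main__":
    # The pitfall from question 2: similar strings, different structure.
    print(parse_v5("rcmd.demo18@EXAMPLE.COM").components)   # ('rcmd.demo18',)
    print(parse_v5("rcmd/demo18@EXAMPLE.COM").components)   # ('rcmd', 'demo18')
    print(format_v4(v5_to_v4(parse_v5("host/demo18.example.com@EXAMPLE.COM"))))
    print(extract_v4_srvtab_args("rcmd/demo18@EXAMPLE.COM"))
```

The realm EXAMPLE.COM and hostname demo18.example.com are constructed sample input; the reply's own example "extract_v4_srvtab demo18 rcmd" falls out of the last call.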