
Network Programs Available on Kerberized Machines

3.0 - Updated on 2021-02-24 by Brittany Bossarte

2.0 - Updated on 2021-02-23 by Carlos Salazar (Inactive)

1.0 - Authored on 2014-05-01 by Fang Wang

Intended for: Kerberos users and system administrators


Scenario/Use case:

This article describes the Kerberized features of the network connection programs that are usable with Kerberos v5.

Note that the "Kerberized" versions of telnet, rsh, rlogin, FTP, and rcp are deprecated and have been removed from the MIT Kerberos distribution into a separate package. Similarly, on Linux systems these utilities have been moved into an installation package separate from the basic Kerberos services; see Basic Linux Kerberos Installation. Fermilab recommends using ssh and scp to provide interactive login, remote command execution and file copies across the network.

Instructions:

The Kerberos V5 network programs are versions of existing UNIX network programs with the Kerberos features added. We call these versions "Kerberized". They include telnet, rsh, rlogin, FTP, and rcp which usually come with the installation of a Kerberos 5 client, and ssh, slogin and scp which come with a Kerberized ssh client. These programs have the original features of the corresponding non-Kerberized programs, plus additional features that transparently use your Kerberos tickets for negotiating authentication and optional encryption with the remote host. In most cases, all you'll notice is that you no longer have to type your password, because Kerberos has already proven your identity.

Be aware that, depending on how the network program is configured and whether the target machine is Kerberized, you may be prompted for either your login id or password, both, or neither.

You can check the defaults set for the (non-ssh) programs in the [appdefaults] section of the /etc/krb5.conf file. For ssh configuration, see the ssh man pages. These defaults can be overridden via command line options (and in the cases of telnet and FTP when invoked without a hostname argument, via commands inside the program).

See the man pages for complete information. Here we list only the command syntax and the Kerberos-added features for these programs.
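Before relying on the per-program flags listed below, it helps to know what the [appdefaults] section of krb5.conf already gives you. The following is an added example, not part of the original article: a POSIX sh/awk script that parses a constructed krb5.conf excerpt and reports, for telnet, rlogin and rsh, which forwarding flag the configured defaults are equivalent to and which defaults a reviewer would tighten. The relation names forward, forwardable and encrypt are assumed to be the ones the MIT Kerberized clients read from [appdefaults]; confirm them against krb5.conf(5) on your system.

```bash
# Constructed krb5.conf excerpt (not from any real host). Relation names
# forward/forwardable/encrypt are assumed to be those read by MIT's clients.
KRB5_CONF_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.ORG
[appdefaults]
    telnet = {
        forward = true
        encrypt = true
    }
    rlogin = {
        forward = true
        forwardable = true
        encrypt = false
    }
    rsh = {
        encrypt = false
    }
'
# appdefault PROGRAM RELATION: value of RELATION in PROGRAM's [appdefaults]
# block, or "unset" (which these clients treat like false).
appdefault() {
    printf '%s\n' "$KRB5_CONF_SAMPLE" | awk -v prog="$1" -v rel="$2" '
        /^\[/    { insect = ($0 == "[appdefaults]"); next }
        !insect  { next }
        $1 == prog && $2 == "=" && $3 == "{" { inprog = 1; next }
        inprog && $1 == "}"                  { inprog = 0; next }
        inprog && $1 == rel && $2 == "="     { print $3; found = 1; exit }
        END      { if (!found) print "unset" }'
}
# effective_forwarding PROGRAM: the flag (-F, -f or -N) whose behaviour the
# configured defaults give you when none of them is passed on the command line.
effective_forwarding() {
    case "$(appdefault "$1" forward):$(appdefault "$1" forwardable)" in
        true:true) printf '%s\n' -F ;;  # forwarded and re-forwardable downstream
        true:*)    printf '%s\n' -f ;;  # forwarded, not re-forwardable
        *)         printf '%s\n' -N ;;  # not forwarded
    esac
}
# weak_settings PROGRAM: defaults a reviewer would flag, with the override.
weak_settings() {
    [ "$(appdefault "$1" encrypt)" = true ] ||
        echo "$1: not encrypted by default; pass -x or set encrypt = true"
    [ "$(appdefault "$1" forwardable)" != true ] ||
        echo "$1: tickets re-forwardable from the remote host; pass -f or -N"
}
for p in telnet rlogin rsh; do
    echo "$p: without -f/-F/-N, forwarding behaves like $(effective_forwarding "$p")"
    weak_settings "$p"
done
```

To check a real host, replace KRB5_CONF_SAMPLE with the contents of /etc/krb5.conf; the same flags override whatever the script reports.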

Kerberized telnet

Kerberized telnet is deprecated; Fermilab suggests using ssh or slogin instead.
Most servers at Fermilab have logins via telnet disabled as well.

Communicate with another host using the TELNET protocol. Use with a host argument to open a connection to that host.

% telnet [-8] [-E] [-F] [-K] [-L] [-N] [-S <tos>] \
[-X <authtype>] [-a] [-c] [-d] [-e <escapechar>] [-f] \
[-k <REALM>] [-l <user>] [-n <tracefile>] [-r] [-x] \
[<host> [<port>]]

The following are the Kerberos options:

-a
attempts automatic login using your tickets. telnet will assume you want the same login id on the remote host unless you explicitly specify another (using -l).
-f
forwards a copy of your existing tickets to the remote host, but does not mark them as reforwardable from there.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-F
forwards a copy of your existing tickets to the remote host, and marks them as re-forwardable from there.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-k <REALM>
requests tickets in the specified realm, which may be different from the one the system would use by default.
-K
uses your tickets to authenticate to the remote host, but does not log you in; i.e., specifies "no auto-login".
-N
turns off ticket forwarding to the remote system.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-x
(encrypt) turns on encryption.
Use of this option overrides any encryption defaults specified in your machine's configuration files.
-X <authtype>
disables the <authtype> type of authentication.

Example:

Log in to the remote Kerberized machine fsgi03.fnal.gov, assuming your username is different on this machine (-l qsmith), and forward tickets marked as reforwardable from the target machine (-F):

% telnet -F -l qsmith fsgi03.fnal.gov

Kerberized rsh

Kerberized rsh is deprecated; Fermilab suggests using ssh instead.

Connect to a specified host, and execute a specified command on that host.

% rsh <host> [-l <login_name>] [-n] [-d] [-k <REALM>] [-K]\
 [-f | -F] [-N] [-PN | -PO] [-x] [-X] <command>

If <command> is left off, rsh runs rlogin.

The following are the Kerberos options:

-d
turns on socket debugging (via setsockopt(2)) on the TCP sockets used for communication with the remote host.
-f
forwards a copy of your existing tickets to the remote host, but does not mark them as reforwardable from there.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-F
forwards a copy of your existing tickets to the remote host, and marks them as re-forwardable from there.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-k <REALM>
requests tickets in the specified realm, which may be different from the one the system would use by default.
-K
turns off TCP keepalives (via setsockopt(2)) on the TCP socket used for stdin and stdout.
-n
This is not a Kerberos option, but we include it with a usage note. As in non-Kerberized rsh, -n redirects input from the special device /dev/null. If you put a command rsh <host> <command> in the background with &, it will stop because only a foreground process can access the tty for input. If you make it rsh -n <host> <command>, the rsh command does not have the tty open for input at all, so it does not get stopped.
-N
turns off ticket forwarding to the remote system.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-PN or -PO
Explicitly requests New or Old version of the Kerberos "rcmd" protocol. The new protocol avoids many security problems found in the old one, but is not interoperable with older servers. (An "input/output error" and a closed connection is the most likely result of attempting this combination.) If neither option is specified, some simple heuristics are used to guess which to try.
-x
(encrypt) turns ON encryption for the session
Use of this option overrides any encryption defaults specified in your machine's configuration files.
-X
turns OFF encryption of the session.
Use of this option overrides any encryption defaults specified in your machine's configuration files.

Example:

Run the command date on the remote Kerberized machine fsui03.fnal.gov, assuming your username is different on it (-l qsmith). The command doesn't require Kerberos tickets in order to run, nor does it require encryption (-X turns encryption off):

% rsh fsgi03.fnal.gov -l qsmith -X date

Kerberized rlogin

Kerberized rlogin is deprecated; Fermilab suggests using ssh or slogin instead.

Log into a remote host. Kerberos authentication is used in place of the rhosts mechanism to determine whether the user is authorized to use the remote account.

% rlogin <rhost> [-e<c>] [-8] [-c] [-a] [-f] [-F] [-N] \
[-t <termtype>] [-n] [-7] [-noflow] [-d] [-k <REALM>] [-x] \
[-X] [-L] [-PN|-PO] [-4] [-l <username>]

The following are the Kerberos options:

-f
forwards a copy of your existing tickets to the remote host, but does not mark them as reforwardable from there.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-F
forwards a copy of your existing tickets to the remote host, and marks them as re-forwardable from there.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-k <REALM>
requests tickets in the specified realm, which may be different from the one the system would use by default.
-N
turns off ticket forwarding to the remote system.
Use of this option overrides any forwarding defaults specified in your machine's configuration files.
-PN or -PO
Explicitly requests New or Old version of the Kerberos "rcmd" protocol. The new protocol avoids many security problems found in the old one, but is not interoperable with older servers. (An "input/output error" and a closed connection is the most likely result of attempting this combination.) If neither option is specified, some simple heuristics are used to guess which to try.
-x
(encrypt) turns ON encryption for the session
Use of this option overrides any encryption defaults specified in your machine's configuration files.
-X
turns OFF encryption of the session.
Use of this option overrides any encryption defaults specified in your machine's configuration files.
-4
Uses Kerberos v4; default is v5.

Example:

Log into the remote Kerberized machine fsui03.fnal.gov, assuming your username is different on it (-l qsmith), and forward a reforwardable copy of the local Kerberos credentials (-F):

% rlogin fsgi03.fnal.gov -l qsmith -F

Kerberized FTP

Kerberized FTP is deprecated; Fermilab suggests using scp instead.

Transfer files to and from a remote host. FTP prompts the user for a command. Type help to see a list of commands.

% ftp [-v] [-d] [-i] [-n] [-g] [-k <REALM>] [-f] [-x] [-u] [-t]\
 [<host>]

The following are the Kerberos options:

-f
requests that your tickets be forwarded to the remote host.
-k <REALM>
Ignore this option of the ftp client. It has nothing to do with Kerberos v5. It does work for telnet and the r-commands.
-n
makes no auto-login attempt at initial connection, but still performs Kerberos authentication.
protect <level>
(issued at the ftp> prompt) sets the protection level. The level clear is "no protection"; safe ensures data integrity, and private encrypts the data and ensures data integrity.
-u
restrains FTP from attempting auto-authentication; also disables auto-login.

Note: If your local and remote login names don't match, you can enter your login name for the remote system at the prompt that you get after you issue the ftp command.

Examples:

Transfer files from a remote non-Kerberized machine www.xyz.org, assuming your username is different on it:

% ftp www.xyz.org
Connected to xyz.org.
220 ...
500 AUTH not understood.
KERBEROS_V4 rejected as an authentication type
Name (www.xyz.org:aheavey): anneh
331 Password required for anneh.
Password:
230 User anneh logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
-rw-rw-r--   1 batavia  site23       1700 Jan 25 10:52 header_1.GIF
...
ftp> get header_1.GIF
local: header_1.GIF remote: header_1.GIF
200 PORT command successful.
150 Opening BINARY mode data connection for header_1.GIF (1700 bytes).
226 Transfer complete.
1700 bytes received in 0.016 seconds (1e+02 Kbytes/s)
ftp> bye
221 Goodbye.

Transfer files from a remote Kerberized machine abc.minos-soudan.org that runs NFS (you must forward credentials, -f). Assume your username is different on each machine. Set the protection to "private" in order to encrypt the data and ensure data integrity:

% ftp -f abc.minos-soudan.org
Connected to abc.minos-soudan.org.
...
220 abc.minos-soudan.org FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (abc.minos-soudan.org:aheavey): crluser
232 GSSAPI user aheavey@FNAL.GOV is authorized as crluser
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> private
200 Data channel protection level set to private.
ftp> get lmnop.qrs
...
ftp> bye
221 Goodbye.

Kerberized rcp

Kerberized rcp is deprecated; Fermilab suggests using scp instead.

Copy files between machines. Each file or directory argument is either a remote file name of the form remote_host:path or a local file name/path.

% rcp [-p] [-x] [-X] [-k <REALM>] [-D <port>] [-n] [-N] \
 [-c <cache>] [-C <config>] [-PN|-PO] <file1> <file2>

or

% rcp [-p] [-x] [-X] [-k <REALM>] [-r] [-D <port>] [-F] [-N]\
 [-c <cache>] [-C <config>] [-PN|-PO]  <file> ... <directory>

The following are the Kerberos options:

-c <cache>
uses credentials file <cache> instead of the default.
-F
forwards credentials to remote system (This is needed if the other end runs NFS.)
-k <REALM>
requests tickets for the remote host in the specified realm, which may be different from the one the system would use by default.
-N
turns off ticket forwarding to the remote system.
Use of this option overrides any forwarding specified in your machine's configuration files.
-PN or -PO
Explicitly requests New or Old version of the Kerberos "rcmd" protocol. The new protocol avoids many security problems found in the old one, but is not interoperable with older servers. (An "input/output error" and a closed connection is the most likely result of attempting this combination.) If neither option is specified, some simple heuristics are used to guess which to try.
-r
If any of the source files are directories, copy each subtree rooted at that name; in this case the destination must be a directory.
-x
(encrypt) turns on encryption.
-X
turns off encryption of the session.
Use of this option overrides any encryption specified in your machine's configuration files.

Examples:

Copy the local files def.histo and ghi.histo to your home directory on the remote machine jkl.myuniv.edu. Assume the remote machine does not run NFS. Your username is the same on both:

% rcp def.histo ghi.histo jkl.myuniv.edu:

Copy the local directory histo and all subdirectories (-r) to your home directory on the remote machine jkl.myuniv.edu. Assume the remote machine does not run NFS. Your username is the same on both:

% rcp -r /path/to/histo jkl.myuniv.edu:

Copy all the files from the directory /path/to/mno on the remote node pqr.myuniv.edu into the local directory ~stu/vwx (quote the first argument to prevent filename expansion from occurring on the local machine):

% rcp "pqr.myuniv.edu:/path/to/mno/*" ~stu/vwx

Kerberized ssh and slogin

The ssh and slogin commands are intended to replace rsh and rlogin (see sections Kerberized rsh and Kerberized rlogin) and to provide secure encrypted connections between two untrusted hosts over an insecure network. If the <command> argument is left off, ssh runs slogin.

% ssh [-a] [-c idea|blowfish|des|3des|arcfour|none]     \
 [-e <escape_char>] [-i <identity_file>] [-l <login_name>]\
 [-n] [-k] [-V] [-o <option>] [-p <port>] [-q] [-P] [-t] [-v]\
 [-x] [-C] [-g] [-L <port>:<host>:<hostport>] [-R \
 <port>:<host>:<hostport>] <hostname> [<command>]

-c
Specifies the cipher for encrypting the connection; not needed if specified in the configuration file.
-k
Disables forwarding of the Kerberos tickets. This may also be specified on a per-host basis in the configuration file.

Any Kerberos options would be used within -o <ssh-options>.

Examples:

From your local machine, log into the remote node fsgi03.fnal.gov on which your (different) username is qsmith. Respond yes if asked whether you want to continue:

% slogin fsgi03.fnal.gov -l qsmith
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?

From your local machine, run the date command on the remote node fsgi03.fnal.gov, but don't start a session:

% ssh fsgi03.fnal.gov -l qsmith date

Kerberized scp

Copy files between hosts on a network, using ssh for data transfer.

% scp [-a] [-A] [-q] [-Q] [-p] [-r] [-v] [-B] [-C] [-L] [-1] \
 [-S <path_to_ssh>] [-o <ssh-options>] [-P <port>] \
 [-c idea|blowfish|des|3des|arcfour|none] [-i <identity>] \
 [[<user>@]<host1>:]<filename1> ... [[<user>@]<host2>:]<filename2>

Any Kerberos options would be used within -o <ssh-options>.

Example:

Log into a Kerberized machine at Fermilab and pull a file from the remote machine mynode.myuniv.edu to your local Fermilab machine. On the remote node the username is qsmith, and on the local node it's quentins:

% scp qsmith@mynode.myuniv.edu:/home/qsmith/muonrun47.histo \
 ~quentins/geant4/work/muonhistos

Going, Going, Deprecated

Just a reminder that the following Kerberized network programs are deprecated: telnet, ftp, rsh, rlogin, and rcp. Logins via telnet are not enabled on most Fermilab systems.