Network Programs Available on Kerberized Machines

3.0 - Updated on 2021-02-24 by Brittany Bossarte

2.0 - Updated on 2021-02-23 by Carlos Salazar (Inactive)

1.0 - Authored on 2014-05-01 by Fang Wang

Intended for:

Kerberos users and system administrators.

Scenario/Use case:

This article describes the Kerberized features of the network connection programs that are usable with Kerberos v5.

Note that the "Kerberized" versions of telnet, rsh, rlogin, FTP, and rcp are deprecated and have been removed from the MIT Kerberos distribution into a separate package. Similarly, on Linux systems these utilities have been moved into an installation package separate from the basic Kerberos services; see Basic Linux Kerberos Installation. Fermilab recommends using ssh and scp to provide interactive login, remote command execution and file copies across the network.

Instructions:

The Kerberos V5 network programs are versions of existing UNIX network programs with Kerberos features added. We call these versions "Kerberized". They include ssh, slogin and scp, which come with a Kerberized ssh client. These programs have the original features of the corresponding non-Kerberized programs, plus additional features that transparently use your Kerberos tickets to negotiate authentication and optional encryption with the remote host. In most cases, all you'll notice is that you no longer have to type your password, because Kerberos has already proven your identity.

Be aware that, depending on how the network program is configured and whether the target machine is Kerberized, you may be prompted for either your login id or password, both, or neither.

You can check the defaults set for the (non-ssh) programs in the [appdefaults] section of the /etc/krb5.conf file. For ssh configuration, see the ssh man pages. These defaults can be overridden via command line options.

See the man pages for complete information. In this article we list only the command syntax and the Kerberos-added features for these programs.

Kerberized FTP

Kerberized FTP is deprecated; Fermilab suggests using scp instead.

Transfer files to and from a remote host. FTP prompts the user for a command. Type help to see a list of commands.

% ftp [-v] [-d] [-i] [-n] [-g] [-k <REALM>] [-f] [-x] [-u] [-t]\
 [<host>]

The following are the Kerberos options:

-f
requests that your tickets be forwarded to the remote host.
-k <REALM>
Ignore this option of the ftp client. It has nothing to do with Kerberos v5. It does work for telnet and the r-commands.
-n
no auto-login attempt at initial connection, but still does Kerberos authentication.
protect <level>
(issued at the ftp> prompt) sets the protection level. The level clear is "no protection"; safe ensures data integrity, and private encrypts the data and ensures data integrity.
-u
restrains FTP from attempting auto-authentication; also disables auto-login.

Note: If your local and remote login names don't match, you can enter your login name for the remote system at the prompt that you get after you issue the ftp command.

Examples:

Transfer files from a remote non-Kerberized machine www.xyz.org, and assume your username is different on it:

% ftp www.xyz.org
Connected to xyz.org.
220 ...
500 AUTH not understood.
KERBEROS_V4 rejected as an authentication type
Name (www.xyz.org:aheavey): anneh
331 Password required for anneh.
Password:
230 User anneh logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
-rw-rw-r--   1 batavia  site23       1700 Jan 25 10:52 header_1.GIF
...
ftp> get header_1.GIF
local: header_1.GIF remote: header_1.GIF
200 PORT command successful.
150 Opening BINARY mode data connection for header_1.GIF (1700 bytes).
226 Transfer complete.
1700 bytes received in 0.016 seconds (1e+02 Kbytes/s)
ftp> bye
221 Goodbye.

Transfer files from a remote Kerberized machine abc.minos-soudan.org that runs NFS (you must forward credentials, -f). Assume your username is different on each machine. Set the protection to "private" in order to encrypt the data and ensure data integrity:

% ftp -f abc.minos-soudan.org
Connected to abc.minos-soudan.org.
...
220 abc.minos-soudan.org FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (abc.minos-soudan.org:aheavey): crluser
232 GSSAPI user aheavey@FNAL.GOV is authorized as crluser
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> private
200 Data channel protection level set to private.
ftp> get lmnop.qrs
...
ftp> bye
221 Goodbye.
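The two transcripts above differ in exactly the ways an administrator reviewing ftp client logs should care about: whether a reusable password crossed the wire (the 331 reply) or a Kerberos ticket was used (the 232 GSSAPI reply), and whether the data channel was left at the clear default or raised with protect. The following check is an added example, not part of the original article; it classifies a client-side ftp transcript on those two points, using the replies from the sessions above as constructed sample input.

```python
import re

# Constructed sample input: server replies from the two ftp sessions in
# this article, trimmed to the lines that decide authentication and
# data-channel protection.
SESSION_PLAIN = """\
500 AUTH not understood.
KERBEROS_V4 rejected as an authentication type
Name (www.xyz.org:aheavey): anneh
331 Password required for anneh.
230 User anneh logged in.
ftp> get header_1.GIF
226 Transfer complete.
"""

SESSION_GSSAPI = """\
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI authentication succeeded
232 GSSAPI user aheavey@FNAL.GOV is authorized as crluser
ftp> private
200 Data channel protection level set to private.
ftp> get lmnop.qrs
"""

PROT_RE = re.compile(r"^200 Data channel protection level set to (\w+)")

def assess_ftp_session(transcript):
    """Return how the session authenticated, the data-channel protection
    level in force, and a list of findings worth flagging."""
    auth, level, transfers = "none", "clear", 0   # ftp defaults
    for line in transcript.splitlines():
        if line.startswith("331 "):
            auth = "password"        # reusable password crossed the wire
        elif line.startswith("232 ") and "GSSAPI" in line:
            auth = "gssapi"          # Kerberos ticket, no password sent
        elif PROT_RE.match(line):
            level = PROT_RE.match(line).group(1)
        elif line.startswith(("ftp> get", "ftp> put")):
            transfers += 1           # data moved under the current level
    findings = []
    if auth == "password":
        findings.append("login used a cleartext password")
    if transfers and level == "clear":
        findings.append("file data sent without integrity or encryption")
    elif transfers and level == "safe":
        findings.append("file data integrity-protected but not encrypted")
    return {"auth": auth, "level": level, "transfers": transfers,
            "findings": findings}
```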


Kerberized ssh and slogin

The ssh and slogin commands are intended to replace rsh and rlogin (see sections Kerberized rsh and Kerberized rlogin) and to provide secure encrypted connections between two untrusted hosts over an insecure network. If the <command> argument is left off, ssh runs slogin.

% ssh [-a] [-c idea|blowfish|des|3des|arcfour|none]     \
 [-e <escape_char>] [-i <identity_file>] [-l <login_name>]\
 [-n] [-k] [-V] [-o <option>] [-p <port>] [-q] [-P] [-t] [-v]\
 [-x] [-C] [-g] [-L <port>:<host>:<hostport>] [-R \
 <port>:<host>:<hostport>] <hostname> [<command>]
-c
Specifies the cipher for encrypting the connection; not needed if specified in the configuration file.
-k
Disables forwarding of the Kerberos tickets. This may also be specified on a per-host basis in the configuration file.

Any other Kerberos options are passed within -o <ssh-options>.

Examples:

From your local machine, log into the remote node fsgi03.fnal.gov on which your (different) username is qsmith. Respond yes if asked if you want to continue:

% slogin fsgi03.fnal.gov -l qsmith
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?

From your local machine, run the date command on the remote node fsgi03.fnal.gov, but don't start a session:

% ssh fsgi03.fnal.gov -l qsmith date


Kerberized scp

Copy files between hosts on a network, using ssh for data transfer.

% scp [-a] [-A] [-q] [-Q] [-p] [-r] [-v] [-B] [-C] [-L] [-1] \
 [-S <path_to_ssh>] [-o <ssh-options>] [-P <port>] \
 [-c idea|blowfish|des|3des|arcfour|none] [-i <identity>] \
 [[user@]host1:]filename1 ... [[user@]host2:]filename2

Any Kerberos options are passed within -o <ssh-options>.

Example:

Log into a Kerberized machine at Fermilab, and pull files from a remote machine, mynode.myuniv.edu. On the remote node the username is qsmith, and on the local node, it's quentins. The user wants to pull a file from mynode.myuniv.edu to his local Fermilab machine:

% scp qsmith@mynode.myuniv.edu:/home/qsmith/muonrun47.histo \
 ~quentins/geant4/work/muonhistos


Going, Going, Deprecated

Just a reminder that the following Kerberized network programs are deprecated: telnet, ftp, rsh, rlogin, and rcp. Logins via telnet are not enabled on most Fermilab systems.
