Kerberos for HP OpenVMS Version 2.0
Installation Guide and Release Notes
September 2003

Contents:
  Prerequisites
  Documentation
  Downloading the Kit
  Expanding the Kit
  Installing Kerberos on OpenVMS 7.3-2
  Installing Kerberos on OpenVMS 7.3-1
  Installing Kerberos on OpenVMS 7.3 and 7.2-2
  Configuring Kerberos
  Configuring TCP/IP services for OpenVMS Telnet with Kerberos
  Release Notes

-------------------------------------------------------------

Kerberos Version 2.0 for HP OpenVMS is based on MIT Kerberos V5 Release 1.2.6. Version 2.0 runs on OpenVMS Alpha Version 7.2-2 and higher, and OpenVMS VAX Version 7.3.

For the latest information about Kerberos for OpenVMS, see the Kerberos for OpenVMS web site at:
http://h71000.www7.hp.com/openvms/products/kerberos/

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos was created by the Massachusetts Institute of Technology as a solution for network security. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity.

Kerberos is freely available from MIT, under a copyright permission notice. Kerberos for HP OpenVMS is supplied by Hewlett-Packard Corporation under the terms of the license from the Massachusetts Institute of Technology. For more information on the Kerberos license, please see http://web.mit.edu/kerberos/www/.
Prerequisites
-------------------------------------------------------------

Operating System
  HP OpenVMS Alpha Version 7.2-2 or higher, or HP OpenVMS VAX Version 7.3

TCP/IP Transport
  HP TCP/IP Services for OpenVMS Version 5.3 or higher

Note: If you are running a third-party TCP/IP network product such as MultiNet or TCPware from Process Software Corporation, contact your provider regarding running Kerberos Version 2.0 with their TCP/IP network product.

Documentation
-------------------------------------------------------------

See the Kerberos for OpenVMS documentation page at http://h71000.www7.hp.com/openvms/products/kerberos/kerberos_doc.html for the latest Kerberos documentation from MIT and HP.

The following MIT documentation is included in the Kerberos for OpenVMS kit in the KRB$ROOT:[DOC] directory. The MIT documentation is not specific to OpenVMS.

  Kerberos V5 Application Programming Library (LIBRARY.PDF)
  Kerberos V5 Implementer's Guide (IMPLEMENT.PDF)
  Kerberos V5 Installation Guide (INSTALL-GUIDE.PS)
  Kerberos V5 System Administrator's Guide (ADMIN-GUIDE.PS)
  Kerberos V5 UNIX User's Guide (USER-GUIDE.PS)
  Upgrading to Kerberos V5 from Kerberos V4 (KRB425-GUIDE.PS)

General information about Kerberos is available at http://web.mit.edu/kerberos/www/.

Downloading the Kit
-------------------------------------------------------------

Kerberos Version 2.0 is included in the OpenVMS V7.3-2 operating system distribution media. The Kerberos for OpenVMS kit is also available for download as a compressed self-extracting file. If you are running OpenVMS Version 7.3-1, 7.3, or 7.2-2, you can download and install Kerberos Version 2.0.
Please fill out and submit the Kerberos for HP OpenVMS registration form to download the kit from http://h71000.www7.hp.com/openvms/products/kerberos/kerberos_register.html

Expanding the Kit
-------------------------------------------------------------

After you download the Kerberos for HP OpenVMS kit, expand the self-extracting file by entering the following command:

  $ RUN HP-AXPVMS-KERBEROS-V0200-6-1.PCSI-DCX_AXPEXE

At the "Decompress into (file specification):" prompt, press Return. The system expands the file and names the decompressed file HP-AXPVMS-KERBEROS-V0200-6-1.PCSI. Do not rename this file.

Installing Kerberos on OpenVMS Version 7.3-2
-------------------------------------------------------------

Kerberos Version 2.0 is automatically installed during installation of OpenVMS Version 7.3-2 or during an upgrade from a previous version of OpenVMS to Version 7.3-2. If you have not previously configured an earlier version of Kerberos on your system, you must run the configuration program before starting Kerberos. Once you have a valid configuration, start Kerberos with the following command:

  $ @SYS$STARTUP:KRB$STARTUP

Installing Kerberos on OpenVMS Version 7.3-1
-------------------------------------------------------------

To install Kerberos Version 2.0 on OpenVMS Version 7.3-1, perform the following steps:

1. Shut down Kerberos Version 1.0 by executing SYS$STARTUP:KRB$SHUTDOWN.COM. (Kerberos Version 1.0 was installed by default when you installed OpenVMS Version 7.3-1.)
2. Create a temporary directory to hold the upgrade command procedure and kit contents.
3. Set default to the temporary directory.
4. Download OVERLAY_KRB5KIT.COM from the Kerberos for OpenVMS website at http://h71000.www7.hp.com/openvms/products/kerberos/. Do not install the OVERLAY_KRB5KIT.COM that is packaged with the Kerberos Version 2.0 kit.
5. Install the Kerberos Version 2.0 kit by executing OVERLAY_KRB5KIT.COM.
6. Execute KRB$CONFIGURE.COM, if Kerberos Version 1.0 was not previously configured.
7. Start Kerberos by executing SYS$STARTUP:KRB$STARTUP.COM.

Example of Installation Log on OpenVMS Version 7.3-1

  Username: system
  Password:
  Last interactive login on Tuesday, September 2, 2003 11:32 AM
  Last non-interactive login on Wednesday, September 3, 2003 03:45 PM
  $ @SYS$STARTUP:KRB$SHUTDOWN
  $ CREATE/DIRECTORY [.OVERLAY]
  $ SET DEFAULT [.OVERLAY]
  $ @OVERLAY_KRB5KIT
  ======================================================
  Installing an overlay of HP-AXPVMS-KERBEROS-V2.0
  %DELETE-W-SEARCHFAIL, error searching for SYS$COMMON:[SYSLIB]KRB$RTL32.EXE;*
  -RMS-E-FNF, file not found
  .
  .
  .
  %CREATE-I-EXISTS, SYS$COMMON:[SYSHLP.EXAMPLES.KRB] already exists
  The following product has been selected:
      HP AXPVMS KERBEROS V2.0                Layered Product
  Portion done: 0%...100%
  OVERLAY of Kerberos V2.0 on top of VMS 7.3-1 is complete.
  $ LOGOUT
    SYSTEM       logged out at September 6, 2003 03:15 PM

Installing Kerberos on OpenVMS Version 7.3 and 7.2-2
-------------------------------------------------------------

To install Kerberos Version 2.0 on OpenVMS Version 7.3 or 7.2-2, perform the following steps:

1. Shut down Kerberos Version 1.0, if it was previously installed, by executing SYS$STARTUP:KRB$SHUTDOWN.COM.
2. Remove Kerberos Version 1.0, if it was previously installed, by entering the PRODUCT REMOVE KERBEROS command. (Do not remove the Kerberos data and directories if you want to preserve your Kerberos V1 configuration.)
3. Install the Kerberos Version 2.0 kit by entering PRODUCT INSTALL KERBEROS.
4. Add @SYS$STARTUP:KRB$SYMBOLS to SYS$MANAGER:SYLOGIN.COM, if Kerberos Version 1.0 was not previously installed and configured.
5. Execute KRB$CONFIGURE.COM, if Kerberos Version 1.0 was not previously installed and configured.
6. Start Kerberos by executing SYS$STARTUP:KRB$STARTUP.COM.
Example of Installation Log on OpenVMS Version 7.2-2

  Username: system
  Password:
  Last interactive login on Tuesday, September 2, 2003 11:12 AM
  Last non-interactive login on Wednesday, September 3, 2003 02:30 PM
  $ @SYS$STARTUP:KRB$SHUTDOWN
  $ PRODUCT REMOVE KERBEROS
  The following product has been selected:
      CPQ ALPVMS KERBEROS V1.0               Layered Product
  Do you want to continue? [YES]
  The following product will be removed from destination:
      CPQ ALPVMS KERBEROS V1.0               DISK$TUTU_SYS:[VMS$COMMON.]
  Portion done: 0%...10%
  Remove OpenVMS Kerberos 5 V1.0 data & directories ? [ Y ]: n
  ...30%...40%...50%...60%...70%...80%...90%...100%
  The following product has been removed:
      CPQ ALPVMS KERBEROS V1.0               Layered Products

The next step is to install the new Kerberos V2.0 kit:

  $ PRODUCT INSTALL KERBEROS
  The following product has been selected:
      HP AXPVMS KERBEROS V2.0                Layered Product
  Do you want to continue? [YES]
  Configuration phase starting ...
  You will be asked to choose options, if any, for each selected product and for
  any products that may be installed to satisfy software dependency requirements.
  HP AXPVMS KERBEROS V2.0
  Do you want the defaults for all options? [YES]
  Do you want to review the options? [NO]
  Execution phase starting ...
  The following product will be installed to destination:
      HP AXPVMS KERBEROS V2.0                DISK$TUTU_SYS:[VMS$COMMON.]
  Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
  The following product has been installed:
      HP AXPVMS KERBEROS V2.0                Layered Product
  HP AXPVMS KERBEROS V2.0
      Configure the OpenVMS Kerberos clients & servers
      Please take the time to run the following command after the installation:
          @SYS$STARTUP:KRB$CONFIGURE.COM
      The Kerberos 5 V2.0 documentation has been provided as it was received
      from MIT. This documentation may differ slightly from the OpenVMS Kerberos
      implementation as it describes the Kerberos implementation in a Unix
      environment.
      The documents are:
          KRB$ROOT:[DOC]IMPLEMENT.PDF
          KRB$ROOT:[DOC]LIBRARY.PDF
          KRB$ROOT:[DOC]ADMIN-GUIDE.PS
          KRB$ROOT:[DOC]INSTALL-GUIDE.PS
          KRB$ROOT:[DOC]KRB425-GUIDE.PS
          KRB$ROOT:[DOC]USER-GUIDE.PS
  $ LOGOUT
    SYSTEM       logged out at September 6, 2003 11:15 AM

Configuring Kerberos
-------------------------------------------------------------

After you have installed Kerberos (either through the OpenVMS installation or upgrade procedure, or by installing the downloadable PCSI kit), configure Kerberos if you have not previously done so. To configure Kerberos, perform the following steps from a privileged OpenVMS username (for example, SYSTEM).

1. Insert the following line into SYS$MANAGER:SYSTARTUP_VMS.COM. This line must be entered after the startup command for HP TCP/IP Services for OpenVMS. (If you start TCP/IP Services for OpenVMS as a batch job, be sure that TCP/IP has started before you start Kerberos.)

     $ @SYS$STARTUP:KRB$STARTUP

2. Add the following line to your SYLOGIN command procedure, or into the LOGIN.COM of each user who will use Kerberos.

     $ @SYS$MANAGER:KRB$SYMBOLS

3. Run the following command procedure to configure the Kerberos clients and servers.

     $ @SYS$STARTUP:KRB$CONFIGURE

Example of Configuration Log on OpenVMS Version 7.3-2

  $ @SYS$STARTUP:KRB$CONFIGURE

          Kerberos V2.0 for OpenVMS Configuration Menu

          Configuration options:

                 1  -  Setup Client configuration
                 2  -  Edit Client configuration
                 3  -  Setup Server configuration
                 4  -  Edit Server configuration
                 5  -  Shutdown Servers
                 6  -  Startup Servers
                 E  -  Exit configuration procedure

  Enter Option: 1

  Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
  What is the OpenVMS Kerberos 5 default domain [ zko.dec.com ]:
  What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.DEC.COM ]:

  Press Return to continue ...
          Kerberos V2.0 for OpenVMS Configuration Menu

          Configuration options:

                 1  -  Setup Client configuration
                 2  -  Edit Client configuration
                 3  -  Setup Server configuration
                 4  -  Edit Server configuration
                 5  -  Shutdown Servers
                 6  -  Startup Servers
                 E  -  Exit configuration procedure

  Enter Option: 3

  Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
  What is the OpenVMS Kerberos 5 default domain [ zko.dec.com ]:
  What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.DEC.COM ]:

  The type of roles the KDC can perform are:

      NO_KDC      -- where the KDC will not be run
      SINGLE_KDC  -- where the KDC is the only one in the realm
      MASTER_KDC  -- where the KDC is the master of 1 or more other KDCs
      SLAVE_KDC   -- where the KDC is slave to another KDC

  What will be the KDC's role on this node [ SINGLE_KDC ]:
  Create the OpenVMS Kerberos 5 database [ Y ]:
  Creating OpenVMS Kerberos 5 database ...
  Initializing database 'krb$root:[krb5kdc]principal' for realm 'SYSTEM.DEC.COM',
  master key name 'K/M@SYSTEM.DEC.COM'
  You will be prompted for the database Master Password.
  It is important that you NOT FORGET this password.
  Enter KDC database master key:
  Re-enter KDC database master key to verify:
  Priority: info
  No dictionary file specified, continuing without one.
  Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:
  Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
  Enter password for principal "SYSTEM/admin@SYSTEM.DEC.COM":
  Re-enter password for principal "SYSTEM/admin@SYSTEM.DEC.COM":
  Principal "SYSTEM/admin@SYSTEM.DEC.COM" created.
  Priority: info
  No dictionary file specified, continuing without one.
  WARNING: no policy specified for SYSTEM/admin@SYSTEM.DEC.COM; defaulting to no policy
  Create OpenVMS Kerberos 5 principals [ Y ]: n
  Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
  Priority: info
  No dictionary file specified, continuing without one.
  KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
  KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
  Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
  Priority: info
  No dictionary file specified, continuing without one.
  KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
  KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

  Press Return to continue ...

          Kerberos V2.0 for OpenVMS Configuration Menu

          Configuration options:

                 1  -  Setup Client configuration
                 2  -  Edit Client configuration
                 3  -  Setup Server configuration
                 4  -  Edit Server configuration
                 5  -  Shutdown Servers
                 6  -  Startup Servers
                 E  -  Exit configuration procedure

  Enter Option: 6

  Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
  Starting OpenVMS Kerberos server KRB$KRB5KDC ...
  %RUN-S-PROC_ID, identification of created process is 00000060
  Starting OpenVMS Kerberos server KRB$KADMIND ...
  %RUN-S-PROC_ID, identification of created process is 00000061

  Press Return to continue ...

          Kerberos V2.0 for OpenVMS Configuration Menu

          Configuration options:

                 1  -  Setup Client configuration
                 2  -  Edit Client configuration
                 3  -  Setup Server configuration
                 4  -  Edit Server configuration
                 5  -  Shutdown Servers
                 6  -  Startup Servers
                 E  -  Exit configuration procedure

  Enter Option: E

Configuring HP TCP/IP Services for OpenVMS Telnet with Kerberos
----------------------------------------------------------------

Using Kerberos with HP TCP/IP Services for OpenVMS, you can secure your Telnet connections between OpenVMS systems.
If you have not already done so, download the Kerberized Telnet client (TCPIP$TELNET.EXE) and server (TCPIP$TELNET_SERVER.EXE) kits from http://h71000.www7.hp.com/openvms/products/kerberos_downtelnet.html.

Important: Copy TCPIP$TELNET.EXE and TCPIP$TELNET_SERVER.EXE to SYS$COMMON:[SYSEXE]. You do not need to run these files directly. They are executed when you first run Telnet after following the instructions below.

To "Kerberize" your Telnet connections, perform the following steps.

1. Install and configure HP TCP/IP Services for OpenVMS Version 5.3 or higher.

2. Install and configure Kerberos for OpenVMS. If you have installed OpenVMS Version 7.3-1 or higher, Kerberos is part of the OpenVMS installation procedure. If you have an earlier version of OpenVMS installed, you can download the Kerberos for OpenVMS PCSI kit from the Kerberos web site at http://h71000.www7.hp.com/openvms/products/kerberos/

3. Shut down Kerberos, if it is running, by entering the following command:

     $ @SYS$STARTUP:KRB$SHUTDOWN

4. Configure HP TCP/IP Services for OpenVMS by entering the following command:

     $ @SYS$STARTUP:TCPIP$CONFIG

5. Select #2, Client components, from the TCP/IP Configuration Menu:

          TCP/IP Services for OpenVMS Configuration Menu

          Configuration options:

                 1  -  Core environment
                 2  -  Client components
                 3  -  Server components
                 4  -  Optional components
                 5  -  Shutdown HP TCP/IP Services for OpenVMS
                 6  -  Startup HP TCP/IP Services for OpenVMS
                 7  -  Run tests
                 A  -  Configure options 1 - 4
                [E] -  Exit configuration procedure

     Enter configuration option: 2

6. Select #6, Telnet, from the TCP/IP Configuration Menu:

          TCP/IP Services for OpenVMS Client Components Configuration Menu

          Configuration options:

                 1  -  FTP             Enabled   Stopped
                 2  -  NFS Client      Disabled  Stopped
                 3  -  REXEC and RSH   Enabled   Stopped
                 4  -  RLOGIN          Enabled   Stopped
                 5  -  SMTP            Disabled  Stopped
                 6  -  TELNET          Enabled   Stopped
                 7  -  DHCP            Disabled  Stopped
                 8  -  Telnetsym       Disabled  Stopped
                 A  -  Configure options 1 - 8
                [E] -  Exit menu

     Enter configuration option: 6

7. Select #3, Disable & Stop service on this node, from the TCP/IP Configuration Menu:

          TELNET configuration options:

                 1  -  Disable service on this node
                 2  -  Stop service on this node
                 3  -  Disable & Stop service on this node
                [E] -  Exit TELNET configuration

     Enter configuration option: 3

8. Select #1, Enable service on this node, from the TCP/IP Configuration Menu:

          TELNET configuration options:

                 1  -  Enable service on this node
                 2  -  Enable & Start service on this node
                [E] -  Exit TELNET configuration

     Enter configuration option: 1

9. Select [E], Exit menu, from the TCP/IP Configuration Menu:

          Configuration options:

                 1  -  FTP             Enabled   Started
                 2  -  NFS Client      Disabled  Stopped
                 3  -  REXEC and RSH   Enabled   Started
                 4  -  RLOGIN          Enabled   Started
                 5  -  SMTP            Disabled  Stopped
                 6  -  TELNET          Enabled   Stopped
                 7  -  DHCP            Disabled  Stopped
                 8  -  Telnetsym       Disabled  Stopped
                 A  -  Configure options 1 - 8
                [E] -  Exit menu

     Enter configuration option: E

10. Select #4, Optional components, from the TCP/IP Configuration Menu:

          TCP/IP Services for OpenVMS Configuration Menu

          Configuration options:

                 1  -  Core environment
                 2  -  Client components
                 3  -  Server components
                 4  -  Optional components
                 5  -  Shutdown HP TCP/IP Services for OpenVMS
                 6  -  Startup HP TCP/IP Services for OpenVMS
                 7  -  Run tests
                 A  -  Configure options 1 - 4
                [E] -  Exit configuration procedure

     Enter configuration option: 4

11. Select #4, Configure Kerberos Applications, from the TCP/IP Configuration Menu:

          TCP/IP Services for OpenVMS Optional Components Configuration Menu

          Configuration options:

                 1  -  Configure PWIP Driver (for DECnet-Plus and PATHWORKS)
                 2  -  Configure SRI QIO Interface (INET Driver)
                 3  -  Set up Anonymous FTP Account and Directories
                 4  -  Configure Kerberos Applications
                 A  -  Configure options 1 - 4
                [E] -  Exit menu

     Enter configuration option: 4

12. Select #1, Add Kerberos for Telnet server, from the TCP/IP Configuration Menu:

          Kerberos Applications Configuration Menu

          TELNET Kerberos is defined in the TCPIP$SERVICE database.
          Configuration options:

                 1  -  Add Kerberos for TELNET server
                 2  -  Remove Kerberos for TELNET server
                [E] -  Exit menu

     Enter configuration option: 1

13. Select Exit three times to exit from each submenu of the TCP/IP Configuration Menu.

14. When the system asks if you want to start Telnet now, answer NO.

     The following services are enabled but not started:
        TELNET

     Start these services now? [N] NO

     You may start services individually with:
        @SYS$STARTUP:TCPIP$_STARTUP.COM

15. Manually start Telnet by entering the following command:

     $ @SYS$STARTUP:TCPIP$TELNET_STARTUP.COM
     %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET_SERVER.EXE installed
     %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$TELNET.EXE installed
     %TCPIP-I-INFO, logical names created
     %TCPIP-I-INFO, telnet service enabled
     %TCPIP-I-INFO, telnet (kerberos) service enabled
     %TCPIP-S-STARTDONE, TCPIP$TELNET startup completed

16. Start Kerberos by entering the following command:

     $ @SYS$STARTUP:KRB$STARTUP

17. Verify that the Kerberos Telnet (KTELNET) service is enabled by entering the following command:

     $ TCPIP SHOW SERV

     Service             Port  Proto    Process          Address    State

     FTP                   21  TCP      TCPIP$FTP        0.0.0.0    Enabled
     KTELNET             2323  TCP      TCPIP$TELNET     0.0.0.0    Enabled
     REXEC                512  TCP      TCPIP$REXEC      0.0.0.0    Enabled
     RLOGIN               513  TCP      not defined      0.0.0.0    Enabled
     RSH                  514  TCP      TCPIP$RSH        0.0.0.0    Enabled
     TELNET                23  TCP      not defined      0.0.0.0    Enabled

18. Determine the TCP/IP host address for your node by entering the following command, where node1 is the node on which you want to run Telnet:

     $ TCPIP SHOW HOST NODE1

          LOCAL database

     Host address    Host name

     1.2.3.4         node1, NODE1

19. Remove the host entry from the TCP/IP database using the TCP/IP host address, as follows:

     $ TCPIP SET NOHOST 1.2.3.4

          LOCAL database

     Host address    Host name

     1.2.3.4         node1, NODE1      Remove? [N]: Y

20. Define the fully qualified host name (for example, node1.x.y.com) in lowercase within quotes. Then define an uppercase alias for the same hostname.
    Enter commands similar to the following:

     $ TCPIP SET HOST "node1.x.y.com"/addr=1.2.3.4
     $ TCPIP SET HOST node1.x.y.com/alias="NODE1.X.Y.COM"
     $ TCPIP SHOW HOST node1

          LOCAL database

     Host address    Host name

     1.2.3.4         node1.x.y.com, NODE1.X.Y.COM

21. An OpenVMS account and a corresponding Kerberos principal are required to use Kerberos Telnet. For each user, create a Kerberos principal that exactly matches (including case) its OpenVMS account name. Passwords do not need to match. You can use either DCL or UNIX-style commands to create the principal. The first example below shows the DCL commands. The second example shows the UNIX-style commands.

    DCL:

     $ KERBEROS/ADMIN
     KerberosAdmin> login "SYSTEM/admin"
     Enter password:
     KerberosAdmin> list principal
     K/M@NODE1.Y.COM
     kadmin/history@NODE1.Y.COM
     SYSTEM/admin@NODE1.Y.COM
     krbtgt/NODE1.Y.COM@NODE1.Y.COM
     KRBTSTADM/admin@NODE1.Y.COM
     KerberosAdmin> create principal "USER1"
     Enter password for principal "USER1@NODE1.Y.COM":
     Re-enter password for principal "USER1@NODE1.Y.COM":
     Principal "USER1@NODE1.Y.COM" created.
     KerberosAdmin> list principal
     K/M@NODE1.Y.COM
     kadmin/history@NODE1.Y.COM
     SYSTEM/admin@NODE1.Y.COM
     USER1@NODE1.Y.COM
     krbtgt/NODE1.Y.COM@NODE1.Y.COM
     KRBTSTADM/admin@NODE1.Y.COM
     kadmin/admin@NODE1.Y.COM
     kadmin/changepw@NODE1.Y.COM

    UNIX:

     $ kinit "SYSTEM/admin"
     Password for SYSTEM/admin@NODE1.Y.COM:
     $ kadmin
     Enter password:
     KADMIN: listprincs
     K/M@NODE1.Y.COM
     kadmin/history@NODE1.Y.COM
     SYSTEM/admin@NODE1.Y.COM
     krbtgt/NODE1.Y.COM@NODE1.Y.COM
     KRBTSTADM/admin@NODE1.Y.COM
     KADMIN: addprinc "USER1"
     Enter password for principal "USER1@NODE1.Y.COM":
     Re-enter password for principal "USER1@NODE1.Y.COM":
     Principal "USER1@NODE1.Y.COM" created.
     KADMIN: listprincs
     K/M@NODE1.Y.COM
     kadmin/history@NODE1.Y.COM
     SYSTEM/admin@NODE1.Y.COM
     USER1@NODE1.Y.COM
     krbtgt/NODE1.Y.COM@NODE1.Y.COM
     KRBTSTADM/admin@NODE1.Y.COM
     kadmin/admin@NODE1.Y.COM
     kadmin/changepw@NODE1.Y.COM

22. Create Kerberos host and Telnet principals.
    The Telnet principal is only needed in cases where that node is a Telnet server. Otherwise, only the host principal is needed (if the node is acting as a client). You can use either DCL or UNIX-style commands to create the host and Telnet principals. The first example below shows the DCL commands. The second example shows the UNIX-style commands.

    DCL:

     KerberosAdmin> create principal/random "host/node1.x.y.com@NODE1.Y.COM"
     Principal "host/node1.x.y.com@NODE1.Y.COM" created.
     KerberosAdmin> create principal/random "telnet/node1.x.y.com@NODE1.Y.COM"
     Principal "telnet/node1.x.y.com@NODE1.Y.COM" created.
     KerberosAdmin> list principal
     kadmin/history@NODE1.Y.COM
     USER1@NODE1.Y.COM
     krbtgt/NODE1.Y.COM@NODE1.Y.COM
     KRBTSTADM/admin@NODE1.Y.COM
     kadmin/admin@NODE1.Y.COM
     kadmin/changepw@NODE1.Y.COM
     host/node1.x.y.com@NODE1.Y.COM
     telnet/node1.x.y.com@NODE1.Y.COM
     KerberosAdmin> create keytab "host/node1.x.y.com@NODE1.Y.COM"
     Entry for principal host/node1.x.y.com@NODE1.Y.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE=krb$root:[etc]krb5.keytab.
     KerberosAdmin> create keytab "telnet/node1.x.y.com@NODE1.Y.COM"
     Entry for principal telnet/node1.x.y.com@NODE1.Y.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE=krb$root:[etc]krb5.keytab.
     KerberosAdmin> list keytab
     host/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: DES-CBC-CRC)
     telnet/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: DES-CBC-CRC)
     KerberosAdmin> exit
     $

    UNIX:

     KADMIN: addprinc -randkey "host/node1.x.y.com@NODE1.Y.COM"
     Principal "host/node1.x.y.com@NODE1.Y.COM" created.
     KADMIN: addprinc -randkey "telnet/node1.x.y.com@NODE1.Y.COM"
     Principal "telnet/node1.x.y.com@NODE1.Y.COM" created.
     KADMIN: listprincs
     K/M@NODE1.Y.COM
     kadmin/history@NODE1.Y.COM
     SYSTEM/admin@NODE1.Y.COM
     USER1@NODE1.Y.COM
     krbtgt/NODE1.Y.COM@NODE1.Y.COM
     KRBTSTADM/admin@NODE1.Y.COM
     kadmin/admin@NODE1.Y.COM
     kadmin/changepw@NODE1.Y.COM
     host/node1.x.y.com@NODE1.Y.COM
     telnet/node1.x.y.com@NODE1.Y.COM
     KADMIN: ktadd "host/node1.x.y.com@NODE1.Y.COM"
     KADMIN: ktadd "telnet/node1.x.y.com@NODE1.Y.COM"
     KADMIN: ktlist
     host/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: DES-CBC-CRC)
     telnet/node1.x.y.com@NODE1.Y.COM (kvno: 3, etype: DES-CBC-CRC)
     KADMIN: exit
     $

23. Set up the Kerberos symbols, if you have not already done so. Add the following command to the SYS$MANAGER:SYLOGIN.COM file.

     $ @SYS$MANAGER:KRB$SYMBOLS

The following steps should be performed by each user who will use Kerberos Telnet.

1. Log into the OpenVMS system.

     Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3-2

     Username: user1
     Password:

2. Perform a kinit with the principal name that matches the OpenVMS username. To do so, enter the following command at the DCL prompt each time you start a Kerberized application, such as HP TCP/IP Services for OpenVMS Telnet. You are then prompted for the password associated with the principal. (The -f denotes forwardable credentials.)

     $ kinit -f user1
     password for user1@node1.y.com

3. Enter the TELNET/AUTH command specifying Kerberos port 2323 to start the TELNET session, as follows:

     $ TELNET/AUTH NODE1 2323
     TELNET-I-TRYING, Trying ... 1.2.3.4
     %TELNET-I-SESSION, Session 01, host node1, port 2323
     -TELNET-I-ESCAPE, Escape character is ^]
     [ Kerberos V5 accepts you as ``user1.NODE1.Y.COM'' ]
     $

4. Optionally, enter the TELNET/AUTH/FORW command specifying Kerberos port 2323 to forward credentials. (Note: Forwarding credentials to non-OpenVMS servers works properly, but there is currently a problem in forwarding credentials to OpenVMS servers. This will be corrected in a future HP TCP/IP Services for OpenVMS ECO kit.)

     $ TELNET/AUTH/FORW NODE1 2323
     TELNET-I-TRYING, Trying ... 1.2.3.4
     %TELNET-I-SESSION, Session 01, host node1, port 2323
     -TELNET-I-ESCAPE, Escape character is ^]
     [Kerberos V5 accepts you as ``user1@NODE1.DEC.COM'' ]
     [ Kerberos V5 refuses authentication ]

Release Notes
-------------------------------------------------------------

- OVERLAY_KRB5KIT.COM file available (OpenVMS Version 7.3-1 only)

  If you plan to install Kerberos Version 2.0 for OpenVMS on OpenVMS Alpha Version 7.3-1, download the OVERLAY_KRB5KIT.COM. Executing this file installs Kerberos on your OpenVMS Alpha Version 7.3-1 system.

  For our DCE customers, OpenVMS recommends that if you have the DCE_030_SSRT3608 Version 1.0 patch kit installed on your Version 7.3-1 system, you should install the VMS731_PCSI-V0200 patch kit available from ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-1/VMS731_PCSI-V0200.PCSI-DCX_AXPEXE before you run OVERLAY_KRB5KIT.COM.

  If you have already installed Kerberos Version 2.0 on OpenVMS Alpha Version 7.3-1, be aware of the following issues. (Upgrading to OpenVMS Version 7.3-2 installs Kerberos Version 2.0 automatically and avoids these problems.)

  The newer OVERLAY_KRB5KIT.COM, updated on September 10, 2003, corrects the following problems in the OVERLAY_KRB5KIT.COM that is packaged with the Version 2.0 kit.

  o DCLTABLES image was installed in SYS$SPECIFIC:[SYSLIB]

    The newer OVERLAY_KRB5KIT.COM creates the new DCLTABLES image in SYS$COMMON:[SYSLIB]. The OVERLAY_KRB5KIT.COM from the Version 2.0 kit installed DCLTABLES in SYS$SPECIFIC:[SYSLIB], which can cause an installation problem (described in the next paragraph).

    The newer OVERLAY_KRB5KIT.COM also preserves the existing file protections on DCLTABLES. In the original OVERLAY_KRB5KIT.COM, if the standard default protection for DCLTABLES was in effect (WORLD=NO ACCESS), unprivileged users could not log in. If the protection in effect allows access and you subsequently installed and removed other products, different tables may be located on different nodes in the cluster. Restoring a common table can be difficult.

  o All files in the temporary directory were deleted when the installation completed

    The newer OVERLAY_KRB5KIT.COM no longer automatically deletes the files from the temporary directory you set up to install Kerberos. The Installation Guide instructs you to create a temporary directory for OVERLAY_KRB5KIT.COM. However, if you use the original OVERLAY_KRB5KIT.COM and you do not set up a temporary directory, be aware that all files in the directory you use are deleted when the installation completes. (If you want the newer OVERLAY_KRB5KIT.COM to delete all of the files in your temporary directory, uncomment the CLEAN_UP call in the command file or simply delete the files yourself.)

  o Files copied into SYS$SYSTEM and SYS$MANAGER were assigned the default directory and file protections of the user account running OVERLAY_KRB5KIT.COM

    If the user's default directory and file protections did not specify at least W:RE, then the Kerberos files were copied into their respective locations with no world access. This would prevent unprivileged users from using the Kerberos tools and libraries. The newer OVERLAY_KRB5KIT.COM procedure correctly uses COPY/PROTECTION=(W:RE) when copying files into SYS$SYSTEM and SYS$MANAGER.

    If you installed Kerberos on OpenVMS Alpha Version 7.3-1 using the original OVERLAY_KRB5KIT.COM included with the Version 2.0 kit, change the protection on the following Kerberos files, as follows:

     $ SET FILE/PROT=W:RE SYS$MANAGER:KRB$*.COM
     $ SET FILE/PROT=W:RE SYS$SYSTEM:KRB$*.EXE
     $ SET FILE/PROT=W:RE SYS$LIBRARY:KRB$RTL*.EXE
     $ SET FILE/PROT=W:RE SYS$LIBRARY:GSS$RTL*.EXE

- Remove Kerberos Version 1.0 layered product PCSI kit before upgrading to Version 2.0

  If you have installed the PCSI (layered product) kit of Kerberos Version 1.0 for OpenVMS, you must use the PCSI utility to remove it before you upgrade to Kerberos Version 2.0.
  If you are running OpenVMS Alpha Version 7.3-1, Kerberos Version 1.0 was installed during the OpenVMS installation procedure. Do not use the PCSI utility to remove Kerberos Version 1.0. The OVERLAY_KRB5KIT.COM command procedure performs the upgrade properly.

  To remove the Kerberos Version 1.0 PCSI kit from OpenVMS Version 7.2-2 or 7.3, enter the PCSI command PRODUCT REMOVE KERBEROS. During the removal, you are asked if you want to remove the data and directories. (Data refers to the configuration data files along with the principal database, if one was created.) If you want to save this information for use later, respond "No" to the question.

  After the upgrade, the new Kerberos directories are located under SYS$COMMON in KERBEROS.DIR. New Kerberos data is either created during configuration or copied from the old Kerberos directories. If you removed a previously installed Kerberos PCSI kit and saved the data and directories, the data will be copied into the new directories automatically when Kerberos starts for the first time.

  To optionally save the log files, enter the following:

     $ RENAME/LOG SYS$COMMON:[SYSEXE.LOG]*.* KRB$ROOT:[LOG]*.*;

- Building a Kerberos application

  When you build a Kerberos application, you must link your C application with a compile option of /POINTER_SIZE=LONG, because Kerberos on OpenVMS expects 64-bit pointers. The default Kerberos shareable libraries use 64-bit pointers. The example programs in SYS$COMMON:[SYSHLP.EXAMPLES.KERBEROS.GMAKE] show you how to build a Kerberos application on OpenVMS.

  To build an application using 32-bit pointers, omit the /POINTER_SIZE=LONG qualifier from your compile, and link against KRB$RTL32.EXE and GSS$RTL32.EXE instead of KRB$RTL.EXE and GSS$RTL.EXE.

- Kerberos is not cluster-aware

  Kerberos for OpenVMS is not cluster-aware. Kerberos tickets are encoded with the originating node name as a security feature. A ticket-granting ticket (TGT), obtained from one node in a cluster, is valid only on the node from which the request was made. Further requests for tickets must originate from the same node where the ticket-granting-ticket request originated. Although the ticket cache is visible from other nodes in the cluster, the Kerberos KDC does not allow nodes other than the node encoded in the ticket to use the TGT.

- Kerberos command lines entered are changed to upper case

  When you enter commands at the Kerberos prompt, the commands you enter are changed to uppercase unless they are enclosed in quotation marks. For portions of the command that contain lowercase letters like principal names and passwords, be sure to use quotation marks. This does not apply to password prompting. In the following example, smith was changed to uppercase because it was not enclosed in quotation marks.

     Kerberos> modify password smith /password="oldpassword"
     Password for "SMITH@REALM" changed.
     Kerberos> modify password smith
     Enter password for principal "SMITH": newpasswd
     Re-enter password for principal "SMITH": newpasswd
     change_password: password for "SMITH@REALM" changed.
     Kerberos> exit

- Kerberos KDC Propagation Daemon on OpenVMS fails on slave KDC systems on OpenVMS

  The Kerberos KDC Propagation Daemon on OpenVMS unexpectedly fails on slave KDC systems on OpenVMS, causing scheduled KDC propagation to not update the slave's KDC database.

  Workaround: Set up the propagation daemon as a TCP/IP service. As a TCP/IP service, the daemon will run only when an update request is made to the slave KDC system from the master. The daemon will execute and then exit. To set up the service, manually enter the following commands or save and execute the commands in a .COM file. You need to run this setup procedure only once.

     $!
     $! Sets up Kerberos5 propagation daemon as TCP/IP service
     $!
    $ TCPIP SET SERVICE KRB5_PROP -
        /FILE=KRB$ROOT:[BIN]KRB$KPROPD.COM -
        /PORT=754 -
        /USER=SYSTEM -
        /PROCESS_NAME=KRB$KPROP -
        /LOG_OPTIONS=(FILE=SYS$MANAGER:KRB$KPROP.LOG,ALL)
    $!
    $ TCPIP ENABLE SERVICE KRB5_PROP
    $!
    $ TCPIP SHOW SERVICE/FULL KRB5_PROP
    $!
    $ EXIT

- UNIX to OpenVMS file naming differences

  The MIT Kerberos documentation is written for a UNIX audience. When reading the Kerberos documentation, note the following differences between UNIX and OpenVMS:

  o File specification format

    The following example shows the difference in the file specification format of a lock file. In this example, the UNIX file specification /usr/local/var/krb5kdc/principal.kadm5.lock is equivalent to KRB$ROOT:[KRB5KDC]PRINCIPAL_KADM5_LOCK.;1 on OpenVMS.

  o Configuration file format

    The following examples show the differences in format of two configuration files, krb5.conf and kdc.conf.

    The krb5.conf file on a UNIX system is as follows:

      [libdefaults]
          ticket_lifetime = 600
          default_realm = ATHENA.MIT.EDU
          default_tkt_enctypes = des-cbc-crc
          default_tgs_enctypes = des-cbc-crc

      [realms]
          ATHENA.MIT.EDU = {
              kdc = kerberos.mit.edu:88
              kdc = kerberos-1.mit.edu:88
              kdc = kerberos-2.mit.edu:88
              admin_server = kerberos.mit.edu:749
              default_domain = mit.edu
          }

      [domain_realm]
          .mit.edu = ATHENA.MIT.EDU
          mit.edu = ATHENA.MIT.EDU

      [logging]
          kdc = FILE:/var/log/krb5kdc.log
          admin_server = FILE:/var/log/kadmin.log
          default = FILE:/var/log/krb5lib.log

    The krb5.conf file on an OpenVMS system is as follows:

      [libdefaults]
          default_realm = NODE32.DEC.COM
          default_tgs_enctypes = des-cbc-crc
          default_tkt_enctypes = des-cbc-crc

      [realms]
          NODE32.DEC.COM = {
              kdc = node32.zko.dec.com:88
              admin_server = node32.zko.dec.com:749
              default_domain = zko.dec.com
          }

      [domain_realm]
          .zko.dec.com = NODE32.DEC.COM
          zko.dec.com = NODE32.DEC.COM

      [logging]
          kdc = FILE=krb$root:[log]krb$krb5kdc.log
          admin_server = FILE=krb$root:[log]krb$kadmind.log
          default = FILE=krb$root:[log]krb5lib.log

    The kdc.conf file on a UNIX system is as follows:

      [kdcdefaults]
          kdc_ports = 88,750

      [realms]
          ATHENA.MIT.EDU = {
              database_name = /usr/local/var/krb5kdc/principal
              admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
              acl_file = /usr/local/var/krb5kdc/kadm5.acl
              dict_file = /usr/local/var/krb5kdc/kadm5.dict
              key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
              kadmind_port = 749
              max_life = 10h 0m 0s
              max_renewable_life = 7d 0h 0m 0s
              master_key_type = des-cbc-crc
              supported_enctypes = des-cbc-crc:normal
          }

    The kdc.conf file on an OpenVMS system is as follows:

      [kdcdefaults]
          kdc_ports = 750,88
          clockskew = 5000

      [realms]
          NODE32.DEC.COM = {
              database_name = krb$root:[krb5kdc]principal
              admin_keytab = krb$root:[krb5kdc]kadm5.keytab
              acl_file = krb$root:[krb5kdc]kadm5.acl
              key_stash_file = krb$root:[krb5kdc]_k5_NODE32_DEC_COM
              kdc_ports = 750,88
              max_life = 10h 0m 0s
              max_renewable_life = 7d 0h 0m 0s
              master_key_type = des-cbc-crc
              supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
          }
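The following Python script is an added illustration, not part of the HP kit or the MIT distribution: it parses the krb5.conf/kdc.conf syntax shown above and flags the two UNIX leftovers most likely to survive a translation to OpenVMS, a FILE: logging path instead of FILE= and a /usr/... path instead of a device:[directory]name file specification. The sample configuration is constructed from the OpenVMS examples above with those leftovers deliberately inserted, and the OPENVMS_FILESPEC pattern is an assumption that covers only the file specification form used in this guide.

```python
import re
def parse_krb5_conf(text):
    """Parse MIT krb5.conf/kdc.conf syntax: [section], key = value, nested 'name = { ... }'."""
    conf, stack = {}, []                       # stack of dicts currently being filled
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == '}':
            stack.pop()
        elif line:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                   # realm block: descend into a nested dict
                stack.append(stack[-1].setdefault(key, {}))
            else:                              # values are lists because keys such as kdc may repeat
                stack[-1].setdefault(key, []).append(value)
    return conf
OPENVMS_FILESPEC = re.compile(r'^[\w$]+:\[[^\]]+\]\S*$')     # assumed form, e.g. krb$root:[log]krb5lib.log
def check_openvms_conf(krb5, kdc):
    """Return findings for UNIX-style leftovers in an OpenVMS krb5.conf/kdc.conf pair."""
    realm = krb5.get('libdefaults', {}).get('default_realm', [None])[0]
    findings = [f'{name}: default_realm {realm} has no [realms] block'
                for name, c in (('krb5.conf', krb5), ('kdc.conf', kdc)) if realm not in c.get('realms', {})]
    for key, values in krb5.get('logging', {}).items():
        for v in values:
            if v.startswith('FILE:'):          # UNIX form; the OpenVMS examples use FILE=
                findings.append(f'krb5.conf [logging] {key}: UNIX FILE: syntax, OpenVMS uses FILE=')
    for key, values in kdc.get('realms', {}).get(realm, {}).items():
        for v in values:
            if key.endswith(('_name', '_file', '_keytab')) and not OPENVMS_FILESPEC.match(v):
                findings.append(f'kdc.conf {key} = {v} is not an OpenVMS file specification')
    return findings

# Constructed sample: the guide's OpenVMS examples, abbreviated, with two UNIX leftovers left in.
SAMPLE_KRB5 = """[libdefaults]
default_realm = NODE32.DEC.COM
[realms]
NODE32.DEC.COM = {
kdc = node32.zko.dec.com:88
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
"""
SAMPLE_KDC = """[realms]
NODE32.DEC.COM = {
database_name = /usr/local/var/krb5kdc/principal
key_stash_file = krb$root:[krb5kdc]_k5_NODE32_DEC_COM
}
"""
```

Running check_openvms_conf(parse_krb5_conf(SAMPLE_KRB5), parse_krb5_conf(SAMPLE_KDC)) reports exactly the two inserted leftovers and nothing else.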
