Issues with rsh and kerberos

Rick Stevens rstevens at vitalstream.com
Fri Feb 4 18:02:48 UTC 2005


Waldher, Travis R wrote:
>>-----Original Message-----
>>From: Rick Stevens [mailto:rstevens at vitalstream.com]
>>Sent: Thursday, February 03, 2005 12:05 PM
>>To: Getting started with Red Hat Linux
>>Subject: Re: Issues with rsh and kerberos
>>
>>There's several things that may or may not be significant for you.  It
>>depends on how kerberos was set up.
>>
>>The easiest way to get a ticket is to do "kinit -f myusername".  If you
>>don't get an error, that means that the kerberos server on your network
>>gave you a ticket.  Your "rsh" should then work without the error.  You
>>may need to do "rsh -F" to make sure your credentials get forwarded to
>>the server.
>>
>>If the "kinit -f" fails, try just "kinit myusername" (the "-f" means
>>that you want forwardable credentials which is only supported in
>>Kerberos V5 and later).  Then try the "rsh" again.  If the "rsh" fails,
>>try "rsh -F" (capital F) to forward your non-forwardable credentials.
>>
>>Note that before you end your session, you should "kdestroy" to destroy
>>any credentials you may have (even though they will expire eventually).
>>Most people that have to use Kerberos put a "kinit" command in their
>>shell's startup script (".bashrc", ".profile", etc.) and the "kdestroy"
>>in their logout script (".bash_logout", etc.).
>>
>>See "man kerberos" for more info.
> 
> 
> I just realized I committed a stupid.
> 
> I'm not running Kerberos in this environment.  Just NIS.  And NIS is not
> Kerberos, correct?

It depends.  NIS essentially supplements /etc/passwd, /etc/shadow and
/etc/group for login authentication.  It can also invoke the automounter
and such.  Kerberos is also an authentication mechanism, but it
supplants the need for things such as "~/.rhosts" files and such by
passing around secure credential tickets.

In other words, if rsh gets a valid Kerberos ticket, it knows that the
user has been authenticated previously and doesn't need to bother itself
with that.  Kerberos essentially allows you to authenticate once, then
use that authentication to access all of the various services IN THE
KERBEROS REALM without having to re-authenticate.

Can you use both?  Certainly!  Should you?  It depends on what you're
trying to accomplish.  It's very useful for single-point authentication
on a server farm, for instance.  The downside is that Kerberos doesn't
provide encryption (many people mistakenly think it does).  All
conversations between the systems using stuff such as rsh, rlogin, etc.
remain in plaintext, so the network still must be pretty secure.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-        "More hay, Trigger?" "No thanks, Roy, I'm stuffed!"         -
----------------------------------------------------------------------
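
The startup/logout arrangement described in the quoted advice, as an added example that is not part of the original thread. The function names are hypothetical, and it assumes MIT Kerberos client tools, where "klist -s" reports ticket validity through its exit status. It skips the password prompt when a valid (for example, forwarded) ticket already exists and when the shell is not interactive, since bash also reads ~/.bashrc for remote commands started by rshd or sshd.

```sh
# ~/.bashrc fragment (added example; function names are hypothetical)

# Return 0 when this shell is interactive. bash sources ~/.bashrc for
# "rsh host command" as well, and a kinit prompt there would hang it.
krb_interactive() {
    case $- in
        *i*) return 0 ;;
    esac
    return 1
}

# Return 0 if the credential cache holds an unexpired ticket.
# "klist -s" prints nothing and signals validity via its exit status.
krb_have_ticket() {
    klist -s 2>/dev/null
}

# Obtain a forwardable ticket only when one is actually needed.
#   $1 = principal (defaults to the login name)
# Returns 0 = ticket present or obtained, 1 = kinit failed,
#         2 = skipped because the shell is not interactive.
krb_login() {
    _krb_principal=${1:-${USER:-$(id -un)}}
    krb_interactive || return 2
    # A ticket forwarded with "rsh -F" is already valid here: no prompt.
    krb_have_ticket && return 0
    kinit -f "$_krb_principal" || return 1
}

# ~/.bash_logout fragment: remove the ticket cache instead of waiting
# for the tickets to expire on their own.
krb_logout() {
    kdestroy 2>/dev/null
}

# Last line of ~/.bashrc; a failed or skipped login must not abort it.
krb_login || :
```

Call krb_logout from ".bash_logout" (or the equivalent logout script of your shell) so the cache is removed at the end of the session.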



