Tuesday, April 15, 2008

Install WAS CE V1.x on Linux

Learn to make use of the Kerberos authentication tickets in the day-to-day network services on IBM® AIX® V6 and discover how Kerberos can be useful in getting rid of the password hassles for network service logons. This is another method towards achieving single sign on (SSO) on an AIX system network.

Introduction

The network applications in AIX (for instance, telnet, FTP, and r-commands like rlogin, rsh, rcp, and more) inherently support Kerberos authentication. All the administrator needs to do is install and configure Kerberos, and then configure the AIX system (and in turn its applications) to use that Kerberos setup for authentication. Kerberos authentication means that once you have a valid Kerberos ticket (obtained by a manual /usr/krb5/bin/kinit or by integrated login), the network applications can use this ticket as your authentication token; once you are authenticated successfully, you are given access without being asked to enter your password.

Basic configuration

In order to enable Kerberos authentication, some common basic configuration is required on Kerberos front as well as on the AIX systems. Let's glance through them.

Kerberos configuration

  • Make one server machine the Kerberos master KDC (Key Distribution Center). This machine will be responsible for all the Kerberos-related tasks such as generating tickets, authenticating users, and more. Here the administrator needs to install and configure IBM Network Authentication Service (NAS) (preferably version 1.4.0.7 or later) as a master KDC.
  • On all the other machines in your network from which you are going to use telnet, FTP, or r-commands to log in, install and configure IBM NAS as a client to the master KDC.
  • On the machines where the telnet and FTP daemons are running (the machines the clients will connect to), install and configure IBM NAS as a client to the master KDC as well.

For complete instructions on the IBM NAS server and client installation and configuration, please refer to the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.

For the examples in this article, I refer to an example Kerberos environment. Figure 1 shows that environment and the logical flow of information.


Figure 1: An example showing Kerberized telnet in action

The following definitions are used throughout the article:
Kerberos Administrator Name:
admin/admin

Kerberos Realm Name:
ISL.IN.IBM.COM

IBM NAS 1.4.0.7 Master KDC:
Hostname: land.in.ibm.com Port: 88
OS: AIX 5.3

IBM NAS 1.4.0.7 Administration Server:
Hostname: land.in.ibm.com Port: 749
OS: AIX 5.3

IBM NAS 1.4.0.7 Client:
Hostname: fakir.in.ibm.com
OS: AIX 6.1

Machine with telnet service running:
Hostname: fsaix005.in.ibm.com Port: 23
OS: AIX 5.3

Machine with FTP service running:
Hostname: fsaix005.in.ibm.com Port: 21
OS: AIX 5.3

 

Check and synchronize the clocks of all the machines; the time difference between them should not be more than 5 minutes. To check the correctness of the Kerberos configuration, use '/usr/krb5/bin/kinit admin/admin' followed by '/usr/krb5/bin/klist' and see whether you are able to get a Kerberos ticket, then use '/usr/krb5/sbin/kadmin -p admin/admin' to check that everything (time difference and more) is correct.

AIX authentication configuration

In order to make sure that all the network applications try Kerberos authentication before the standard password-based authentication, the administrator needs to change the preference of the authentication method on all the AIX machines.

The '/usr/bin/lsauthent' command shows the current authentication mode preference.

bash-2.05b# /usr/bin/lsauthent
Standard Aix

To change the authentication mode preference, use the '/usr/bin/chauthent' command.

bash-2.05b# /usr/bin/chauthent -k5 -std

Now, '/usr/bin/lsauthent' would show something like this:

bash-2.05b# /usr/bin/lsauthent
Kerberos 5
Standard Aix

Be sure to keep the standard password-based authentication method (-std above), as a fallback authentication method, or else you will not be able to log in to the system if the proper Kerberos login is not enabled.

Configuring Kerberos for telnet service

In the Kerberos environment, each Kerberos service is represented by a service principal. This service principal is nothing but a normal Kerberos principal which holds the key needed to decrypt the service ticket presented by the client. For the telnet service as well, you will need to create a telnet service principal and perform some configuration steps on the telnet server.

Use the following step-by-step process to configure Kerberos for telnet service.

If you have already configured the Kerberos client using the AIX 'mkkrb5clnt' command, then you do not need to do steps 1 and 2. The 'mkkrb5clnt' command creates a host service principal and stores it in the /var/krb5/security/keytab/<hostname>.keytab file. Link this file to the default keytab file /etc/krb5/krb5.keytab.

  1. On the machine where the telnet service is running (fsaix005.in.ibm.com), create the telnet service principal by the name 'host/<FQDN_telnetd_hostname>'. For us, it will be 'host/fsaix005.in.ibm.com'.

    Using the Fully Qualified Domain Name (FQDN) is very vital for this setup to work.

    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  addprinc -randkey host/fsaix005.in.ibm.com
    WARNING: no policy specified for host/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
    defaulting to no policy. Note that policy may be overridden by
    ACL restrictions.
    Principal "host/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.

  2. Add the telnet service principal to the keytab file (/etc/krb5/krb5.keytab).
    kadmin:  ktadd host/fsaix005.in.ibm.com
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin:  q
    
    bash-2.05b#


    If you are not able to run 'kadmin' from the telnet server for some reason, create the service principal on the KDC, add it to a keytab file (/etc/krb5/krb5.keytab) there, and transfer that keytab file to the machine where telnetd is running (fsaix005.in.ibm.com, for us).

  3. On the telnet service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries.
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist -k
    Keytab name:  FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#

  4. On the telnet service machine (fsaix005.in.ibm.com), create a new user 'vipin' using which you will telnet to fsaix005. Change the password of this user.
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# mkuser -R files vipin
    
    bash-2.05b# passwd vipin
    Changing password for "vipin"
    vipin's New password:
    Enter the new password again:
    
    bash-2.05b#

  5. Create a Kerberos principal with the same name 'vipin'. This can be done from any machine (either the master KDC or client) in the Kerberos realm.
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  ank -pw vipin vipin
    WARNING: no policy specified for vipin@ISL.IN.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "vipin@ISL.IN.IBM.COM" created.
    kadmin:  q
    
    bash-2.05b#

  6. Go to any other client machine (fakir.in.ibm.com) on which the Kerberos client is configured. Run '/usr/krb5/bin/kinit vipin' to get the initial Kerberos ticket, as shown below:
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/kinit vipin
    Password for vipin@ISL.IN.IBM.COM:
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    
    bash-2.05b#

  7. Try to telnet to the telnetd machine (fsaix005.in.ibm.com). If everything goes fine, you will not be asked to enter the password and you will be logged in as user "vipin".
    Here is how:
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# telnet -l vipin fsaix005.in.ibm.com
    Trying...
    Connected to fsaix005.in.ibm.com.
    Escape character is '^]'.
    [ Kerberos V5 accepts you as ``vipin@ISL.IN.IBM.COM'' ]
    
    
    telnet (fsaix005.in.ibm.com)
    
    *******************************************************************************
    *                                                                             *
    *                                                                             *
    *  Welcome to AIX Version 5.3!                                                *
    *                                                                             *
    *                                                                             *
    *  Please see the README file in /usr/lpp/bos for information pertinent to    *
    *  this release of the AIX Operating System.                                  *
    *                                                                             *
    *                                                                             *
    *******************************************************************************
    Last unsuccessful login: Wed Feb 13 11:50:40 CST 2008 on /dev/pts/2 from land.in.ibm.com
    Last login: Fri Feb 15 12:49:06 CST 2008 on /dev/pts/3 from aixdce8.in.ibm.com
    
    $ hostname
    fsaix005.in.ibm.com
    
    $ id
    uid=237(vipin) gid=1(staff)
    
    $ exit
    Connection closed
    
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b#


    That's all it takes to do the kerberized telnet! Please note the additional '-l vipin' option passed to the telnet command above; it names the account to log in to on the remote machine.

    If you want to check whether you actually got the ticket for the telnet service principal or not, run ‘/usr/krb5/bin/klist’ on the client and see the output. You should see something like this:

    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    02/16/08 04:32:56  02/17/08 04:31:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#


Configuring Kerberos for FTP service

Similar to telnet service, you can also configure FTP service to accept and use Kerberos authentication. Use the following step-by-step procedure to achieve this:

  1. Create an FTP service principal. This time the name of FTP service principal would be ‘ftp/<FQDN_ftpd_hostname>’. So for us, it will be something like ‘ftp/fsaix005.in.ibm.com’. Create the principal:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# kadmin -p admin/admin
    Authenticating as principal admin/admin with password.
    Password for admin/admin@ISL.IN.IBM.COM:
    kadmin:  ank -randkey ftp/fsaix005.in.ibm.com
    WARNING: no policy specified for ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.

  2. Now add this principal entry to the keytab file (/etc/krb5/krb5.keytab).
    kadmin:  ktadd ftp/fsaix005.in.ibm.com
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin:  q
    
    bash-2.05b#

  3. On the FTP service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries in the keytab file. This time it should look something like this:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist -k
    Keytab name:  FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
       3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#

  4. The next step is to get the initial Kerberos ticket. Since we already have a Kerberos user called 'vipin', we will be using this principal to get the initial Kerberos ticket by using the '/usr/krb5/bin/kinit' command.
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/kinit vipin
    Password for vipin@ISL.IN.IBM.COM:
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:47:46  02/17/08 04:47:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    
    bash-2.05b#

  5. Once we have a valid ticket, we are all set now to do the kerberized FTP.
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# ftp fsaix005.in.ibm.com
    Connected to fsaix005.in.ibm.com.
    220 fsaix005.in.ibm.com FTP server (Version 4.2 Sat Jun 16 07:20:05 CDT 2007) ready.
    334 Using authentication type GSSAPI; ADAT must follow
                                GSSAPI accepted as authentication type
                                GSSAPI authentication succeeded
    Name (fsaix005.in.ibm.com:root): vipin
    232 GSSAPI user vipin@ISL.IN.IBM.COM is authorized as vipin
    ftp>
    ftp> bye
    221 Goodbye.
    
    bash-2.05b#


    To cross-check the kerberized FTP success, you can close the FTP session and do ‘/usr/krb5/bin/klist’ to see the additional ticket of our FTP service principal.

    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    02/16/08 04:47:46  02/17/08 04:47:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    02/16/08 04:49:20  02/17/08 04:49:19  ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
    
    bash-2.05b#

Configuring Kerberos for r-commands

The AIX r-commands (such as rlogin, rsh, and rcp) also support Kerberos authentication. We are going to take a look at how these commands can make use of a Kerberos ticket to let us work on the remote machine seamlessly.

The Kerberos service principal for all r-commands is going to be 'host/<FQDN_service_hostname>' again, which is the same as the telnet service principal. So, if you have configured the kerberized telnet authentication, then you do not need to do any more configuration steps. Just get the initial Kerberos ticket and fire the r-commands. For example:

Example showing Kerberos authentication in 'rlogin'

bash-2.05b# hostname
fakir.in.ibm.com

bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:54:26  04/22/08 08:54:25  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM

bash-2.05b# rlogin fsaix005.in.ibm.com -l vipin
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Last unsuccessful login: Mon Apr 21 07:55:42 CDT 2008 on /dev/pts/1 from 9.182.185.101
Last login: Mon Apr 21 08:01:29 CDT 2008 on /dev/pts/1 from fakir.in.ibm.com

$ hostname
fsaix005.in.ibm.com
$ exit
Connection closed.

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:54:26  04/22/08 08:54:25  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
04/21/08 08:54:49  04/22/08 08:54:25  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM

bash-2.05b#

Example showing Kerberos authentication in 'rsh'

We can also do the Kerberos authentication in ‘rsh’ the same way as the rlogin.

bash-2.05b# hostname
fakir.in.ibm.com

bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:58:08  04/22/08 08:58:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM

bash-2.05b# rsh fsaix005.in.ibm.com -l vipin
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
Last unsuccessful login: Mon Apr 21 07:55:42 CDT 2008 on /dev/pts/1 from 9.182.185.101
Last login: Mon Apr 21 08:54:58 CDT 2008 on /dev/pts/1 from fakir.in.ibm.com

$ hostname
fsaix005.in.ibm.com
$ exit
Connection closed.

bash-2.05b# /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
04/21/08 08:58:08  04/22/08 08:58:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
04/21/08 08:58:33  04/22/08 08:58:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM

Example showing Kerberos authentication in 'rcp'

This example copies a file from one machine (fakir.in.ibm.com) to a remote machine (fsaix005.in.ibm.com) using Kerberos authentication.

  1. Here is the file on fakir.in.ibm.com that we want to transfer:
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# ls -l /home/vipin/progs/try.c
    -rw-r--r--    1 root     system          200 Feb 14 03:55 home/vipin/progs/try.c
    
    bash-2.05b#

  2. Copy this file to fsaix005.in.ibm.com at the /home/vipin directory. The current contents of /home/vipin on fsaix005.in.ibm.com are:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# ls -l /home/vipin/t*
    ls: 0653-341 The file /home/vipin/t* does not exist.
    
    bash-2.05b#

  3. Run the Kerberos authentication and get the initial Kerberos ticket on fakir.in.ibm.com.
    bash-2.05b# hostname
    fakir.in.ibm.com
    
    bash-2.05b# /usr/krb5/bin/kinit vipin
    Password for vipin@ISL.IN.IBM.COM:
    
    bash-2.05b# /usr/krb5/bin/klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  vipin@ISL.IN.IBM.COM
    
    Valid starting     Expires            Service principal
    04/21/08 09:20:13  04/22/08 09:20:45  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
    
    bash-2.05b#

  4. Once we have a valid ticket, we can run the ‘rcp’ command:
    bash-2.05b# rcp /home/vipin/progs/try.c vipin@fsaix005.in.ibm.com:/home/vipin
    
    bash-2.05b#


    Please pay attention to how we pass the user name for fsaix005.in.ibm.com (as 'vipin@' in front of the host name). We are also passing the destination directory on fsaix005.in.ibm.com. It is important to remember that the destination directory needs to be writable by that user.

  5. And on fsaix005.in.ibm.com, we can cross-check the file copy operation like this:
    bash-2.05b# hostname
    fsaix005.in.ibm.com
    
    bash-2.05b# ls -l /home/vipin/t*
    -rw-r--r--   1 vipin    staff           200 Apr 21 09:21 /home/vipin/try.c
    
    bash-2.05b#


    Note the ownership of the newly copied file: it belongs to the user 'vipin' on fsaix005.in.ibm.com, even though the copy was started as root on fakir.in.ibm.com.

Commonly encountered kerberized telnet errors and mistakes

 

Error: Kerberos V5 refuses authentication because admin/admin@ISL.IN.IBM.COM is not authorized to log in to the specified account.
Solution: The initial Kerberos ticket was created using 'admin/admin', not your normal username ('vipin', in this example). Run '/usr/krb5/bin/kdestroy' to destroy the earlier Kerberos ticket, use '/usr/krb5/bin/kinit <username>' to get the correct ticket, and retry.

Error: Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed.
Solution: There is a mismatch in the key version number of the service principal. Delete the service principal (using the 'delprinc' kadmin command) and remove it from the keytab file (using the 'ktrem' kadmin command). Then re-create a fresh service principal, add it to the keytab file, and retry.

Error: Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Generic RC I/O error.
Solution: On the telnet server, create a directory called "/var/tmp" if it is not already present. This should solve the problem.
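
As an added example (not part of the original article), the following Python script applies the checks behind the telnet/FTP setup steps and the first two errors above to 'klist -k' and 'klist' output: a host/ and ftp/ entry under the FQDN, a single kvno per service principal, a ticket cache that belongs to the login user rather than admin/admin, and an unexpired service ticket. The realm, host name and the two sample listings are constructed from the article's values; the stray kvno 4 in the keytab sample is invented to show what a mismatch looks like.

```python
import re
from datetime import datetime
REALM = "ISL.IN.IBM.COM"
TIME_FMT = "%m/%d/%y %H:%M:%S"  # the timestamp format klist prints

# Constructed 'klist -k' output. The host/ principal carries a stray kvno 4:
# each ktadd re-randomizes the key and bumps the kvno, and a keytab/KDC kvno
# mismatch is what surfaces as "krb5_rd_req failed: Decrypt integrity check failed".
KEYTAB_LISTING = """\
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   4 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
"""
# Constructed 'klist' output after a successful kerberized telnet as vipin.
TICKET_CACHE = """\
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  vipin@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
02/16/08 04:32:56  02/17/08 04:31:39  host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
"""
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)$")
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET_ROW = re.compile(r"^%s\s+%s\s+(\S+)$" % (STAMP, STAMP))

def parse_keytab(listing):
    """Map each principal in 'klist -k' output to the set of kvnos stored for it."""
    kvnos = {}
    for m in filter(None, map(KEYTAB_ROW.match, listing.splitlines())):
        kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos

def check_service_keys(listing, hostname, services=("host", "ftp"), realm=REALM):
    """Problems with the telnetd (host/) and ftpd (ftp/) keys for hostname."""
    problems = []
    if "." not in hostname:  # service principals must carry the FQDN
        problems.append("hostname %r is not fully qualified" % hostname)
    kvnos = parse_keytab(listing)
    for svc in services:
        princ = "%s/%s@%s" % (svc, hostname, realm)
        if princ not in kvnos:
            problems.append("missing keytab entry for " + princ)
        elif len(kvnos[princ]) > 1:
            problems.append("mixed kvnos %s for %s" % (sorted(kvnos[princ]), princ))
    return problems

def parse_ticket_cache(output):
    """Return (default principal, {service principal: (valid from, expires)})."""
    default, tickets = None, {}
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        m = TICKET_ROW.match(line)
        if m:
            start, end = (datetime.strptime(s, TIME_FMT) for s in m.groups()[:2])
            tickets[m.group(3)] = (start, end)
    return default, tickets

def ticket_check(output, user, service_principal, now_str, realm=REALM):
    """Problems that would make a kerberized login as user fail at time now_str."""
    default, tickets = parse_ticket_cache(output)
    now = datetime.strptime(now_str, TIME_FMT)
    problems = []
    if default != "%s@%s" % (user, realm):  # the admin/admin case from the error table
        problems.append("cache holds %s, not %s: kdestroy, then kinit %s" % (default, user, user))
    span = tickets.get(service_principal)
    if span is None:
        problems.append("no service ticket for " + service_principal)
    elif not span[0] <= now <= span[1]:
        problems.append("service ticket for %s not valid at %s" % (service_principal, now_str))
    return problems
```

On a real system, feed the script the captured output of '/usr/krb5/bin/klist -k' on the server and '/usr/krb5/bin/klist' on the client instead of the constructed samples.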
 



 

Conclusion

This article demonstrated how to make use of the Kerberos authentication mechanism in the AIX network applications like telnet, FTP, and r-commands, which have support for Kerberos.
