Network security concerns are becoming increasingly important
to the computer system user. The purpose of the Secure Internet
Services is to allow the user greater security when running these
services.
When an Internet Services client connects to the server daemon,
the server daemon requests authentication. The Secure Internet Services authenticate,
or in other words validate, the identity of the client and server
to each other in a secure way. Also, with the Secure Internet Services,
users are authorized to access an account on a remote system by
the transmission of encrypted tickets rather than by using the traditional
password mechanism. The traditional password mechanism, used with
non-secure Internet Services, sends the password in a readable form
(unencrypted) over the network. This creates a security risk from
intruders who may be listening over the network.
The Secure Internet Services are meant as replacements for
their non-secure counterparts. The main benefit of running the Secure Internet
Services is that user authorization no longer requires transmitting
a password in a readable form over the network. Authorization is
the process in which servers verify what access remote users should
have on the local system.
The Secure Internet Services may only be used in conjunction
with software products that provide a Kerberos V5 Network Authentication Services
environment (for example, the HP DCE Security Service or the Praesidium/Security
Service). The network authentication mechanism ensures that the
local and remote hosts are mutually identified to each other in
a secure and trusted manner and that the user is authorized to access
the remote account.
For ftp/ftpd, rlogin/rlogind, and telnet/telnetd, the Kerberos V5 authentication involves sending
encrypted tickets instead of a readable password over the network
to verify and identify the user. Although rcp/remshd and remsh/remshd (used with a command) do not prompt for a password,
using these services with the Kerberos V5 authentication provided
when the Secure Internet Services mechanism enabled ensures that
the user is authorized to access the remote account. (If remsh is used with no command specified, rlogin/rlogind is invoked.)
If any of the Secure Internet Services are installed in an
environment where some of the remote systems on the network are
running without the Secure Internet Services mechanism enabled,
you can use a special command line option to bypass Kerberos authentication
to access those remote systems. However, if a password is required
to access the system, the password is sent in a readable form over
the network. See “Bypassing and Enforcing Kerberos Authentication” for more information.
 |
| |
|
 | CAUTION: None of the Secure Internet Services encrypts the
session beyond what is necessary to authorize the user or authenticate
the service. So, these services do not provide integrity-checking
or encryption services on the data or on remote sessions. |
|
| |
|
