
Security Guide

Understanding the Secure Remote Commands

Notes:
  1. Beginning with Distributed Computing Environment (DCE) version 2.2, the DCE security server can return Kerberos Version 5 tickets.
  2. Beginning with AIX 5.2, all the secure remote commands (rcmds) use the Kerberos Version 5 library provided by Network Authentication Service (NAS) version 1.3. In a DCE realm, the ftp command uses the GSSAPI library from the libdce.a DCE library, and in a native realm, the ftp command uses the GSSAPI library from NAS version 1.3. NAS version 1.3 is located on the Expansion Pack CD. The only LPP that is required is the krb5.client.rte fileset.
  3. If you are migrating to AIX 5.2 and had Kerberos Version 5 or Kerberos Version 4 installed, the installation scripts prompt the user to install krb5.client.rte.

The secure rcmds are rlogin, rcp, rsh, telnet, and ftp. These commands are known collectively as the Standard AIX method. (This method refers to the authentication method used by AIX 4.3 and prior releases.) The additional methods provided are Kerberos Version 5 and Kerberos Version 4.

When using the Kerberos Version 5 authentication method, the client gets a Kerberos Version 5 ticket from the DCE security server or Kerberos server. The ticket is a portion of the user's current DCE or local credentials encrypted for the TCP/IP server with which they want to connect. The daemon on the TCP/IP server decrypts the ticket. This action allows the TCP/IP server to absolutely identify the user. If the DCE or local principal described in the ticket is allowed access to the operating system user's account, the connection proceeds. The secure rcmds support Kerberos clients and servers from both Kerberos Version 5 and DCE.

In addition to authenticating the client, Kerberos Version 5 forwards the current user's credentials to the TCP/IP server. If the credentials are marked as forwardable, the client sends them to the server as a Kerberos ticket-granting ticket (TGT). On the TCP/IP server side, if a user is communicating with a DCE security server, the daemon upgrades the TGT into full DCE credentials using the k5dcecreds command.

The ftp command uses a different authentication method than the other secure rcmds. It uses the GSSAPI security mechanism to pass the authentication between the ftp command and the ftpd daemon. Using the clear, safe, and private subcommands, the ftp client supports data encryption.

Between operating system clients and servers, the ftp command allows multiple byte transfers for encrypted data connections. The standards define only single byte transfers for encrypted data connections. When connected to third-party machines and using data encryption, the ftp command follows the single byte transfer limit.

System Configuration

For all of the secure rcmds, a system-level configuration mechanism determines which authentication methods are allowed for that system. The configuration controls both outgoing and incoming connections.

The authentication configuration consists of the libauthm.a library and the lsauthent and chauthent commands, which provide command-line access to the get_auth_methods and set_auth_methods library routines.

The authentication method defines which method is used to authenticate a user across a network. The system supports the following authentication methods: Standard AIX, Kerberos Version 5, and Kerberos Version 4.

If more than one authentication method is configured and the first method fails to connect, the client attempts to authenticate using the next authentication method configured.

Authentication methods can be configured in any order. The only exception is that Standard AIX must be the final authentication method configured, because there is no fallback option. If Standard AIX is not a configured authentication method, password authentication is not attempted and any connection attempt using this method is rejected.

You can configure the system without any authentication methods. In this case, the machine refuses all connections from and to any machine using secure rcmds. Also, because Kerberos Version 4 is only supported with the rlogin, rsh, and rcp commands, a system configured to use only Kerberos Version 4 does not allow connections using telnet or ftp.
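The ordering, fallback, and Kerberos Version 4 restrictions above can be checked before a method order is applied with chauthent. The following is an added example, not IBM code; the function names are this example's own, and the method and command names are taken from this guide.

```python
"""Model of the secure rcmd authentication-method rules from this guide.

Added example (not IBM's code). It checks a proposed method order against
the rules stated above and simulates the client's fallback behaviour.
"""

METHODS = ("Kerberos Version 5", "Kerberos Version 4", "Standard AIX")
RCMDS = ("rlogin", "rcp", "rsh", "telnet", "ftp")
# Kerberos Version 4 is supported only with rlogin, rsh and rcp.
K4_COMMANDS = frozenset({"rlogin", "rsh", "rcp"})


def validate_order(methods):
    """Return a list of problems with a proposed authentication-method order.

    An empty list means the order is acceptable under the guide's rules.
    """
    problems = []
    for m in methods:
        if m not in METHODS:
            problems.append("unknown method: %s" % m)
    if len(set(methods)) != len(methods):
        problems.append("a method is listed more than once")
    # Standard AIX has no fallback, so it must come last if present.
    if "Standard AIX" in methods and methods[-1] != "Standard AIX":
        problems.append("Standard AIX must be the final method configured")
    if not methods:
        problems.append("no methods configured: all secure rcmd connections refused")
    return problems


def usable_methods(methods, command):
    """Configured methods that can serve `command`, in fallback order."""
    if command not in RCMDS:
        raise ValueError("not a secure rcmd: %s" % command)
    return [m for m in methods
            if m != "Kerberos Version 4" or command in K4_COMMANDS]


def authenticate(methods, command, outcomes):
    """Simulate client fallback: try each usable method in configured order.

    `outcomes` maps a method name to whether that method would succeed
    (constructed test input).  Returns the method that succeeded, or None
    when every method failed and the connection is rejected.  Password
    authentication is only tried if Standard AIX is configured.
    """
    for m in usable_methods(methods, command):
        if outcomes.get(m, False):
            return m
    return None
```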

Kerberos Version 5 User Validation

When using the Kerberos Version 5 authentication method, the TCP/IP client gets a service ticket encrypted for the TCP/IP server. When the server decrypts the ticket, it has a secure method of identifying the user (by DCE or local principal). However, the server still needs to determine if this DCE or local principal is allowed access to the local account. Mapping the DCE or local principal to the local operating system account is handled by a shared library, libvaliduser.a, which has a single subroutine, called kvalid_user. If a different method of mapping is preferred, the system administrator must provide an alternative for the libvaliduser.a library.

DCE Configuration

To use the secure rcmds, two DCE principals must exist for every network interface through which the secure rcmds can be reached. They are:

              host/FullInterfaceName
              ftp/FullInterfaceName

where:

FullInterfaceName
Interface name and domain name

Local Configuration

To use the secure rcmds, two local principals must exist for every network interface through which the secure rcmds can be reached. They are:

              host/FullInterfaceName@Realmname
              ftp/FullInterfaceName@Realmname

where:

FullInterfaceName
Interface name and domain name
RealmName
Name of the local Kerberos Version 5 realm

Related Information
