Penn Computing
Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Installing Kerberized TELNET and FTP Service (UNIX)

This document describes how to install on Penn UNIX servers the Kerberos 5 authenticated TELNET and FTP services that come with MIT's Kerberos V5 distribution.


Before installing Kerberized Telnet and FTP services, install the MIT Kerberos V5 distribution. For installation instructions, refer to Installing the MIT Kerberos V5 Distribution. Kerberized TELNET and FTP programs are part of that distribution, so this document describes how to configure them for use.

Create service keys for TELNET and FTP

If the server's DNS hostname is "", create the following principals and their corresponding service keys:

host/        (used by TELNET, RLOGIN, RSH)
ftp/         (used by FTP)

Next, extract the keytabs entries for these principals into the local keytab file (/etc/krb5.keytab). Directions for doing this with kadmin follow. You or someone from your school or center will need the corresponding KAdmin PennKey for this step. This PennKey looks like "PennName/"; for example, smith/

Within kadmin, use the "addprinc" command to generate a Service PennKey with a random, machine-created passphrase. Next, use the "ktadd" command to extract each PennKey into the keytab file.

  1. Run "kadmin" (/usr/local/sbin/kadmin) and enter password:
    kadmin -p username/ [you will be prompted for your password here]
  2. At the kadmin prompt (>), use the "addprinc" command to create Service PennKeys:
    > addprinc -randkey +requires_preauth host/ > addprinc -randkey +requires_preauth ftp/
  3. Issue the command, ktadd, to extract the encryption keys for the service principals into the systems key table:
    > ktadd host/ ftp/

Add TELNET and FTP entries to /etc/inetd.conf

  1. Add entries to /etc/inetd.conf for Kerberized FTP and TELNET service:
    ftp stream tcp nowait root /usr/local/sbin/ftpd ftpd -a telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid
    If it is necessary to allow non-Kerberized authentication also, the following entries should be used instead:
    ftp stream tcp nowait root /usr/local/sbin/ftpd ftpd telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a none
  2. If you use firewalls, tcp-wrappers or other restrictions on access, be sure to modify firewall or tcp-wrappers rules to allow the new services.

  3. Restart "inetd" using the appropriate procedure for the system. On most machines this involves sending the SIGHUP signal to the inetd process.


Information Systems and Computing
University of Pennsylvania
Comments & Questions

University of Pennsylvania Penn Computing University of Pennsylvania Information Systems & Computing (ISC)
Information Systems and Computing, University of Pennsylvania