Installing Kerberized TELNET and FTP Service (UNIX)
This document describes how to install on Penn UNIX servers the
Kerberos 5 authenticated TELNET and FTP services that come with MIT's
Kerberos V5 distribution.
Before installing Kerberized TELNET and FTP services, install the MIT Kerberos
V5 distribution. For installation instructions, refer to
Installing the MIT Kerberos V5 Distribution.
The Kerberized TELNET and FTP programs are part of that
distribution, so this document describes only how to configure them.
Create service keys for TELNET and FTP
If the server's DNS hostname is "machine.dept.upenn.edu", create the
following principals and their corresponding service keys:
host/machine.dept.upenn.edu (used by TELNET, RLOGIN, RSH)
ftp/machine.dept.upenn.edu (used by FTP)
Next, extract the keytab entries for these principals into
the local keytab file (/etc/krb5.keytab). Directions for doing this with
kadmin follow. You or someone from your school
or center will need the corresponding KAdmin PennKey for this step. It
looks like "PennName/kadmin-dept.upenn.edu" (the kadmin command below is
invoked with one). In kadmin, use the "addprinc" command to
generate a Service PennKey with a random, machine-created passphrase.
Next, use the "ktadd" command to extract each PennKey into the keytab file.
- Run "kadmin" (/usr/local/sbin/kadmin) and enter password:
kadmin -p username/kadmin-dept.upenn.edu
[you will be prompted for your password here]
- At the kadmin prompt (>), use the "addprinc" command to create Service PennKeys:
> addprinc -randkey +requires_preauth host/machine.dept.upenn.edu
> addprinc -randkey +requires_preauth ftp/machine.dept.upenn.edu
- Issue the command, ktadd, to extract the encryption keys for the
service principals into the system's key table:
> ktadd host/machine.dept.upenn.edu ftp/machine.dept.upenn.edu
Note that ktadd generates a fresh random key and increments the key version
number each time it is run, so run it once per host rather than repeating it
on every reinstall, and keep /etc/krb5.keytab owned by root with mode 0600:
anyone who can read the keytab can impersonate the host's services.
Add TELNET and FTP entries to /etc/inetd.conf
- Add entries to /etc/inetd.conf for Kerberized FTP and TELNET service. To
accept Kerberos authentication only:
ftp stream tcp nowait root /usr/local/sbin/ftpd ftpd -a
telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid
If it is necessary to allow non-Kerberized authentication also (passwords
sent in the clear), the following entries should be used instead:
ftp stream tcp nowait root /usr/local/sbin/ftpd ftpd
telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a none
If you use firewalls, tcp-wrappers or other restrictions on access,
be sure to modify firewall or tcp-wrappers rules to allow the new
services (TCP ports 21 and 23).
- Restart "inetd" using the appropriate procedure for the system. On most
machines this involves sending the SIGHUP signal to the inetd process.
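The checks to run after completing the steps above (both service keys present in the keytab, inetd.conf entries in the intended mode, keytab readable by root only), written as an added example; this script is not part of the original page or of the MIT distribution. It assumes the MIT "klist -k" output layout (a KVNO column followed by principal@REALM) and the inetd.conf field order used above. The listings embedded in it are constructed samples so it runs offline; on a real server pass the output of klist -k /etc/krb5.keytab, the contents of /etc/inetd.conf and the ls -l line for the keytab instead. The hostname machine.dept.upenn.edu is the page's placeholder.

```shell
#!/bin/sh
# Post-install checks for Kerberized TELNET/FTP. Added example, not from the
# Penn page or MIT krb5. Assumes MIT "klist -k" layout and the inetd.conf
# field order used in the procedure. Samples below are constructed.
set -eu

# Return 0 if every principal named after the listing appears in it.
# The realm is ignored so callers can pass the short names used with kadmin.
keytab_has_principals() {
    listing=$1; shift
    for want in "$@"; do
        printf '%s\n' "$listing" | awk -v want="$want" '
            $1 ~ /^[0-9]+$/ { split($2, p, "@"); if (p[1] == want) found = 1 }
            END { exit found ? 0 : 1 }' || return 1
    done
}

# Print the highest KVNO stored for a principal (nothing if it is absent).
# A keytab whose KVNO lags the KDC, e.g. after a second ktadd on another
# copy of the keytab, fails authentication; compare with "kvno host/...".
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ { split($2, p, "@"); if (p[1] == want && $1 + 0 > max) max = $1 + 0 }
        END { if (max) print max }'
}

# Print the arguments inetd passes to the server for service $2 (first active,
# non-comment entry) so the caller can confirm "-a" / "-a valid" is in effect.
# Exit 1 if the service has no active entry.
inetd_service_args() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        /^[[:space:]]*#/ { next }
        $1 == svc { sep = ""; for (i = 8; i <= NF; i++) { args = args sep $i; sep = " " }
                    found = 1; print args; exit }
        END { exit found ? 0 : 1 }'
}

# Return 0 if an "ls -l" line for the keytab shows it readable by root only.
keytab_private() {
    set -- $1
    case $1 in -r[w-]-------*) [ "$3" = root ] ;; *) return 1 ;; esac
}

# Combined check for one host in Kerberos-only mode:
# usage: verify_host hostname klist_output inetd_conf_text ls_line
verify_host() {
    host=$1
    keytab_has_principals "$2" "host/$host" "ftp/$host" \
        && [ "$(inetd_service_args "$3" ftp)" = "-a" ] \
        && [ "$(inetd_service_args "$3" telnet)" = "-a valid" ] \
        && keytab_private "$4"
}

# Constructed sample inputs (what a correctly configured host would show).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/machine.dept.upenn.edu@UPENN.EDU
   2 ftp/machine.dept.upenn.edu@UPENN.EDU'

SAMPLE_INETD='# Kerberized services, Kerberos-only mode
ftp stream tcp nowait root /usr/local/sbin/ftpd ftpd -a
telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid'

SAMPLE_LS='-rw------- 1 root root 298 Jan 10 09:12 /etc/krb5.keytab'

if verify_host machine.dept.upenn.edu "$SAMPLE_KLIST" "$SAMPLE_INETD" "$SAMPLE_LS"; then
    echo "machine.dept.upenn.edu: keytab and inetd.conf are set for Kerberos-only TELNET/FTP"
else
    echo "machine.dept.upenn.edu: configuration incomplete" >&2
fi
```

On a live host the same call is verify_host "$(hostname -f)" "$(klist -k /etc/krb5.keytab)" "$(cat /etc/inetd.conf)" "$(ls -l /etc/krb5.keytab)"; for the mixed-mode entries expect "" for ftp and "-a none" for telnet from inetd_service_args. Run it before sending SIGHUP to inetd, so a missing key or a typo in the entry is caught before the services are exposed.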