Critical Host Compliance Information for UNIX Systems Administrators

General Information

Administration differences when using Kerberos

Instructions for bringing particular services into compliance

The following server software satisfy the requirements of the critical host policy.

First, these are a given for any of the software in the grid below:

Time sync software. Kerberos needs each server and client to agree on the time. Most modern systems come with time syncronization software which simply need configuration to use Penn's time servers, but it open-source packages are freely available.

The base Kerberos Distribution. Penn uses MIT Kerberos Version 5.

Service	Software
telnet, ftp	Install using instructions on Installing Kerberized Telnet and FTP,
https	A commonly-used solution is the Apache webserver (http://www.apache.org) and the accompanying mod_ssl module Netscape Server with SSL is another option Regardless of server, you must obtain and install a host certificate from a certificate authority such as Thawte.
imap, pop	Installing Kerberized POP and IMAP services with Kerberos. Without Kerberos, Installing POP and IMAP services with SSL
SMTP	Install the Cyrus SASL library using our installation hints. Next, recompile `sendmail` to use SASL. See Installing Kerberized SMTP services. Other packages: qmail ( www.qmail.org), perhaps with a modified checkpassword program such as radcheckpassword which authenticates using RADIUS; or Postfix (www.postfix.org) . Also, see http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html for a comparison grid for SMTP authentication.

No other services are required to use strong authentication by the Critical Host policy, however, some commonly used UNIX services offer options to use strong authentication. For example:

Service	Software
sshd	See the OpenSSH home page, http://www.openssh.org/. Ensure your copy is not one of the trojaned releases.



Information Systems and Computing University of Pennsylvania Comments & Questions