
Critical Host Compliance Information for Macintosh Systems Administrators

The following server solutions satisfy the requirements of the critical host policy.

| Service | MacOS Version | Software |
|---|---|---|
| telnet | OS X, 10.1.2 or later | Either install the MIT Kerberos krb5 distribution from the Terminal window (console) using the Unix directions, or OS 10.2.x will include MIT's Kerberos distribution (still to be confirmed: server as well as client?). Check for security patches! |
| telnet | All pre-OS X 10.1.2 Macs | No Kerberos option is available for Kerberos5. No strong authentication option found. |
| https | Mac OS X | Apache is included in the distribution. We recommend upgrading to the latest version of Apache and OpenSSL. Other servers with SSL such as WebStar. Order Thawte SSL/TLS Server Certificates to take advantage of Penn's bulk-purchase agreements. |
| https | MacOS 8.6 and higher | Other servers with SSL such as WebStar. Order Thawte SSL/TLS Server Certificates to take advantage of Penn's bulk-purchase agreements. |

No other services are required to use strong authentication as per the Critical Host policy; however, some commonly used Mac services have a number of options to use strong authentication:

| Service | MacOS Version | Software |
|---|---|---|
| In general | Mac OS X: 10.1.2 or later | Use standard Unix distribution and installation method. For help with managing Mac users to PennKeys, also see how Macintosh Manager helps with Kerberos installations. Don't let the MIT documentation confuse you: note that Kerberos for Macintosh 4.0 is only client software. |
| ftpd | MacOS 8.x (8.6 and up) | No strong authentication solution found. Secure FTP Wrapper may be of use if there is a Java 2 runtime for pre-OS X Macs. |
| ftpd | MacOS X | Use standard Unix distribution and installation method. The MIT documentation may confuse; note that Kerberos for Macintosh 4.0 is only client software. |
| pop | Pre-OS X | Untested: Pine's package apparently supports GSSAPI. See ftp://ftp.cac.washington.edu/pine/pine.tar.gz. Could be client-only, not server, though. |
| imap | Pre-OS X | Untested: UW's imapd apparently supports GSSAPI. Could be client-only, not server, though. |
| SMTP | OS X 10.1.3 and up | Apple Mail Server with SMTP AUTH enabled |
| kadmin | OS X; Pre-OS X | Not available as part of Penn's client software. Instead: on OS X, build from MIT source; on pre-OS X, upgrade to OS X, then build from MIT source. |
| FileMaker Pro | Any | No strong authentication method found. The newly-released Version 6 still needs to be investigated. |
| Appleshare | Appleshare IP 6.3.3 | Basic information about encryption and encryption with respect to e-mail |
| Authentication to Active Directory domains | | Use Microsoft document. |
| Authentication to non-Active Directory domains, i.e., WinNT | OS 8.6 and up | Use Microsoft document. |

References

MIT's main Mac Kerberos site

MIT OS X Kerberos FAQ

NetInfo (niutil) instructions for use with Kerberos. Use these instead of the /etc/services change specified in the generic MIT Kerberos instructions.


Information Systems and Computing
University of Pennsylvania