This document, "HP Open Source Security for OpenVMS Volume 3: Kerberos," is a technical manual published in July 2006. It describes how to install, configure, and use Kerberos Version 3.0 for OpenVMS, which is based on MIT Kerberos V5 Release 1.4.1. The information applies to OpenVMS I64 Version 8.2 or higher and OpenVMS Alpha Version 7.3-2 or higher, superseding an earlier Version 8.2 manual.
Key Information:
- Purpose: To provide strong authentication for client/server applications over insecure network connections using secret-key cryptography, including privacy and data integrity.
- Target Audience: Application developers implementing the Kerberos protocol on OpenVMS.
Core Concepts:
- Kerberos: A network authentication protocol for verifying identities of "principals" (users/hosts) in an administrative domain called a "realm."
- Key Distribution Center (KDC): The central server responsible for authentication and issuing "tickets" (credentials). It consists of the Authentication Service and the Ticket-Granting Service.
- Tickets (Credentials): Electronic information used to verify identity, including an initial Ticket-Granting Ticket (TGT) for obtaining service-specific tickets.
- Security Limitations: Kerberos does not address denial-of-service attacks, requires secret keys to remain secret, and doesn't inherently solve password-guessing issues.
Installation and Configuration:
- Prerequisites: Requires HP OpenVMS (specific versions listed above) and HP TCP/IP Services (specific versions).
- Process: Involves configuring the hostname as a Fully Qualified Domain Name (FQDN), installing the Kerberos kit (available on OpenVMS V8.3 media or via download for earlier versions), running the configuration procedure (KRB$CONFIGURE), and starting the Kerberos services (KRB$STARTUP).
- Integration: Detailed steps are provided for configuring Kerberos with OpenVMS Telnet and OpenVMS SSH, including creating user and host principals and keytabs.
- Kerberos ACME Agent: Introduces pre-production images for an ACME agent that integrates Kerberos credential acquisition into the OpenVMS login process, authenticating against the KDC database instead of the User Authorization File (UAF).
Client and Administrative Programs: Describes various utility programs:
- User Client Programs: kinit (obtain tickets), klist (display tickets), kdestroy (delete tickets), kpasswd (change password).
- Administrative Programs: kadmin/kadmin_local (administer the database), kdb5_util (create/destroy/dump/load the database), ktutil (edit keytab entries), kprop (propagate the KDC database to slave KDCs).
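The ticket flow summarized under Core Concepts (Authentication Service issuing a TGT, Ticket-Granting Service issuing service tickets, the service checking the ticket it is shown) and the client-side behaviour of kinit, as an added example; this is not code from the HP manual or from MIT Kerberos. The realm EXAMPLE.COM, the principals alice and host/vms1.example.com, the password and all keys are constructed, and the seal/unseal routines are a toy authenticated-encryption stand-in, not a Kerberos enctype. The final check shows why the manual lists password guessing as an unsolved problem: the AS reply is readable only with the password-derived key, so a wrong password fails at the client rather than being refused by the KDC.

```python
# Added example, not code from the HP manual or MIT Kerberos: toy model of the AS, TGS
# and AP exchanges. Names, passwords and keys are constructed; the cipher is a stand-in.
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"                    # constructed realm
TGS_NAME = f"krbtgt/{REALM}@{REALM}"     # Ticket-Granting Service principal

def string_to_key(password, principal):
    # Stand-in for string-to-key: password with the principal name as salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key, msg):
    # Toy authenticated encryption: HMAC keystream XOR, then an HMAC tag.
    plain, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    # Inverse of seal(); ValueError if the key is wrong or the blob was altered.
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(b ^ s for b, s in zip(body, _stream(key, nonce, len(body)))))

class KDC:
    """Principal database plus the Authentication and Ticket-Granting Services."""
    def __init__(self, db, ticket_life=600):
        self.db, self.life = db, ticket_life          # principal -> long-term key
    def _issue(self, cname, sname):
        # Ticket sealed under sname's long-term key, plus the matching reply part.
        part = {"key": os.urandom(32).hex(), "sname": sname, "expires": int(time.time()) + self.life}
        return seal(self.db[sname], dict(part, cname=cname)), part
    def as_exchange(self, cname, nonce):
        # AS-REQ -> AS-REP: TGT plus a reply part only the password holder can open.
        tgt, part = self._issue(cname, TGS_NAME)
        return tgt, seal(self.db[cname], dict(part, nonce=nonce))
    def tgs_exchange(self, tgt, authenticator, sname):
        # TGS-REQ -> TGS-REP: open the TGT with the krbtgt key, then issue for sname.
        body = unseal(self.db[TGS_NAME], tgt)
        if body["expires"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        if auth["cname"] != body["cname"]:
            raise ValueError("authenticator does not match TGT")
        ticket, part = self._issue(body["cname"], sname)
        return ticket, seal(bytes.fromhex(body["key"]), part)

class Client:
    # Client side; self.cache stands in for the credential cache that kinit fills.
    def __init__(self, principal, password, kdc):
        self.name, self.kdc, self.cache = principal, kdc, {}
        self.key = string_to_key(password, principal)
    def _authenticator(self, key):
        return seal(key, {"cname": self.name, "ctime": int(time.time())})
    def kinit(self):
        nonce = int.from_bytes(os.urandom(4), "big")
        tgt, rep = self.kdc.as_exchange(self.name, nonce)
        part = unseal(self.key, rep)          # wrong password -> ValueError here
        if part["nonce"] != nonce:
            raise ValueError("AS-REP nonce mismatch")
        self.cache[TGS_NAME] = (tgt, bytes.fromhex(part["key"]))
    def get_service_ticket(self, sname):
        tgt, tgt_key = self.cache[TGS_NAME]
        ticket, rep = self.kdc.tgs_exchange(tgt, self._authenticator(tgt_key), sname)
        self.cache[sname] = (ticket, bytes.fromhex(unseal(tgt_key, rep)["key"]))
    def ap_req(self, sname):
        ticket, key = self.cache[sname]
        return ticket, self._authenticator(key)

def service_accept(service_key, sname, ticket, authenticator):
    # Server side of AP-REQ, as a daemon holding the service's keytab key does it.
    body = unseal(service_key, ticket)       # rejects tickets not sealed under our key
    if body["sname"] != sname or body["expires"] < time.time():
        raise ValueError("ticket not for this service or expired")
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    if auth["cname"] != body["cname"] or abs(auth["ctime"] - time.time()) > 300:
        raise ValueError("authenticator mismatch or clock skew")
    return body["cname"]

def demo(password="constructed-pw"):
    user, service = f"alice@{REALM}", f"host/vms1.example.com@{REALM}"
    svc_key = os.urandom(32)
    kdc = KDC({user: string_to_key(password, user), service: svc_key, TGS_NAME: os.urandom(32)})
    client = Client(user, password, kdc)
    client.kinit()                           # AS exchange: TGT lands in the cache
    client.get_service_ticket(service)       # TGS exchange: service ticket in the cache
    try:                                     # wrong password: AS-REP cannot be opened
        Client(user, "wrong", kdc).kinit()
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return {"who": service_accept(svc_key, service, *client.ap_req(service)),
            "wrong_password_rejected": wrong_pw_rejected}
```

`demo()` runs the three exchanges end to end and returns the client name the service authenticated, plus whether a second client with the wrong password was turned away. The service never sees the user's password or long-term key; it trusts the ticket only because it opens under the key in its own keytab, which is why the manual's Telnet and SSH integration steps revolve around creating host principals and keytabs.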
Programming Concepts:
- Provides an overview of building Kerberos applications on OpenVMS, including compilation (using specific include qualifiers) and linking (using shareable libraries in 64-bit and 32-bit formats).
- Includes descriptions of DCL and GMAKE example programs (GSSAPI and KRB5 API examples) to demonstrate client/server authentication and secure communication.
API Reference: Contains detailed C language binding documentation for:
- GSSAPI (Generic Security Services Application Programming Interface): Provides security services for authentication, delegation, confidentiality, and integrity.
- KRB5 (Kerberos V5) Application Programming Interface: Core Kerberos API routines, including a list of obsolete APIs and their replacements.
Open Source Notices: Acknowledges the contributions of MIT and Project Athena to Kerberos, and includes copyright notices from MIT, OpenVision Technologies, Inc., and the University of California at Berkeley, detailing terms of use, redistribution, and disclaimers.