"Bacon, Benjamin" wrote:
> I was wondering if anyone has implemented a DCE security environment with
> Net View? I am looking for the capability to use the same user and password
> for the actual AIX login and for Net View Security. I would like to know
> the NV requirements for implementing DCE? Is there any documentation that I
> could be referred to? How much configuration and maintenance is required
> for the DCE/NV environment?
> Benjamin Bacon
We did at IBM Austin, when I worked there. It was NV V4.0. Actually,
we were also running V3.0 of the Tivoli Framework, too. (Just for
completeness it was the AIX 4.1.3 days with DCE 2.1). Actually, we had
a setup where all non-admin users were going to both AFS/Kerb4 and DCE.
If you enable the DCE login, NetView (or any other application) should
not be able to distinguish it from using /etc/passwd, since it's hooked
at the system call level.
However, there are some caveats:
- You do not get ticket or token passing without going out and getting
replacements for the things like rsh, or rexec, and similar
- If DFS is involved there's an additional set of complications.
But most importantly, a lot of applications like telnet, ftp, dtlogin,
Windows in general, and even Web Servers in general (that aren't using
SSL) will not protect your Kerberos password from clear text
transmission. The problem in general is that a lot of these applications
compromise Kerberos in exactly the area it was supposed to protect
against. Primarily because the link between the input devices and the
Kerberos client is NOT secure.
If you're using DCE for the Single Sign-on aspect, OK. But be careful
if you're assuming you're getting the normal security of Kerberos
without doing a lot of additional work.