
Kerberos Version 1.0 for OpenVMS Alpha and OpenVMS VAX Security Client

Installation Guide and Release Notes

Kerberos Version 1.0 for OpenVMS, 
based on MIT Kerberos V5 Release 1.0.5


Contents  

Overview
Prerequisites
Documentation
Installation
Sample installation log
Release notes


Overview

Kerberos Version 1.0 for OpenVMS Security Client, based on MIT
Kerberos V5 Release 1.0.5, is now available on OpenVMS Alpha and
OpenVMS VAX. 

Kerberos is a network authentication protocol designed to provide
strong authentication for client/server applications by using
secret-key cryptography. 

Kerberos was created by the Massachusetts Institute of Technology as a
solution to network security problems. The Kerberos protocol uses
strong cryptography so that a client can prove its identity to a
server (and vice versa) across an insecure network connection. After a
client and server have used Kerberos to prove their identity, they can
also encrypt all of their communications to assure privacy and data
integrity. 

Kerberos is freely available from MIT, under a copyright permission
notice. Kerberos for OpenVMS is supplied by Compaq Computer
Corporation under the terms of the license from the Massachusetts
Institute of Technology. For more information on the Kerberos license,
please see http://web.mit.edu/kerberos/www/. 


Prerequisites

Compaq Computer Corporation supports the following configuration: 

Operating System 

OpenVMS Alpha or OpenVMS VAX Version 7.1 or later. 

TCP/IP Transport 

Compaq TCP/IP Services for OpenVMS Version 5.0 or higher. 

Compaq supports Compaq TCP/IP Services for OpenVMS, and is actively 
working with third-party TCP/IP vendors to test Kerberos on other 
TCP/IP implementations. 


Documentation

The Kerberos for OpenVMS Installation Guide and Release Notes (this 
document) contains OpenVMS-specific information about installing the 
kit, release notes, and known problems. 

General information about Kerberos is available at 
http://web.mit.edu/kerberos/www/. 

The following Kerberos documentation is available from the OpenVMS
documentation CD-ROM. This is the documentation that is included in
the MIT distribution and is not specific to OpenVMS. 

Kerberos V5 Installation Guide
Kerberos V5 User's Guide
Kerberos V5 System Administrator's Guide
Upgrading to Kerberos V5 from Kerberos V4 


Installation

To install the Kerberos kit, perform the following steps from a 
privileged OpenVMS username (for example, SYSTEM). 

1.  Set default to the directory where the kit resides. 
The kit name is CPQ-ALPVMS-KERBEROS-V0100--1.PCSI.

2.  Enter the following command.  The /HELP qualifier gives additional 
information. 

    $ PRODUCT INSTALL KERBEROS
 
3.  Insert the following line into SYS$MANAGER:SYSTARTUP_VMS.COM. This 
line must be entered after the startup command for Compaq TCP/IP 
Services for OpenVMS. (If you start Compaq TCP/IP Services for OpenVMS 
as a batch job, be sure that TCP/IP has started before you start 
Kerberos.) 
 
    $ @SYS$STARTUP:KRB$STARTUP.COM

4.  Insert the following line in SYS$MANAGER:SYSHUTDWN.COM. 

    $ @SYS$STARTUP:KRB$SHUTDOWN.COM

5.  Add the following line to your SYLOGIN command procedure, or into the 
LOGIN.COM of each user who wants to use Kerberos. 

    $ @SYS$MANAGER:KRB$SYMBOLS

6.  After the installation is complete, run the following command 
procedure to configure the Kerberos clients and servers. 

    $ @SYS$STARTUP:KRB$CONFIGURE.COM

7.  Read the Kerberos V5 Installation Guide for additional setup and 
configuration information. 


Sample Installation on an Alpha System

Username: system
Password: 

     Last interactive login on Monday, MARCH 5, 2001 11:12 AM
    Last non-interactive login on Thursday, MARCH 1, 2001 02:30 PM

Executing SYS$COMMON:[SYSMGR]SYSTARTUP_SYSSYMBOLS.COM;8
 
$ product install kerberos
 
   1 - CPQ ALPVMS KERBEROS V1.0            Layered Product
   2 - Exit
 
Choose one or more items from the menu separated by commas: 1
 
The following product has been selected:
    CPQ ALPVMS KERBEROS V1.0               Layered Product
 
Do you want to continue? [YES] <CR>
 
Configuration phase starting ...
 
You will be asked to choose options, if any, for each selected product
and for any products that may be installed to satisfy software
dependency requirements. 
 
CPQ ALPVMS KERBEROS V1.0 
 
Do you want the defaults for all options? [YES] <CR>
 
Do you want to review the options? [NO] <CR>
 
Execution phase starting ...

The following product will be installed to destination:
    CPQ ALPVMS KERBEROS V1.0       DISK$ALPHASYS:[VMS$COMMON.]

Portion done: 
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

The following product has been installed:
    CPQ ALPVMS KERBEROS V1.0               Layered Product

%PCSI-I-IVPEXECUTE, test procedure executing ...
%PCSI-I-IVPSUCCESS, test procedure completed successfully
 
CPQ ALPVMS KERBEROS V1.0
 
    Insert the following lines in SYS$MANAGER:SYSTARTUP_VMS.COM:
        @SYS$STARTUP:KRB$STARTUP.COM
    Insert the following lines in SYS$MANAGER:SYSHUTDWN.COM:
        @SYS$STARTUP:KRB$SHUTDOWN.COM
 
Users of this product require the following lines in their login 
command procedure:

        $ @SYS$MANAGER:KRB$SYMBOLS
 
    Configure the OpenVMS Kerberos clients & servers 
 
    Please take the time to run the following command after the 
installation:
    
        @SYS$STARTUP:KRB$CONFIGURE.COM
    
    The Kerberos 5 V1.0 documentation has been provided as it was received 
from MIT.  This documentation may differ slightly from the OpenVMS 
Kerberos implementation since it still assumes a Unix environment. The
documents are: 
    
        KRB$ROOT:[DOC]IMPLEMENT.PDF
        KRB$ROOT:[DOC]LIBRARY.PDF
        KRB$ROOT:[DOC]ADMIN-GUIDE.PS
        KRB$ROOT:[DOC]INSTALL-GUIDE.PS
        KRB$ROOT:[DOC]KRB425-GUIDE.PS
        KRB$ROOT:[DOC]USER-GUIDE.PS
    
$ logout
  SYSTEM       logged out at MARCH 6, 2001 11:15 AM


Sample Configuration on an Alpha System

$  @SYS$STARTUP:KRB$CONFIGURE.COM

  Kerberos V1.0 for OpenVMS Configuration Menu

  Configuration options:

           1  -  Setup Client configuration
           2  -  Edit Client configuration

           3  -  Setup Server configuration
           4  -  Edit Server configuration

           5  -  Shutdown Servers
           6  -  Startup Servers

           E  -  Exit configuration procedure

  Enter Option: 1

Where will the OpenVMS Kerberos 5 V1.0 KDC be running [ <node> ]: <CR>
What is the OpenVMS Kerberos 5 V1.0 default domain [ <domain> ]: <CR>
What is the OpenVMS Kerberos 5 V1.0 Realm name [ <realm> ]: <CR>

Press Return to continue ...


  Kerberos V1.0 for OpenVMS Configuration Menu

  Configuration options:

           1  -  Setup Client configuration
           2  -  Edit Client configuration

           3  -  Setup Server configuration
           4  -  Edit Server configuration

           5  -  Shutdown Servers
           6  -  Startup Servers

           E  -  Exit configuration procedure

  Enter Option: 3

Where will the OpenVMS Kerberos 5 V1.0 KDC be running [ <node> ]: <CR>
What is the OpenVMS Kerberos 5 V1.0 default domain [ <realm> ]: <CR>
What is the OpenVMS Kerberos 5 V1.0 Realm name [ <realm> ]: <CR>
The type of roles the KDC can perform are:
    NO_KDC     -- where the KDC will not be run
    SINGLE_KDC -- where the KDC is the only one in the realm
    MASTER_KDC -- where the KDC is the master of 1 or more other KDCs
    SLAVE_KDC  -- where the KDC is slave to another KDC
What will be the KDC's role on this node [ NO_KDC ]: MASTER

Create the OpenVMS Kerberos 5 V1.0 database [ Y ]: <CR>

Creating OpenVMS Kerberos 5 V1.0 database ...

Initializing database 'krb$root:[krb5kdc]principal' for realm '<realm>',
master key name 'K/M@<realm>'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: <MASTER_KEY>
Re-enter KDC database master key to verify: <MASTER_KEY>
Priority: info
No dictionary file specified, continuing without one.

Please enter a default OpenVMS Kerberos 5 V1.0 administrator [ SYSTEM ]: <CR>
Enter password for principal "SYSTEM/admin@<realm>": <PASSWORD>
Re-enter password for principal "SYSTEM/admin@<realm>": <PASSWORD>
Principal "SYSTEM/admin@<realm>" created.
Priority: info
No dictionary file specified, continuing without one.

Create OpenVMS Kerberos 5 V1.0 principals [ Y ]: NO
Priority: info
No dictionary file specified, continuing without one.

Entry for principal kadmin/admin with kvno 3, encryption type 
DES-CBC-CRC added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
Priority: info
No dictionary file specified, continuing without one.

Entry for principal kadmin/changepw with kvno 3, encryption type 
DES-CBC-CRC added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

Press Return to continue ...


  Kerberos V1.0 for OpenVMS Configuration Menu

  Configuration options:

           1  -  Setup Client configuration
           2  -  Edit Client configuration

           3  -  Setup Server configuration
           4  -  Edit Server configuration

           5  -  Shutdown Servers
           6  -  Startup Servers

           E  -  Exit configuration procedure

  Enter Option: 6


Starting OpenVMS Kerberos 5 V1.0 Servers (Role: MASTER_KDC)...

Starting OpenVMS Kerberos 5 V1.0 server KRB$KRB5KDC ...
%RUN-S-PROC_ID, identification of created process is 0000023B
Starting OpenVMS Kerberos 5 V1.0 server KRB$KADMIND ...
%RUN-S-PROC_ID, identification of created process is 0000023D

Press Return to continue ...


  Kerberos V1.0 for OpenVMS Configuration Menu

  Configuration options:

           1  -  Setup Client configuration
           2  -  Edit Client configuration

           3  -  Setup Server configuration
           4  -  Edit Server configuration

           5  -  Shutdown Servers
           6  -  Startup Servers

           E  -  Exit configuration procedure

  Enter Option: e

$


Release Notes


- Kerberos command lines entered are changed to upper case 

When you enter commands at the Kerberos prompt, the commands you enter 
are changed to uppercase unless they are enclosed in quotation marks. 
For portions of the command that contain lowercase letters like 
principal names and passwords, be sure to use quotation marks. This 
does not apply to password prompting. 

In the following example, foobar was changed to uppercase because it 
was not enclosed in quotation marks. 

Kerberos> modify password foobar /password="passfoobar"
Password for "FOOBAR@REALM" changed.
Kerberos> modify password foobar
Enter password for principal "FOOBAR": foobarpass
Re-enter password for principal "FOOBAR":  foobarpass
change_password: password for "FOOBAR@REALM" changed.
Kerberos> exit
$ 


- Kerberos KDC Propagation Daemon on OpenVMS fails on slave 
KDC systems on OpenVMS 

The Kerberos KDC Propagation Daemon on OpenVMS unexpectedly
fails on slave KDC systems on OpenVMS, causing scheduled KDC
propagation to not update the slave's KDC database. 

Workaround: Set up the propagation daemon as a TCP/IP service. As 
such, the daemon will run only when an update request is made to the 
slave KDC system from the master. The daemon will execute and then 
exit. To set up the service, the following commands may be used either 
manually or saved and executed as a .COM file. This setup procedure 
need only be done once. 

$!
$! Sets up Kerberos5 propagation daemon as TCP/IP service
$!
$ tcpip set service krb5_prop -
        /file=krb$root:[bin]krb$kpropd.com -
        /port=754 -
        /user=SYSTEM -
        /process_name=KRB$KPROP -
        /log_options=(file=sys$manager:krb$kprop.log,all)
$!
$ tcpip enable service krb5_prop 
$!
$ tcpip show service/full krb5_prop 
$!
$ exit


- Problem obtaining a ticket granting ticket 

A problem exists where you cannot obtain a ticket granting ticket from 
a Tru64 Unix (Digital UNIX V4.0F (Rev. 1229)) system running an MIT 
Kerberos5 1.1.x KDC. If this problem occurs, you receive the following 
error: 

"KINIT: Cannot contact any KDC for requested realm while getting 
initial credentials"

The KDC appears to be active and running on the Tru64 system. 

Analysis: This is not a problem with the Kerberos Client on OpenVMS, 
and will appear on any system that attempts to access this particular 
KDC. If the KDC is installed on the Tru64 Unix system (as outlined in 
the Kerberos Installation Guide) so that it starts at system boot time 
by making entries in the file inittab, this problem results. At system 
startup, the KDC loops, appearing as though it is active and ready to 
service requests. The reason for this behavior is unknown. 

Workaround: The KDC must be started manually. First, if the KDC 
process is running and is looping, kill the process. Then issue the 
command /usr/local/sbin/krb5kdc from a terminal window or command line 
prompt to manually start the KDC. The KDC will then start properly and 
begin servicing requests. 


- UNIX to OpenVMS file naming differences 

The Kerberos documentation is written for a UNIX audience. When 
reading the Kerberos documentation, note the following differences 
between UNIX and OpenVMS: 

File specification format 

The following example shows the differences in the file specification 
format of a lock file. In this example, the UNIX file specification 
/usr/local/var/krb5kdc/principal.kadm5.lock is equivalent to 
KRB$ROOT:[KRB5KDC]PRINCIPAL_KADM5_LOCK.;1 on OpenVMS. 

Configuration file format 

The following examples show the differences in format of two 
configuration files, krb5.conf and kdc.conf. 

The krb5.conf file on a UNIX system is as follows: 

[libdefaults]
    ticket_lifetime = 600
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu:749
        default_domain = mit.edu
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

The krb5.conf file on an OpenVMS system is as follows: 

[libdefaults]
        default_realm = NODE32.DEC.COM
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc

[realms]
        NODE32.DEC.COM = {
                kdc = node32.zko.dec.com:88
                admin_server = node32.zko.dec.com:749
                default_domain = zko.dec.com
        }

[domain_realm]
        .zko.dec.com = NODE32.DEC.COM
        zko.dec.com = NODE32.DEC.COM

[logging]
         kdc = FILE=krb$root:[log]krb$krb5kdc.log
         admin_server = FILE=krb$root:[log]krb$kadmind.log
         default = FILE=krb$root:[log]krb5lib.log

The kdc.conf file on a UNIX system is as follows: 

[kdcdefaults]
    kdc_ports = 88,750

[realms]
    ATHENA.MIT.EDU = {
        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        dict_file = /usr/local/var/krb5kdc/kadm5.dict
        key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-crc:normal
    }

The kdc.conf file on an OpenVMS system is as follows: 

[kdcdefaults]
        kdc_ports = 750,88
        clockskew = 5000

[realms]
        NODE32.DEC.COM = {
          database_name = krb$root:[krb5kdc]principal
          admin_keytab = krb$root:[krb5kdc]kadm5.keytab
          acl_file = krb$root:[krb5kdc]kadm5.acl
          key_stash_file = krb$root:[krb5kdc]_k5_NODE32_DEC_COM
          kdc_ports = 750,88
          max_life = 10h 0m 0s
          max_renewable_life = 7d 0h 0m 0s
          master_key_type = des-cbc-crc
          supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        }
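As an added illustration (not part of the original kit or this guide), a small Python parser for the krb5.conf/kdc.conf profile format shown above. The sample configuration is constructed from the OpenVMS krb5.conf values in this document; the parser splits each line on its first "=" only, because the OpenVMS logging targets (FILE=krb$root:[log]...) carry an "=" inside the value where the UNIX form uses FILE:, and it keeps repeated keys (several kdc lines, as in the UNIX example) as a list.

```python
# Minimal parser for the MIT krb5.conf / kdc.conf profile format: [section]
# headers, "key = value" lines and nested "key = {" ... "}" blocks.  Keys may
# repeat (several kdc lines), so leaf values are kept as lists.  Lines are
# split on the FIRST '=' only: OpenVMS logging targets such as
# FILE=krb$root:[log]krb$krb5kdc.log contain '=' inside the value.

# Constructed sample, modelled on the OpenVMS krb5.conf shown in this document.
OPENVMS_KRB5_CONF = """\
[libdefaults]
        default_realm = NODE32.DEC.COM
        default_tkt_enctypes = des-cbc-crc

[realms]
        NODE32.DEC.COM = {
                kdc = node32.zko.dec.com:88
                admin_server = node32.zko.dec.com:749
                default_domain = zko.dec.com
        }

[logging]
         kdc = FILE=krb$root:[log]krb$krb5kdc.log
         default = FILE=krb$root:[log]krb5lib.log
"""


def parse_profile(text):
    """Return {section: {key: [values] | nested dict}} for profile text."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]  # new top-level section
            continue
        if line == "}":
            stack.pop()                                # close nested relation
            continue
        key, _, value = line.partition("=")            # first '=' only
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))  # open nested relation
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def log_target(cfg, name):
    """The [logging] destination for `name`, with any '=' in the value kept."""
    return cfg["logging"][name][0]
```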

