5.1.1 Digital SIA

How to install the SIA module depends on which OS version you're running. Tru64 5.0 has a new command, siacfg, which makes this process quite simple. If you have this program, you should just be able to run:

     siacfg -a KRB5 /usr/athena/lib/

On older versions, or if you want to do it by hand, you have to do the following (not tested by us on Tru64 5.0):

Users with local passwords (like `root') should be able to login safely.

When using Digital's xdm the `KRB5CCNAME' environment variable isn't passed along as it should (since xdm zaps the environment). Instead you have to set `KRB5CCNAME' to the correct value in /usr/lib/X11/xdm/Xsession. Add a line similar to

     KRB5CCNAME=FILE:/tmp/krb5cc`id -u`_`ps -o ppid= -p $$`; export KRB5CCNAME
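A stricter variant of that Xsession line, as an added example that is not part of the original manual or of Heimdal: it exports `KRB5CCNAME' only when the expected cache is a regular file owned by the user with no group or other permission bits. The function names and the optional directory argument are assumptions; the cache name format is the one shown above.

```sh
# Added example, not Heimdal code. Function names and the optional directory
# argument are assumptions; the cache name format is the one shown above.

# Print the cache file name for uid $1 and parent pid $2 (directory $3, default /tmp).
krb5_ccache_file() {
    printf '%s/krb5cc%s_%s\n' "${3:-/tmp}" "$1" "$2"
}

# Succeed only if $1 is a regular file (not a symlink), owned by numeric
# uid $2, with no group or other permission bits set.
ccache_is_private() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    # After this, $3 is the mode string and $5 the numeric owner from ls -ldn.
    set -- "$1" "$2" $(ls -ldn "$1" 2>/dev/null)
    [ $# -ge 5 ] || return 1
    case $3 in
        -???------*) ;;
        *) return 1 ;;
    esac
    [ "$5" = "$2" ]
}

# Export KRB5CCNAME only when the expected cache passes the check.
set_krb5ccname() {
    uid=$(id -u)
    ppid=$(ps -o ppid= -p $$ | tr -d ' ')
    cc=$(krb5_ccache_file "$uid" "$ppid")
    ccache_is_private "$cc" "$uid" || return 1
    KRB5CCNAME=FILE:$cc
    export KRB5CCNAME
}

set_krb5ccname || :   # local-password sessions simply continue without it
```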

If you use CDE, dtlogin allows you to specify which additional environment variables it should export. To add `KRB5CCNAME' to this list, edit /usr/dt/config/Xconfig, and look for the definition of `exportList'. You want to add something like:

     Dtlogin.exportList:     KRB5CCNAME

Notes to users with Enhanced security

Digital's `ENHANCED' (C2) security and Kerberos solve two different problems. C2 deals with local security: it adds better control of who can do what, auditing, and similar things. Kerberos deals with network security.

To make C2 security work with Kerberos you will have to do the following.

At present `su' does not accept the vouching flag, so it will not work as expected.

Also, kerberised ftp will not work with C2 passwords. You can solve this by using both Digital's ftpd and ours on different ports.

Remember, if you make these changes you will get a system that most certainly does not fulfil the requirements of a C2 system. If C2 is what you want, for instance if someone else is forcing you to use it, you're out of luck. If you use enhanced security because you want a system that is more secure than it would otherwise be, you have probably got an even more secure system. Passwords will not be sent in the clear, for instance.