
Keytabs for unix authentication: hpss_unix_keytab – IBM RELEASE 7.3 User Manual



Keytabs are created for the user by the hpssuser utility when the krb5keytab or unixkeytab
authentication type is specified. Keytabs may also be created manually with the hpss_krb5_keytab or
hpss_unix_keytab utility, as described below.

3.3.2.3.1. Keytabs for Kerberos Authentication: hpss_krb5_keytab

The hpss_krb5_keytab utility may be used to generate a keytab with Kerberos authentication in the
form usable by the hpssadm program. See the hpss_krb5_keytab man page for details.

The Kerberos keytab is interpreted by the KDC of the Kerberos realm specified by the hpssadm utility
(see the -k and -u options on the hpssadm man page). This must be the same Kerberos realm as that
used by the System Manager. This means the hpss_krb5_keytab utility must be executed on a host in
the same realm as the System Manager.

This example for a user named "joe" on host "pegasus" creates a Kerberos keytab file named
"keytab.joe.pegasus":

% /opt/hpss/bin/hpss_krb5_keytab
HPSS_ROOT is not set; using /opt/hpss
KRB5_INSTALL_PATH is not set; using /krb5
password:
Your keytab is stored at /tmp/keytab.joe.pegasus

Note that under AIX, hpss_krb5_keytab will not write to an NFS-mounted filesystem. That's why the
utility insists on writing the keytab file in /tmp. Once the keytab is generated, it can be copied and used
elsewhere, but care should be taken to keep it secure.

3.3.2.3.2. Keytabs for UNIX Authentication: hpss_unix_keytab

The hpss_unix_keytab utility may be used to generate a keytab with UNIX authentication in the form
usable by the hpssadm program. See the hpss_unix_keytab man page for details.

The UNIX keytab is interpreted on the host on which the System Manager runs, not the host on which the
hpssadm client utility runs. The encrypted password in the keytab must match the encrypted password
in the password file on the System Manager host. Therefore, the hpss_unix_keytab utility must be
executed on the host on which the System Manager runs.

The hpss_unix_keytab utility must be able to read the user's encrypted password from the password file.
If system password files are being used, this means the utility must be executed as root.

This example for a user named "joe" creates a UNIX keytab file named "joe.keytab.unix":

% /opt/hpss/bin/hpss_unix_keytab -f joe.keytab.unix add joe

This command copies the encrypted password from the password file into the keytab.

Do not use the -r option of the hpss_unix_keytab utility; this places a random password into the keytab
file. Do not use the -p option to specify the password; this encrypts the password specified on the
command line using a different salt than what was used in the password file, so that the result will not
match.
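The following is an added illustration, not code from the HPSS manual or the hpss_unix_keytab utility, of why "add" works and "-p" does not: the System Manager compares the keytab's encrypted password with the one stored in its password file, and a salted hash of the same password only reproduces that stored value when the stored salt is reused. The hashing scheme (PBKDF2-HMAC-SHA256), the password-file contents and the user "joe" are constructed stand-ins for the crypt(3) entries a real host would hold.

```python
import hashlib
import hmac
import secrets

# Stand-in for the crypt(3) scheme of the System Manager host (assumption for this example).
ITERATIONS = 10_000


def derive(password: str, salt: str) -> str:
    """Bind the salt to the digest as 'salt$hex', the way crypt-style entries do."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"{salt}${dk.hex()}"


def salt_of(entry: str) -> str:
    """Recover the salt that prefixes a stored entry."""
    return entry.split("$", 1)[0]


def verify_password(password: str, stored: str) -> bool:
    """Correct check of a plaintext password: re-derive with the STORED salt."""
    return hmac.compare_digest(derive(password, salt_of(stored)), stored)


# Constructed password file on the System Manager host: joe's password is "s3cret".
PASSWD_FILE = {"joe": derive("s3cret", "x7Qm")}


def keytab_add(user: str) -> str:
    """'hpss_unix_keytab -f <file> add <user>': copy the encrypted password verbatim."""
    return PASSWD_FILE[user]


def keytab_with_p_option(password: str) -> str:
    """The '-p' path: encrypt the command-line password under a freshly chosen salt."""
    return derive(password, secrets.token_hex(2))  # hex salt, never equal to "x7Qm"


def system_manager_accepts(user: str, keytab_entry: str) -> bool:
    """What the System Manager does: compare the keytab's encrypted password to its own."""
    return hmac.compare_digest(keytab_entry, PASSWD_FILE[user])


if __name__ == "__main__":
    print("add  ->", system_manager_accepts("joe", keytab_add("joe")))
    print("-p   ->", system_manager_accepts("joe", keytab_with_p_option("s3cret")))
```

Even though the "-p" entry was derived from the right password, it fails the comparison because its salt differs; only a verifier that re-derives with the stored salt, as verify_password does, could relate the two.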

HPSS Management Guide

November 2009

Release 7.3 (Revision 1.0)

38