Patch Name: PHNE_6174 Patch Description: s700_800 10.10 Secure Internet Services patch for Telnet Creation Date: 96/02/20 Post Date: 96/03/13 Hardware Platforms - OS Releases: s700: 10.10 s800: 10.10 Products: N/A Filesets: InternetSrvcs.INETSVCS-RUN InternetSrvcs.INET-ENG-A-MAN Automatic Reboot?: No Status: Special Release Critical: No Path Name: /hp-ux_patches/s700_800/10.X/PHNE_6174 Symptoms: PHNE_6174: The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_6174: 1. The Telnet internet service (comprised of telnet(1) and telnetd(1M)) currently allows a user to access a remote system by typing a password. The password is transmitted to that remote system over a network. However, this represents a potential risk from intruders who may be listening over that network. An enhancement request exists asking for Telnet to prevent the password from being sent in a readable form. Defect Description: PHNE_6174: The following defect descriptions are for PHNE_6174: 1. The Telnet internet service does not provide network authentication to ensure that a local and remote host are mutually identified to each other in a secure and trusted manner. Network authentication using the Kerberos V5 mechanism should be provided as an enhancement for those customers who want to run Telnet in a Kerberos environment. SR: 4701312017 Patch Files: /usr/bin/telnet /usr/lbin/telnetd /usr/share/man/man1.Z/telnet.1 /usr/share/man/man1m.Z/telnetd.1m /usr/share/man/man5.Z/sis.5 /usr/share/doc/SIS.guide.ps /usr/share/doc/SIS.guide.txt what(1) Output: /usr/bin/telnet: Secure Internet Svcs - Revision 1.1.112.2 PHNE_6174 Sat Feb 10 22:58:48 GMT 1996 Copyright (c) 1988 Regents of the University of Cali fornia. main.c 1.10 (Berkeley) 11/18/88 commands.c 1.15 (Berkeley) 2/6/89 network.c 1.13 (Berkeley) 6/29/88 ring.c 1.10 (Berkeley) 6/29/88 sys_bsd.c 1.16 (Berkeley) 11/29/88 telnet.c 5.38 (Berkeley) 2/6/89 terminal.c 1.13 (Berkeley) 6/29/88 tn3270.c 1.16 (Berkeley) 11/30/88 utilities.c 1.11 (Berkeley) 2/6/89 authenc.c 8.1 (Berkeley) 6/6/93 auth.c 8.3 (Berkeley) 5/30/95 misc.c 8.1 (Berkeley) 6/4/93 encrypt.c 8.2 (Berkeley) 5/30/95 kerberos5.c 8.1 (Berkeley) 6/4/93 genget.c 8.2 (Berkeley) 5/30/95 forward.c 8.2 (Berkeley) 5/30/95 /usr/lbin/telnetd: Copyright (c) 1983, 1986 Regents of the University o f California. Secure Internet Svcs - $Revision: 1.24.112.7 $ $Date : 96/02/10 14:51:26 $ PHNE_6174 telnetd.c 5.31 (Berkeley) 2/23/89 authenc.c 8.1 (Berkeley) 6/4/93 auth.c 8.3 (Berkeley) 5/30/95 misc.c 8.1 (Berkeley) 6/4/93 encrypt.c 8.2 (Berkeley) 5/30/95 kerberos5.c 8.1 (Berkeley) 6/4/93 genget.c 8.2 (Berkeley) 5/30/95 forward.c 8.2 (Berkeley) 5/30/95 /usr/share/man/man1.Z/telnet.1: (none) /usr/share/man/man1m.Z/telnetd.1m: (none) /usr/share/man/man5.Z/sis.5: (none) /usr/share/doc/SIS.guide.ps: (none) /usr/share/doc/SIS.guide.txt: (none) cksum(1) Output: 110177961 487424 /usr/bin/telnet 2342740219 471040 /usr/lbin/telnetd 874799100 8254 /usr/share/man/man1.Z/telnet.1 3225310825 4510 /usr/share/man/man1m.Z/telnetd.1m 356183667 5873 /usr/share/man/man5.Z/sis.5 79560622 256736 /usr/share/doc/SIS.guide.ps 3036875464 86215 /usr/share/doc/SIS.guide.txt Patch Conflicts: PHNE_6068 Patch Dependencies: None Hardware Dependencies: None Other Dependencies: The following fileset must already be installed: * DCE-Core.DCE-CORE-RUN Supersedes: None Equivalent Patches: None Patch Package Size: 1350 Kbytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_6174 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHNE_6174.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHNE_6174.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. The cluster clients must be shut down as described in step 5b. By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_6174. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHNE_6174.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_6174.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: Note the following: * This patch should only be distributed to customers who wish to use the Kerberos V5 authentication mechanism to prevent passwords from being sent in a readable form. This patch includes all changes from the latest telnet patch (PHNE_6068), plus it includes Kerberos authentication enhancements. This patch does not make the PHNE_6068 patch obsolete, because not all customers will want this enhancement. * This patch includes an administration and usage guide "HP Secure Internet Services with Kerberos V5 Authentication and Authorization". The postscript (SIS.guide.ps) and ascii (SIS.guide.txt) versions of the document are found in /usr/share/doc. * A new man page, sis(5), is included in the patch. * This patch updates the /etc/services file to have the Kerberos specific port entries, if those entries do not exist. * Patch PHSS_6617 is required for support purposes for customers using a Kerberos environment. Patch PHSS_6617 contains a validation tool, a man page for the tool and the document "Using HP DCE 9000 Security with Kerberos Applications".