Close Window
 

NEWS YOU CAN USE FROM VANDYKE SOFTWARE®

A Monthly Newsletter - January 2004

The new year brings a new authentication method for you to consider. Our feature article expands on the new Kerberos v5 support in the secure product releases that shipped during December – yes, the same ones many of you didn't have time to look at during the holidays. Now is the time to check them out, whether you are just curious or are pursuing the holy grail of single sign-on. This month's tip shows how you can take SecureCRT® with you using a USB mini-drive. They're not just toys any more – if you touch a lot of machines it might be time to get one.


-------------
Contents
-------------

1. Feature – Using Kerberos v5 with SecureCRT et. al.
2. Tip –- Running SecureCRT from a USB Mini-Drive
3. News – SC Magazine Survey on IT Concerns
4. New Releases
5. Current Releases


--------------------------------------------------------------------------------------------
1. Feature – Using Kerberos v5 with VanDyke Secure Shell Software
--------------------------------------------------------------------------------------------


Have you ever been curious about Kerberos? Or just wished that public-key authentication was easier to manage in Secure Shell? This article covers the building blocks of using Kerberos in
VanDyke Software applications.

Kerberos is a generalized authentication service invented at MIT in the 1980s and freely distributed by them, which has become an Internet standard described by IETF RFC 1510. VanDyke Software applications support the GSSAPI interface, allowing Kerberos to be an alternate authentication method to Secure Shell public key. GSSAPI is a generic API for performing client/server authentication where the application need not know the specific authentication mechanism being used. GSSAPI serves as an integral component of the VanDyke Kerberos solution.

Microsoft Windows® 2000 or later with Active Directory® provides the necessary Kerberos infrastructure, including key server, time synchronization, DNS, and credentials for authenticated domain members. The most recent VanDyke Software servers and clients support Kerberos v5 through GSSAPI: VShell™ 2.2 Server, SecureCRT 4.1, SecureFX® 2.2, and Entunnel™ 1.1.

SecureCRT or SecureFX users with Kerberos configured through GSSAPI authenticate in a way similar to Secure Shell public key without passphrase. The client software receives Kerberos authentication tokens or "tickets" from the Kerberos server (a ticket can basically be understood to be a key). Kerberos runs well in VPN and Internet-based environments.

Is there a cost to Kerberos? Yes, and it varies depending on what systems you run. On the server side, you have to run another piece of software, a Kerberos server with its key distribution center or KDC. If you have a UNIX server that you want to serve as the KDC, this means getting the kerb
libraries and some configuration.

The good news for organizations with Windows 2000 or later servers is that Kerberos is already available as part of your Active Directory installation. A Windows server may also serve as the KDC for UNIX systems. Also in the positive category is the benefit that under Kerberos there is much lower overhead in managing user access rights. Yes, that's a big win indeed. Imagine not having to place user public keys or train users in properly protecting those local keys –- woo-hoo!

But seriously, folks, if this brief overview piques your interest and you would like to learn more about Kerberos, have a look at the references below. And as always, VanDyke Software Support staff are glad to field your questions on setting up SecureCRT or other products. Happy Kerberizing.

  1. VanDyke Software Help topic "GSSAPI Properties Dialog" in SecureCRT 4.1 and other current client applications.
  2. "Kerberos: The Definitive Guide" by Jason Garman, O'Reilly & Associates 2003, ISBN 0-596-00403-6, $34.95 US.
  3. MSDN – http://www.msdn.microsoft.com/ search term "kerberos".
  4. MIT Kerberos page – http://web.mit.edu/kerberos/www/.


---------------------------------------------------------------------------------
2. Tip – Running SecureCRT from a USB Flash Memory Drive
---------------------------------------------------------------------------------

Here's a dream: you walk up to any PC, and in seconds SecureCRT is securing your remote session – without ever installing a local copy! Well, this dream is a reality, and all it takes is a tiny, inexpensive USB storage device.

For SecureCRT 4.1 and later releases, it is relatively straightforward to make a copy of the software that will start from a desktop shortcut and run off a Thumbdrive or other USB drive. One nice advantage of this media type for network admins is extra security when switching machines: When you remove the mini-USB drive from whatever computer you choose to work on, your keys, passcards, and identities go with you so they cannot be stolen.

What follows is a quick overview of how to put SecureCRT on a USB drive. For complete instructions, see the following web page on the VanDyke Software web site.

http://www.vandyke.com/support/tips/usbdrive.html

1. Copy the SecureCRT installation folder (C:\Program Files\SecureCRT or other) to the USB drive. The top-level directory might have the following contents:

    <DIR> SecureCRT
    <DIR> Known Hosts
          SecureCRT.bat

2. Copy your Config folder into the USB device SecureCRT folder. This is usually found under:

    C:\Documents and Settings\%USERNAME%\Application Data\VanDyke\SecureCRT\Config

3. In Notepad or other text editor create a file named SecureCRT.lic with your license information (found in the registration letter) and place it in the USB SecureCRT folder. The format of the SecureCRT.lic file is as follows:

    Name=<name on reg letter>
    Company=<company name on reg letter>
    Serial Number=03-xx-xxxxxx
    Key=nnnnnn nnnnnn nnnnnn nnnnnn nnnnnn nnnnnn nnnnnn nnnnnn
    Issue Date=nn-nn-nnnn

4. If you know that the USB device will always have the same drive letter, create a shortcut to the SecureCRT.exe using that path. If not, you have to create a smart batch file or VBScript that passes the location of the application and config file at startup. The web page explains this in greater detail.

Of course, running SecureCRT on other machines than your home/office PC must be done in accordance with the software license agreement located in the SecureCRT program folder on your
machine.

Now get roaming!


---------------------------------------------------------------
3. News – SC Magazine Survey on IT Concerns
---------------------------------------------------------------

A 2003 poll of SC Magazine readers showed what is on their minds, and what they anticipate for the year ahead.

At the top of the list for the past year was dealing with the crushing number of Windows security patches. Ways of coping with the patches ranged from using System Update Services (SUS) to moving key systems away from Windows. Close behind patches were securing remote access to applications and containing virus outbreaks. Not far behind them was the bugaboo of staff who couldn't or wouldn't follow security procedures. At a lower level but still significant was the influx of spam, and trying to find the funds to handle all of these IT issues.

Looking ahead, readers anticipate that wireless access and identity management would demand attention in 2004, while those same issues flagged in 2003 won't go away. Regulatory compliance
is a spectre that some have already experienced, while others expect it to intrude soon.

For more information on this survey, including key technology areas, see the January 2004 issue of SC Magazine.


----------------------
4. New Releases
----------------------

Maintenance updates of official releases were made in January of 2004 to VShell 2.2.4, SecureCRT 4.1.1, SecureFX 2.2.1, CRT™ 4.1.1, and AbsoluteFTP® 2.2.1.

The official release of Entunnel 1.1 was posted on January 22nd. This new version adds Kerberos support and integration as for SecureCRT 4.1.1 and SecureFX 2.2.1.

When used with VShell 2.2, SecureCRT, SecureFX, and Entunnel provide support for Kerberos v5 authentication.

You can download new releases at:

http://www.vandyke.com/download/latestreleases.html

For quick access to previous official releases, go to:

http://www.vandyke.com/download/prevreleases.html


---------------------------
5. Current Releases
---------------------------

The following lists the latest official product releases:

SecureCRT 4.1.1
SecureFX 2.2.1
Entunnel 1.1
CRT 4.1.1
AbsoluteFTP 2.2.1
VShell 2.2.4 Server for Windows
VShell 2.2.4 Server for UNIX
    Red Hat Linux 7.x
    Red Hat Linux 8.x
    Red Hat Linux 9.x
    Solaris 8
    FreeBSD 4.8
    HP-UX 11
    Mac OS X 10.2
    AIX 4.3

To download any of our current releases, go to:

http://www.vandyke.com/download/latestreleases.html

All VanDyke Software products may be downloaded and evaluated at no cost for 30 days. Licenses include one year of free upgrades and unlimited access to our expert technical support.


Pass it along! If you find this monthly newsletter helpful and informative, forward it to co-workers or friends, or tell them where to sign up.

     http://www.vandyke.com/support/newsletter.html


Subscription Information
----------------------------------

VanDyke Company News is an opt-in mailing list. If you prefer not to receive e-mail like this from us, or need to change your e-mail address, go to:

http://www.vandyke.com/support/newsletter.html


  VanDyke Software, Inc.
  4848 Tramway Ridge Drive, NE
  Suite 101
  Albuquerque, NM 87111 USA


---

VanDyke Software, AbsoluteFTP, CRT, Entunnel, SecureCRT, SecureFX, and VShell are trademarks or registered trademarks of VanDyke Software, Inc.

All other products and services mentioned are trademarks or registered trademarks of their respective companies.

Close Window