KerbNet includes software and documentation developed at the Massachusetts Institute of Technology, which includes this copyright information:
Copyright © 1995, 1997 by the Massachusetts Institute of Technology.
Export of software employing encryption from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
KerbNet includes software and documentation developed by OpenVision Technologies, Inc., which includes this copyright notice:
The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/server, lib/kadm, and portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.OpenVision retains all rights, title, and interest in the donated Source Code. With respect to OpenVision's copyrights in the donated Source Code, OpenVision also retains rights to derivative works of the Source Code whether created by OpenVision or a third party. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.
KerbNet includes software and documentation developed at the University of California at Berkeley, which includes this copyright notice:
Copyright © 1983 Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
This product includes software developed by the University of California, Berkeley and its contributors.
Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions.
Congratulations on your purchase of KerbNet. Cygnus Solutions believes KerbNet provides the best network security available. Please let us know if we can be of assistance in getting your installation of KerbNet set up and running.
Since Kerberos negotiates authenticated, and optionally encrypted, communications between two points anywhere on the internet, it provides a layer of security that is not dependent on which side of a firewall either client is on. Since studies have shown that half of the computer security breaches in industry happen from inside firewalls, KerbNet from Cygnus Solutions will play a vital role in the security of your network.
This document is one piece of the document set for KerbNet. The documents, and their intended audiences, are:
Specific Guides for auxiliary KerbNet features that are not supported for all installations are also provided as necessary.
In this manual, we will represent your prompt as "shell%
".
So an instruction to type the "ls" command would be represented as
follows:
shell% ls
You should have install the KerbNet
programs in whichever directory makes the most sense for your system.
We will use /usr/cygnus/kerbnet
throughout this guide to refer to the
top-level directory KerbNet directory. We will therefore use
/usr/cygnus/kerbnet/bin
to denote the location of the KerbNet user
programs.
This chapter provides a simplified description of a general user's
interaction with the Kerberos system. This interaction happens
transparently--users don't need to know and probably don't care about
what's going on--but Kerberos administrators might find a schematic
description of the process useful. This description glosses over a lot
of details; for more information, see Kerberos: An Authentication
Service for Open Network Systems, a paper presented at Winter USENIX
1988, in Dallas, Texas. This paper can be retreived by FTP from
athena-dist.mit.edu
, in the location:
/pub/ATHENA/kerberos/doc/USENIX.ps
.
In an environment that provides network services, you use client programs to request services from server programs that are somewhere on the network. Suppose you have logged in to a workstation and you want to `rlogin' to a typical UNIX host. You use the local `rlogin' client program to contact the remote machine's `rlogind' daemon.
Under Kerberos, the `klogind' daemon allows you to login to a remote machine if you can provide `klogind' a Kerberos ticket which proves your identity. In addition to the ticket, you must also posess the corresponding ticket session key. The combination of a ticket and the ticket's session key is known as a credential.
Typically, a client program automatically obtains credentials identifying the person using the client program. The credentials are obtained from a Kerberos server that resides somewhere on the network. A Kerberos server maintains a database of user, server, and password information.
Kerberos will give you credentials only if you have an entry in the Kerberos server's Kerberos database. Your database entry includes your Kerberos principal (an identifying string, which is often just your username), and your Kerberos key, which is generated from your password. Every Kerberos user must have an entry in this database.
Each administrative domain has its own Kerberos database, which contains information about the users and services for that particular site or domain. This administrative domain is the Kerberos realm.
Each Kerberos realm will have at least one Kerberos server, where the master Kerberos database for that site or administrative domain is stored. A Kerberos realm may also have one or more slave servers, which have read-only copies of the Kerberos database that are periodically propagated from the master server. For more details on how this is done, see the "Set Up the Slave KDCs for Database Propagation" and "Propagate the Database to Each Slave KDC" sections of the KerbNet Installation Guide.
The `kinit' command prompts for your password. If you enter it successfully, you will obtain a ticket-granting ticket and a ticket session key that gives you the right to use the ticket. This combination of the ticket and its associated key is known as your credentials. As illustrated below, client programs use your ticket-granting ticket credentials in order to obtain client-specific credentials as needed.
Your credentials are stored in a credentials cache, which is often
just a file in /tmp
. The credentials cache is also called the
ticket file, especially in Kerberos V4 documentation. Note,
however, that a credentials cache does not have to be stored in a file.
The Kerberos database also contains entries for all network services that require Kerberos authentication. Suppose that your site has a machine, `laughter.bleep.com', that requires Kerberos authentication from anyone who wants to `rlogin' to it. The host's Kerberos realm is `BLEEP.COM'.
This service must be registered in the Kerberos database, using the proper service name, which in this case is the principal:
host/laughter.bleep.com@BLEEP.COM
The `/' character separates the Kerberos primary (in this case, `host') from the instance (in this case, `laughter.bleep.com'); the `@' character separates the realm name (in this case, `BLEEP.COM') from the rest of the principal. The primary, `host', denotes the name or type of the service that is being offered: generic host-level access to the machine. The instance, `laughter.bleep.com', names the specific machine that is offering this service. There will generally be many different machines, each offering some particular type of service, and the instance serves to give each one of these servers a different Kerberos principal.
For each service, there must also be a service key known only by Kerberos and the service. On the Kerberos server, the service key is stored in the Kerberos database.
On the server host, these service keys are stored in key tables,
which are files known as keytabs.(1) For example, the service keys used by
secure services (such as ones that run as root on UNIX systems) are
usually stored in the keytab file /etc/v5srvtab
. N.B.: This
service key is the equivalent of the service's password, and must be
kept secure. Data which is meant to be read only by the service is
encrypted using this key.
Suppose that you walk up to a host intending to login to it, and then `rlogin' to the machine `laughter'. Here's what happens:
host% rlogin laughter
klogind
will let you
login.
Following are definitions of some of the Kerberos terminology.
The typical format of a typical Kerberos principal is primary/instance@REALM.
telnet
and
rsh
), "ftp" (FTP), "krbtgt" (authentication;
cf. ticket-granting ticket), and "pop" (email).
Your Kerberos database contains all of your realm's Kerberos principals, their passwords, and other administrative information about each principal. As System Administrator, you have the power to change information in the database. Tasks that you may want to perform include:
* adding and deleting principals to the Kerberos database
* modfiying the restrictions governing passwords
* granting administrative privileges to specific principals
* changing the default lifetime of tickets
* manipulating the database as a whole (e.g. backing it up).
Most of these tasks are done by interacting with one of the administrative programs, particularly when you are dealing with a few specific principles. These tasks are described in the following section. However, some of the global defaults for the database, such as the default lifetime of tickets, are controled in the kdc.conf file as described in see section kdc.conf.
You can manipulate information in the Kerberos database using either the Admin GUI (window-style user interface) or by typing commands at the command line (DOS or UNIX prompt).
This chapter describes the general tasks you can perform; the next two chapters give specific instructions for performing these tasks using each of the two interface options. Chapter 6 explains how to manipulate the database as a whole.
Entities that can recieve Kerberos tickets are represented by Kerberos principals (see section Definitions). Each entry in the Kerberos database contains a Kerberos principal and the attributes and policies associated with that principal.
You can add a principal to the Kerberos database, using either the Admin GUI or the command line. When you add a principal, you must give it a temporary password; if the principal corresponds to a user, you should tell the user to change the password right away. You can set an option that forces the user to change the password the first time he or she logs in using the principal.
If you need cross-realm authentication, you must add principals for the other realm's TGT to each realm. For example, if you need to do cross-realm authentication between the realms BLEEP.COM and FUBAR.ORG, you would need to add the principals `krbtgt/FUBAR.ORG@BLEEP.COM' and `krbtgt/BLEEP.COM@FUBAR.ORG' to both databases. You need to be sure the passwords and the key version numbers (kvno) are the same in both databases. This may require explicitly setting the kvno with the `-kvno' option (see section Adding or Modifying Principals).
You can also modify the administrative information of principals already in the database.
You can delete principals from the Kerberos database, using either the Admin GUI or the command line.
When you delete a principal from the Kerberos database, be sure to remove that principal from all files that grant access privileges (see section Administrative Privileges). Otherwise, if the principal is later reassigned, it will still have the privileges granted in those files, whether the new owner of the principal ought to have them or not.
For example, if a user with the username `jennifer' has full administrative privileges for the BLEEP.COM domain, the `kadm5.acl' file would have the entry:
jennifer@BLEEP.COM admcil
If Jennifer leaves and a new employee with the first name Jennifer is given the username `jennifer', the new employee has full administrative privileges for BLEEP.COM, because the principal `jennifer' is still listed in `kadm5.acl' with those privileges.
Rather than deleting a principal that is no longer is use, it may be easier to simply "deactivate" the principal by assigning it a random password. Then no new user can be assigned the principal, and there is no danger of accidentally granting a new user inappropriate access privileges. You can also deactivate a principal by taking away its ability to receive tickets (see section Deactivating a Principal,or section Attributes).
Principals have associated attributes, which are rules governing what kind of tickets a principal is allowed to obtain and under what circumstances it can obtain tickets. Each attribute is controlled by an on/off flag in the database entry for a principal; when the attribute appears in the entry, the flag is "on". By default, principals have no attribute flags turned on. You can set attributes for a principal using either the Admin GUI or the command line.
Principals may have the following attribute flags associated with them:
A policy is a set of rules governing passwords. Policies dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of previous passwords kept in the database for a given principal.
Policies are stored in a database, `principal.kadm', separate from the Kerberos database. You can create new policies, modify existing policies, and delete policies using either the Admin GUI or the command line.
You can assign a policy to a principal by modifying the administrative information about that principal. You can assign each policy to as many principals as you want, but a single principal cannot have more than one policy. By default, principals have no policy.
Make sure that you cancel a policy from all principals before deleting the policy from the database. KerbNet will not delete a policy if it currently applies to any principal.
When you change a policy, the changes affect the principals that have that policy the next time the system needs to check the relevant attributes. So, for example, if you change a policy so that the maximum password lifetime is less than the amount of time that has passed since a principle with that policy changed its password, the will be forced to change their password the next time that principal tries to obtain a TGT. On the other hand, if a principal's password has only one class of characters in it, and you change the policy that governs that principal to require two character classes, the change will not affect the user until the user changes the password, at which point the system will enforce the new restrictions.
Administrative privileges for the Kerberos database are stored in the
file kadm5.acl
. Each line of the file contains a principal, the
privileges that principal has, and optionally the target to which those
permissions apply. The privileges are represented by single letters;
UPPER-CASE letters represent negative permissions. The permissions are:
Principals in this file can include the * wildcard. Here is an
example of a kadm5.acl
file. Note that order is important;
permissions are determined by the first matching entry.
*/admin@BLEEP.COM * jschmoe/null@BLEEP.COM ADMCIL jschmoe/*@BLEEP.COM il jennifer/root@BLEEP.COM cil */root@BLEEP.COM */*@BLEEP.COM i
In the above file, any principal with an admin
instance
has all administrative privileges. The user jschmoe
has all permissions with his admin
instance,
jschmoe/admin@BLEEP.COM
(matches the first
line). He has no permissions at all with his null
instance,
jschmoe/null@BLEEP.COM
(matches the second
line). He has inquire and list permissions with any other
instance (matches the third line). When jennifer
is
using her root
instance, jennifer/root@BLEEP.COM
, she has
change password, inquire, and list privileges for any other
principal that has the instance root
. Finally, any principal in
the realm BLEEP.COM
(except for
jschmoe/null@BLEEP.COM
, as mentioned above)
has inquire privileges.
To change the privileges associated with a particular principal, modify
the kadm5.acl
file directly.
Both the command line and the GUI often require input in the form of dates. A date can appear in a wide variety of formats, such as:
1 month 2 hours 400000 seconds next year this Monday next Monday yesterday tomorrow now second Monday a fortnight 3/31/98 10:00:07 PST January 23, 1997 10:05pm 22:00 GMT
All of these are case-insensitive. The following is a list of all of the allowable keywords.
kadmin
recognizes abbreviations for most of the world's time
zones. A complete listing appears in section kadmin Time Zones.
The Admin GUI (Graphical User Interface) is an interface that lets you manipulate information in the Kerberos database using windows and menus. The GUI is available on both UNIX and NT systems.
This chapter describes how to administer the Kerberos database using the Admin GUI.
To start the Admin GUI:
tkadmin
at the command line (UNIX or
DOS prompt).
The `tkadmin' command takes the following options:
If you do not specify a realm, `tkadmin' will use the local realm by default.
If you do not specify a principal, `tkadmin' will use `<userid>/admin', where <userid> is the userid you are currently logged in as.
Because this option requires you to type your password openly, it is insecure; someone could look at your screen or use your machine later to retrieve your password. You should avoid using this option.
tkadmin
If you do not use the password option, the Password entry dialog opens and prompts you for your password.
The Principal list window opens.
The Principal List window displays all the principals in the Kerberos database.
By default, the principal list shows all the principals in the database. However, you can view a subset of the principals by selecting an appropriate filter. A filter is a string of characters that all the principals you want to view have in common; the Principal List window displays all the principals in the database that contain that string.
The wildcard `*' stands for any number of characters. Thus, the filter `*/admin' causes the principal list to display any principal with the instance `admin'; the filter `host/*' matches any principal with the primary `host'. The filter `host*' would also retrieve all principals with the primary `host', as well as principals such as `host@BLEEP.COM' `hostess/admin@BLEEP.COM'. The filter `host' would retrieve only the principal `host@BLEEP.COM' (the exact match to the filter string).
The `*' filter lists all the principals in the database.
To change the current filter:
The Principal List now displays only those principals that match the specified filter string.
The Admin GUI lets you view and edit the contents of the Kerberos database and the policy database. However, although the information it displays changes to reflect changes you make, changes made by other people while you have the GUI open do not appear unless you tell the GUI to update its version of the databases.
To update the information in the GUI:
The GUI updates its database displays.
The commands on the Principals menu allow you to manipulate entries in the Kerberos database.
To add a new principal to the database:
The Principal Information dialog appears.
If you do not specify a realm for the principal, it will have the realm you specified when you ran the `tkadmin' command, or the default realm for the domain you are in (if you did not specify a realm when you ran `tkadmin').
You can edit these values as much as you like. Clicking the Revert button beside a text box causes the current saved value to appear in that text box, replacing whatever value you have typed. Clicking the Revert All button will revert the text in all text boxes to the current saved values.
Although you may enter dates and durations in various different formats (see section Date Format), they will appear in standard formats in the text boxes (for example, "next monday" might appear as "Mon Mar 10 00:00:00 EST 1997.").
If you have entered an inappropriate value in one of the textboxes (for example, a date with an invalid format), that text appears red when you move the cursor out of that text box or try to commit your changes. After you have entered an appropriate value, the text becomes black again the next time you move the cursor to another text box, commit your changes, or use a Revert button.
The Password Entry dialog opens.
You cannot create a new principal without assigning it a name and a password. If you click Commit Add without first setting the password, the Password Entry dialog opens, prompting you to enter a password. When you click OK in the Password Entry dialog, the Principal Information closes as well, and the new principal is entered in the database.
To delete one or more principals from the database:
A dialog box will appear, asking you to confirm the deletion. If you click Yes, the principal is deleted from the database.
To display further information about a principal, select Edit from the Principal menu, or double-click on the principal in the Principal List. The Principal Information dialog opens.
The Principal Information dialog displays administrative information about the selected principal. You can look at a different principal by double-clicking on the new principal in the Principal List window; information on that principal will appear in the open Principal Information window.
You can modify the information in text boxes whose titles have blue backgrounds by typing new values into the appropriate text boxes. You can also modify the attribute flags on the principal by selecting and deselecting the checkboxes at the bottom of the Principal Information dialog. See section Adding Principals, for an explanation of these fields.
Clicking the Revert button beside a text box causes the current saved value to appear in that text box, replacing whatever value you have typed. Clicking the Revert All button will revert the text in all text boxes to the current saved values.
Click the Commit Changes button to add the new information to the database, or click the Cancel button to close the Principal Information dialog without changing the principal's information.
The information in the fields whose titles have black backgrounds is historical information about the principal; you cannot modify these values. Note that the Principal field is unmodifiable. See section Renaming a Principal, for information about renaming a principal.
* Last Password Change displays the time when the principal's password was last changed.
* Last Modification displays the time when the principal's administrative information was last modified.
* Last Modification By displays the principal responsible for the last modification of this principal's administrative information.
The following fields relate to preauthentication features that have not been fully implemented yet.
* Last Successful Auth
* Last Failed Auth
* Failed Password Attempts
* Key Version Number The Key Version Number keeps track of how many times the principal's key has been changed. See section Keys and Key Version Numbers, for more information about Key Version Numbers.
To rename a principal:
The Rename dialog opens.
The Password Entry dialog will open, as if you had created a new principal.
You can copy a principal, creating a second principal with all attributes identical to those of the first, except for the principal name.
To copy a principal:
The Principal Information dialog opens. The New Name text box is blank; all the other text boxes display the copied attribute values.
To change a principal's password:
The Password Entry dialog appears.
A dialog appears, telling you that the password has been changed or warning you if the password could not be changed (e.g. the password you chose was already in the principal's password history).
The Deactivate command sets the `Disallow All Tickets' flag on a principal, thereby making it impossible for the principal to obtain tickets. Note that if you later reactivate the principal, it will still have any permissions it had before, since it has not been removed from any permissions lists (see section Adding and Modifying Principals).
To deactivate a principal:
A dialog appears, confirming the deactivation.
The principals are deactivated. Note that they still appear in the principals list, and you can still view and change their information.
To reactivate a principal:
A dialog appears, confirming the reactivation.
The principals are reactivated.
Selecting Show List from the Policy menu opens the Policy List dialog. The Policy List lists all the policies in the database.
Selecting Close from the File menu in the Policy List dialog closes the Policy List dialog.
To create a new password policy:
The Policy Information window opens.
Clicking the Revert button beside a text box causes the current saved value to appear in that text box, replacing whatever value you have typed. Clicking the Revert All button will revert the text in all text boxes to the current saved values.
To delete an existing policy:
You must remove the policy from all principals before attempting to delete it. If a policy is in use, an attempt to delete it will fail. The Principals Using Policy field in the Policy Information window tells you how many principals currently have the policy.
To modify an existing policy:
The Policy Information window appears.
You can copy a policy, creating a second policy with all attributes identical to those of the first, except for the policy name.
To copy a policy:
The Policy Information dialog opens. The `New Name' text box is blank; all the other text boxes display the copied attribute values.
This chapter describes how to manipulate information in the Kerberos
database using the UNIX or Windows NT command line. The commands are the
same for both operating systems. The one difference is that when
specifying pathnames for kadmin
or kadmin.local
on Windows NT systems the path must be proceeded by `WRFILE:' for
writable files such as keytabs and `FILE:' for read only files.
The kadmin
program allows you to make changes to the entries in
the database. The users can use the kpasswd
program to change
their own passwords. The kdb5_util
program allows you to
manipulate the Kerberos database as a whole (see section Manipulating the Kerberos Database).
The kadmin
program has its own command-line interface, to which
you type the database administrating commands. Kadmin
provides
for the maintenance of Kerberos principals, KADM5 policies, and service
key tables (keytabs). It exists as both a Kerberos client,
kadmin
, using Kerberos authentication and an RPC, to operate
securely from anywhere on the network, and as a local client,
kadmin.local
, intended to run directly on the KDC without
Kerberos authentication. Other than the fact that the remote client
uses Kerberos to authenticate the person using it, the functionalities
of the two versions are identical. The local version is necessary to
enable you to set up enough of the database to be able to use the remote
version. Kadmin replaces the now obsolete kdb5_edit
(except for
database dump and load, which are provided by kdb5_util
).
The remote version of kadmin
authenticates to the KADM5 server
using the service principal kadmin/admin
. If the credentials
cache contains a ticket for the kadmin/admin
principal, and the
`-c credentials_cache' option is specified, that ticket is used to
authenticate to KADM5. Assuming you don't already have a
kadmin/admin
ticket, you will need to use the `-p' or
`-k' option to specify the client Kerberos principal name that will
be used to authenticate.
You can invoke kadmin
with any of the following options:
kadmin
will append admin
to
either the primary principal name, the environment variable USER, or to
the username obtained from getpwuid
, in order of preference.
kadmin/admin
service, which can be acquired with the kinit
program. If this
option is not specified, kadmin
requests a new service ticket
from the KDC, and stores it in its own temporary ccache.
kadmin
. This is useful for writing
scripts that pass specific queries to kadmin
.
To retrieve a listing of the attributes and/or policies associated with
a principal, use the kadmin
get_principal
command, which
requires the "inquire" administrative privilege. The syntax is:
get_principal principal
The get_principal
command has the alias getprinc
.
For example, suppose you wanted to view the attributes of the principals
jennifer/root@BLEEP.COM
and
systest@BLEEP.COM
. You would type:
shell% kadmin kadmin: getprinc jennifer/root Principal: jennifer/root@BLEEP.COM Key version: 3 Maximum life: 1 day 00:00:00 Maximum renewable life: 7 days 00:00:00 Master key version: 1 Expires: Mon Jan 18 22:14:07 EDT 2038 Password expires: Mon Sep 19 14:40:00 EDT 1996 Password last changed: Mon Jan 31 02:06:40 EDT 1996 Last modified: by jschmoe/admin@BLEEP.COM on Wed Jul 13 18:27:08 EDT 1996 Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, REQUIRES_HW_AUTH Salt type: DEFAULT kadmin:
The get_principal
command has a -terse
option, which lists
the fields as a quoted, tab-separated string. For example:
kadmin: getprinc -terse systest systest@BLEEP.COM 3 86400 604800 1 785926535 753241234 785900000 jennifer/admin@BLEEP.COM 786100034 0 0 kadmin:
To generate a listing of principals, use the kadmin
list_principals
command, which requires the "list" privilege.
The syntax is:
list_principals [expression]
where expression is a shell-style glob expression that can
contain the characters `*', `?', `[', and `]'. All
policy names matching the expression are displayed. The
list_principals
command has the alias listprincs
. For
example:
kadmin: listprincs test* test3@bleep.com test2@bleep.com test1@bleep.com testuser@bleep.com kadmin:
If no expression is provided, all principals are printed.
To add a principal to the database, use the kadmin add_principal
command, which requires the "add" administrative privilege. The
syntax is:
kadmin: add_principal [options] principal
To modify attributes of a principal, use the kadmin
modify_principal
command, which requires the "modify"
administrative privilege. The syntax is:
kadmin: modify_principal [options] principal
add_principal
has the aliases addprinc
and
ank
(2). modify_principal
has the alias modprinc
.
The add_principal
and modify_principal
commands take the
following switches:
modify_principal
only).
add_principal
only). Cygnus Solutions recommends using this option for host keys.
add_principal
only). Cygnus Solutions does
not recommend using this option.
If you want to just use the default values, all you need to do is:
kadmin: addprinc jennifer Enter password for principal jennifer@BLEEP.COM: <= Type the password. Re-enter password for principal jennifer@BLEEP.COM: <= Type it again. Principal "jennifer@BLEEP.COM" created. kadmin:
If, on the other hand, you want to set up an account that expires on January 1, 2000, that uses a policy called "stduser", with a temporary password (which you want the user to change immediately), you would type the following. (Note: each line beginning with => is a continuation of the previous line.)
kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser => +needchange Enter password for principal david@BLEEP.COM: <= Type the password. Re-enter password for principal david@BLEEP.COM: <= Type it again. Principal "david@BLEEP.COM" created. kadmin:
To delete a principal, use the kadmin delete_principal
command,
which requires the "delete" administrative privilege. The syntax is:
delete_principal [-force] principal
delete_principal
has the alias delprinc
. The
-force
option causes delete_principal
not to ask if you're
sure. For example:
kadmin: delprinc jennifer Are you sure you want to delete the principal "jennifer@BLEEP.COM"? (yes/no): yes Principal "jennifer@BLEEP.COM" deleted. Make sure that you have removed this principal from all ACLs before reusing. kadmin:
To rename a principal, use the kadmin rename_principal
command,
which requires both the "add" and "delete" administrative
privileges. The syntax is:
rename_principal [-force] old_principal new_principal
The rename_principal
command has the alias renprinc
.
For example:
kadmin: renprinc test test2 Are you sure you want to rename the principal "test@BLEEP.COM" to "test2@BLEEP.COM"? (yes/no): yes Principal "test@BLEEP.COM" renamed to "test2@BLEEP.COM". Make sure that you have removed "test@BLEEP.COM" from all ACLs before reusing. kadmin:
To change a principal's password use the kadmin change_password
command, which requires the "modify" administrative privilege (unless
the principal is changing his/her own password). The syntax is:
change_password [options] principal
The change_password
option has the alias cpw
.
change_password
takes the following options:
add_principal
command (see section Adding or Modifying Principals).
For example:
kadmin: cpw david Enter password for principal david@BLEEP.COM: <= Type the new password. Re-enter password for principal david@BLEEP.COM: <= Type it again. Password for david@BLEEP.COM changed. kadmin:
Note that change_password
will not let you change the password to
one that is in the principal's password history.
To retrieve a policy, use the kadmin get_policy
command, which
requires the "inquire" administrative privilege. The syntax is:
get_policy [-terse] policy
The get_policy
command has the alias getpol
. For example:
kadmin: get_policy admin Policy: admin Maximum password life: 180 days 00:00:00 Minimum password life: 00:00:00 Minimum password length: 6 Minimum number of password character classes: 2 Number of old keys kept: 5 Reference count: 17 kadmin:
The reference count is the number of principals using that policy.
The get_policy
command has a -terse
option, which lists
each field as a quoted, tab-separated string. For example:
kadmin: get_policy -terse admin admin 15552000 0 6 2 5 17 kadmin:
You can retrieve the list of policies with the kadmin
list_policies
command, which requires the "list" privilege. The
syntax is:
list_policies [expression]
where expression is a shell-style glob expression that can
contain the characters *, ?, [, and ]. All policy names matching the
expression are displayed. The list_policies
command has the alias
listpols
. For example:
kadmin: listpols test-pol dict-only once-a-min test-pol-nopw kadmin: listpols t* test-pol test-pol-nopw kadmin:
To add a new policy, use the kadmin add_policy
command, which
requires the "add" administrative privilege. The syntax is:
add_policy [options] policy_name
To modify attributes of a principal, use the kadmin modify_policy
command, which requires the "modify" administrative privilege. The
syntax is:
modify_policy [options] policy_name
add_policy
has the alias addpol
.
modify_poilcy
has the alias modpol
.
The add_policy
and modify_policy
commands take the
following switches:
The character classes are: - lower-case letters, - upper-case letters, - digits, - punctuation, and - all other characters (e.g., control characters).
See section Date Format for details on the proper time format.
Here is an example of adding a policy:
kadmin: addpol -minlength 8 -minclasses 3 -maxlife "30 days" paranoid kadmin: getpol paranoid Policy: paranoid Maximum password life: 30 days 00:00:00 Minimum password life: 0 days 00:00:00 Minimum password length: 8 Minimum number of password character classes: 3 Number of old keys kept: 1 Reference count: 0
To delete a policy, use the kadmin
delete_policy
command,
which requires the "delete" administrative privilege. The syntax is:
delete_policy policy_name
The delete_policy
command has the alias delpol
.
It prompts for confirmation before deletion.
For example:
kadmin: delete_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes Policy "guests" deleted. kadmin:
The following sections describe commands to manipulate the Kerberos database as a whole.
Kdb5_util
provides a means to create, delete, load, or dump a
Kerberos database. It also includes a command to stash a copy of the
master database key in a file on a KDC, so that the KDC can authenticate
itself to the kadmind
and krb5kdc
daemons at boot time.
To dump a Kerberos database into a file, use the kdb5_util
dump
command on one of the KDCs. The syntax is:
kdb5_util dump [-old] [-b6] [-ov] [-verbose] [filename [principals...]]
The kdb5_util dump
command takes the following options:
For example:
shell% kdb5_util dump dumpfile shell%
shell% kbd5_util dump -verbose dumpfile kadmin/admin@BLEEP.COM krbtgt/BLEEP.COM@BLEEP.COM kadmin/history@BLEEP.COM K/M@BLEEP.COM kadmin/changepw@BLEEP.COM shell%
The following is a simple example from a Windows NT system:
shell% kdb5_util dump c:\cygnus\KERBNET\lib\krb5kdc\dbdump
If you specify which principals to dump, you must use the full principal, as in the following example. (The line beginning with => is a continuation of the previous line.):
shell% kdb5_util dump -verbose dumpfile K/M@BLEEP.COM => kadmin/admin@BLEEP.COM kadmin/admin@BLEEP.COM K/M@BLEEP.COM shell%
Otherwise, the principals will not match those in the database and will not be dumped:
shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin shell%
If you do not specify a dump file, kdb5_util
will dump the
database to the standard output.
To restore a Kerberos database dump from a file, use the
kdb5_util
load
command on one of the KDCs. The syntax
is:
kdb5_util load [-old] [-b6] [-ov] [-verbose] [-update] dumpfilename dbname [admin_dbname]
The kdb5_util load
command takes the following options:
For example:
shell% kdb5_util load dumpfile principal shell%
shell% kdb5_util load -update dumpfile principal shell%
If the database file exists, and the -update flag was not given,
kdb5_util
will overwrite the existing database.
A stash file allows a KDC to authenticate itself to the database
utilities, such as kadmin
, kadmind
, krb5kdc
, and
kdb5_util
.
To create a stash file, use the kdb5_util
stash
command.
The syntax is:
kdb5_util stash [-f keyfile]
For example:
shell% kdb5_util stash kdb5_util: Cannot find/read stored master key while reading master key kdb5_util: Warning: proceeding without master key Enter KDC database master key: <= Type the KDC database master password. shell%
If you do not specify a stash file, kdb5_util
will stash the key
in the file specified in your kdc.conf
file.
If you need to create a new Kerberos database, use the kdb5_util
create
command. The syntax is:
kdb5_util create [-s]
If you specify the `-s' option, kdb5_util
will stash a copy
of the master key in a stash file. (See section Creating a Stash File.) For
example:
shell% /usr/cygnus/kerbnet/sbin/kdb5_util -r BLEEP.COM create -s kdb5_util: No such file or directory while setting active database to '/krb5/principal' Initializing database '/usr/cygnus/kerbnet/lib/krb5kdc/principal' for => realm 'BLEEP.COM', master key name 'K/M@BLEEP.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: <= Type the master password. Re-enter KDC database master key to verify: <= Type it again. shell%
It is possible that the Kerberos database could become corrupted. If this happens on one of the slave KDCs, you might never notice, since the next automatic propagation of the database would install a fresh copy. However, if it happens to the master KDC, the corrupted database would be propagated to all of the slaves during the next propagation. For this reason, Cygnus Solutions recommends that you back up your Kerberos database regularly. Because the master KDC is continuously dumping the database to a file in order to propagate it to the slave KDCs, it is a simple matter to have a cron job periodically copy the dump file to a secure machine elsewhere on your network. (Of course, it is important to make the host where these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the master KDC. (See section Restoring a Kerberos Database from a Dump File.)
If you need to install the KerbNet programs on an application server, please refer to the KerbNet Installation Guide. Once you have installed the software, you need to add that host to the Kerberos database (see section Adding or Modifying Principals), and generate a keytab for that host, that contains the host's key. You also need to make sure the host's clock is within your maximum clock skew of the KDCs.
A keytab is a host's copy of its own keylist, which is analogous
to a user's password. An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key. Just as it is important for users to protect their passwords,
it is equally important for hosts to protect their keytabs. You should
always store keytab files on local disk, and make them readable only by
root, and you should never send a keytab file over a network in the
clear. Ideally, you should run the kadmin
command or use the
Admin GUI to create a keytab on the host on which the keytab is to
reside.
A keytab lists various principals and their keys. For a non-user principal, such as a service, the only way to get access to the key is through a keytab (unlike a user principal, which can access its key directly by using a password). To add a principal to a keytab so that its key can be used, you have to be able to get the principal's key from the Kerberos database. This process is called extraction and it not only places a hashed copy of the key in the keytab but it also changes the key so that any previously extracted copies in other keytabs become invalid.
The next two sections of this chapter explain how to create keytabs using the Admin GUI and the command line.
The Key Version Number (kvno) for a principal records how many times the key has been changed; the kvno of a newly-created principal is 0. Every time the principal is extracted from the database to a keytab, its key changes, and its kvno increments by 1.
The Fileselect dialog opens.
The Keytab Editing dialog appears.
The Fileselect dialog opens.
Specify the directory path if the keytab you want to modify is not stored in the directory listed above the File text box.
The value in the Mask text box acts as a filter for the files listed in the Fileselect dialog; the list displays all the principals in the database that contain the Mask string.
The Mask can contain the wildcard `*', which stands for any number of characters. Thus, the Mask `*.keytab' causes the list to display all files in the directory with the extension `/keytab'; the Mask `*' causes the list to display all the files in the directory.
When you click OK, the Keytab Editing dialog opens. This dialog lists all of the principals in the keytab. The kvno for each principal's key is listed in brackets next to the principal.
To generate a keytab, or to add a principal to an existing keytab, use
the ktadd
command from kadmin
, which requires the
"inquire" administrative privilege. (If you use the -glob
princ_exp option, it also requires the "list" administrative
privilege.) The syntax is:
ktadd [-k keytab] [-q] [principal | -glob princ_exp] [...]
The ktadd
command takes the following switches:
ktadd
will use the
default keytab file (/etc/v5srvtab
).
ktadd
to display less verbose
information.
list_principals
(see section Retrieving a List of Principals) command.
For example:
kadmin: ktadd host/daffodil.bleep.com@BLEEP.COM kadmin: Entry for principal host/daffodil.bleep.com@BLEEP.COM with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/v5srvtab. kadmin:
kadmin: ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw kadmin: Entry for principal kadmin/admin@BLEEP.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/krb5/kadmind.keytab. kadmin:
On a Windows NT system the prefix `WRFILE:' must be used as in the following exaple:
kadmin.local: ktadd -k WRFILE:C:\CYGNUS\KERBNET\LIB\KRB5KDC\KADM5.KEYTAB => kadmin/admin kadmin/changepw
To remove a principal from an existing keytab, use the kadmin
ktremove
command. The syntax is:
ktremove [-k keytab] [-q] principal [kvno | all | old]
The ktremove
command takes the following switches:
ktremove
will use
the default keytab file (/etc/v5srvtab
).
ktremove
to display less verbose
information.
For example:
kadmin: ktremove -k /krb5/kadmind.keytab kadmin/admin kadmin: Entry for principal kadmin/admin with kvno 3 removed from keytab WRFILE:/krb5/kadmind.keytab. kadmin:
You can list the entries in a keytab by using the klist
command with
the -k
option. For example:
# klist -k Keytab name: /etc/v5srvtab KVNO Principal ---- ------------------------------------------------------------ 1 host/daffodil.bleep.com@BLEEP.COM
When you back up a secure host, you should exclude the host's keytab file from the backup. If someone obtained a copy of the keytab from a backup, that person could make any host masquerade as the host whose keytab was compromised. This could be particularly dangerous if the compromised keytab was from one of your KDCs. If the machine has a disk crash and the keytab file is lost, it is easy to generate another keytab file. (See the above sections for information on generating keytabs.) If you are unable to exclude particular files from backups, you should ensure that the backups are kept as secure as the host's administration password, i.e., the root or Administrator user.
In order to prevent intruders from resetting their system clocks in
order to continue to use expired tickets, KerbNet is set up to
reject ticket requests from any host whose clock is not within the
specified maximum clock skew of the KDC (as specified in the
kdc.conf
file). Similarly, hosts are configured to reject
responses from any KDC whose clock is not within the specified maximum
clock skew of the host (as specified in the krb5.conf
file). The
default value for maximum clock skew is 300 seconds (five minutes).
Cygnus Solutions suggests that you add a line to client machines'
/etc/rc
files to synchronize the machine's clock to your KDC at
boot time. On UNIX hosts, assuming you had a kdc called
kerberos
in your realm, this would be:
gettime -s kerberos
If the host is not likely to be rebooted frequently, you may also want to set up a cron job that adjusts the time on a regular basis.
Several aspects of Kerberos rely on name service. In order for Kerberos
to provide its high level of security, it is less forgiving of name
service problems than some other parts of your network. It is important
that your name service, whether /etc/hosts
, NIS or Distributed
Name Service (DNS), have the correct information.
Each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name.
Other than the localhost
entry, make all entries in each
machine's /etc/hosts
or NIS map file in the following form:
IP address fully-qualified hostname aliases
Here is a sample /etc/hosts
file:
# this is a comment 127.0.0.1 localhost localhost@bleep.com 129.0.35.44 daffodil.bleep.com trillium wake-robin
Additionally, on Solaris machines, you need to be sure the "hosts"
entry in the file /etc/nsswitch.conf
includes the source "dns"
as well as "file".
Finally, each host's keytab file must include a host/key pair for the
host's canonical name. You can list the keys in a keytab file by
issuing the command klist -k
. (See section Listing Keytabs.)
If you telnet to the host with a fresh credentials cache (ticket file),
and then klist
, the host's service principal should appear as
host/fully-qualified-hostname@REALM_NAME.
If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either that you have a slave KDC outside your firewall, or you configure your firewall to allow UDP requests into to at least one of your KDCs, on whichever port the KDC is running. (The default is port 88; other ports may be specified in the KDC's kdc.conf file.) Similarly, if you need off-site users to be able to change their passwords in your realm, they must be able to get to your Kerberos admin server. The default port for the admin server is 749.
If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests on port 88. Additionally, if they will need to get to any Kerberos V4 KDCs, you will also need to allow TCP and UDP requests on port 750. (See the document Upgrading to KerbNet from Kerberos V4 for additional information about using Kerberos V4 and KerbNet concurrently.) If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749.
If any of your KDCs is outside your firewall, you will need to allow
kprop
requests to get through to the remote KDC. Kprop
uses the krb5_prop service on port 754 (tcp).
If you need your off-site users to have access to machines inside your
firewall, you need to allow TCP connections from their off-site hosts on
the appropriate ports for the programs they will be using. The
following lines from /etc/services
show the default port numbers
for the KerbNet programs:
ftp 21/tcp # Kerberos ftp and telnet use the telnet 23/tcp # default ports kerberos 88/udp kdc # Kerberos V5 KDC kerberos 88/tcp kdc # Kerberos V5 KDC klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp cmd # and remote shell kerberos-adm 749/tcp # Kerberos 5 admin/changepw kerberos-adm 749/udp # Kerberos 5 admin/changepw krb5_prop 754/tcp # Kerberos slave propagation eklogin 2105/tcp # Kerberos auth. & encrypted rlogin krb524 4444/tcp # Kerberos 5 to 4 ticket translator
By default, KerbNet telnet
and ftp
use the same
ports as the standard telnet
and ftp
programs, so if you
already allow telnet and ftp connections through your firewall, the
KerbNet versions will get through as well. If you do not
already allow telnet and ftp connections through your firewall, but need
your users to be able to use KerbNet telnet and ftp, you can
either allow ftp and telnet connections on the standard ports, or switch
these programs to non-default port numbers and allow ftp and telnet
connections on those ports to get through.
KerbNet rlogin
uses the klogin
service, which by
default uses port 543. Encrypted KerbNet rlogin uses uses the
eklogin
service, which by default uses port 2105.
KerbNet rsh
uses the kshell
service, which by
default uses port 544. However, the server must be able to make a TCP
connection from the kshell port to an arbitrary port on the client, so
if your users are to be able to use rsh
from outside your
firewall, the server they connect to must be able to send outgoing
packets to arbitrary port numbers. Similarly, if your users need to run
rsh
from inside your firewall to hosts outside your firewall, the
outside server needs to be able to connect to an arbitrary port on the
machine inside your firewall. Because KerbNet rcp
and
krdist
use rsh
, the same issues apply to these programs.
If you need to use rsh
(or rcp
or krdist
) through
your firewall and are concerned with the security implications of
allowing connections to arbitrary ports, Cygnus Solutions suggests that
you have rules that specifically name these applications and, if
possible, list the allowed hosts.
A reasonably good cookbook for configuring firewalls is available by FTP
from ftp.livingston.com
, in the location:
/pub/firewall/firewall-1.1.ps.Z
. The book UNIX System
Security, by David Curry, is also a good starting point.
The krb5.conf
file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms. Normally,
you should install your krb5.conf
file in the directory
/etc
. You can override the default location by setting the
environment variable `KRB5_CONFIG'.
The krb5.conf
file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
section may contain zero or more relations, of the form:
foo = bar
or
fubar = { foo = bar baz = quux }
The krb5.conf
file may contain any or all of the following seven
sections:
The libdefaults
section may contain any of the following
relations:
login
and Xdm
. It is an additional
bit of protection against name service attacks on hosts that use a
`host' key to verify the TGT the user decrypts on login. We
recommend this be set on such machines, particularly if they are on
insecure networks. It must not be set on machines without a
keytab
as it will prevent users from being able to log in.
Each tag in the [appdefaults] section names a Kerberos V5 application. The value of the tag is a subsection with relations that define the default behaviors for that application.
For example:
[appdefaults] rlogin = { forwardable = true forward = true encrypt = true } telnet = { forward = true encrypt = true autologin = true }
The list of specifiable options for each application may be found in that application's man pages.
Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection:
The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name, or a domain name, where domain names are indicated by a prefix of a period (`.'). The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case.
If no translation entry applies, the host's realm is considered to be the hostname's domain portion converted to upper case. For example, the following [domain_realm] section:
[domain_realm] bleep.com = BLEEP.COM crash.bleep.com = TEST.BLEEP.COM fubar.org = FUBAR.ORG
maps crash.bleep.com into the TEST.BLEEP.COM realm. All other hosts in the bleep.com domain will map by default to the BLEEP.COM realm, and all hosts in the fubar.org domain will map by default into the FUBAR.ORG realm. Note the entries for the hosts bleep.com and fubar.org. Without these entries, these hosts would be mapped into the Kerberos realms `COM' and `ORG', respectively.
Values are of the following forms:
The severity argument specifies the default severity of system log
messages. This may be any of the following severities supported by the
syslog(3)
call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT,
LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG.
For example, a value of `CRIT' would specify LOG_CRIT severity.
The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.
If no severity is specified, the default is ERR. If no facility is specified, the default is AUTH.
In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging messages from the administrative server will be appended to the file /var/adm/kadmin.log and sent to the device /dev/tty04.
[logging] kdc = CONSOLE kdc = SYSLOG:INFO:DAEMON admin_server = FILE:/var/adm/kadmin.log admin_server = DEVICE=/dev/tty04
In order to perform direct (non-hierarchical) cross-realm authentication, a database is needed to construct the authentication paths between the realms. This section defines that database.
A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used be the client, by checking the transited field of the received ticket.
There is a tag for each participating realm, and each tag has subtags for each of the realms. The value of the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowd to participate.
There are n squared possible entries in this table, but only those entries which will be needed on the client or the server need to be present. The client needs a tag for its local realm, with subtags for all the realms of servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve.
For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV which will authenticate with NERSC.GOV but not PNL.GOV. The [capath] section for ANL.GOV systems would look like this:
[capaths] ANL.GOV = { TEST.ANL.GOV = . PNL.GOV = ES.NET NERSC.GOV = ES.NET ES.NET = . } TEST.ANL.GOV = { ANL.GOV = . } PNL.GOV = { ANL.GOV = ES.NET } NERSC.GOV = { ANL.GOV = ES.NET } ES.NET = { ANL.GOV = . }
The [capath] section of the configuration file used on NERSC.GOV systems would look like this:
[capaths] NERSC.GOV = { ANL.GOV = ES.NET TEST.ANL.GOV = ES.NET TEST.ANL.GOV = ANL.GOV PNL.GOV = ES.NET ES.NET = . } ANL.GOV = { NERSC.GOV = ES.NET } PNL.GOV = { NERSC.GOV = ES.NET } ES.NET = { NERSC.GOV = . } TEST.ANL.GOV = { NERSC.GOV = ANL.GOV NERSC.GOV = ES.NET }
In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to determing the path. (It is not important to the server, since the transited field is not sorted.)
This feature is not currently supported by DCE. DCE security servers can be used with Kerberized clients and servers, but versions prior to DCE 1.1 did not fill in the transited field, and should be used with caution.
The [kdc] section is used to define configuration information necessary
for a KDC to find the KDC configuration file (kdc.conf
) if it is
not in the default location. The only tag used in this section would be
`profile', which would be set to the location of the KDC
configuration file.
Here is an example of a generic krb5.conf
file:
[libdefaults] ticket_lifetime = 600 default_realm = BLEEP.COM default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc [realms] BLEEP.COM = { kdc = kerberos.bleep.com kdc = kerberos-1.bleep.com kdc = kerberos-2.bleep.com admin_server = kerberos.bleep.com default_domain = bleep.com } FUBAR.ORG = { kdc = kerberos.fubar.org kdc = kerberos-1.fubar.org admin_server = kerberos.fubar.org } [domain_realm] bleep.com = BLEEP.COM [logging] kdc = FILE:/usr/cygnus/kerbnet/lib/krb5kdc/kdc.log admin_server = FILE:/usr/cygnus/kerbnet/lib/krb5kdc/kadmin.log
l
The kdc.conf
file contains KDC configuration information,
including defaults used when issuing Kerberos tickets. Normally, you
should install your kdc.conf
file in the directory
/usr/cygnus/kerbnet/lib/krb5kdc
. You can override the default
location by setting the environment variable `KRB5_KDC_PROFILE'.
The kdc.conf
file is set up in the same format as the
krb5.conf
file. (See section krb5.conf.) The kdc.conf
file
may contain any or all of the following two sections:
The following relation is defined in the [kdcdefaults] section:
Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm.
For each realm, the following tags may be specified in the [realms] subsection:
/usr/cygnus/kerbnet/lib/krb5kdc/kadm5.acl
.
/usr/cygnus/kerbnet/lib/krb5kdc/kadm5.keytab
.
/usr/cygnus/kerbnet/lib/krb5kdc/principal
.
This is the list of flags and how to set them to different from the default case:
-postdateable -forwardable -tgt-based -renewable -proxiable -dup-skey -allow-tickets -service +preauth +hwauth +pwchange +pwservice
The argument is a list of flags, preceded by + to indicate set, and - to indicate unset, separated by spaces, tabs, or commas. For example:
default_principal_flags = -forwardable -renewable +preauth
This would disallow forwardable tickets, disallow renewable tickets and require preauthentication for all priciples by default.
/usr/cygnus/kerbnet/lib/krb5kdc/kadm5.dict
.
kdb5_util stash
). The default is
/usr/cygnus/kerbnet/lib/krb5kdc/.k5.REALM
, where REALM is the
Kerberos realm.
/etc/krb5.conf
).
Here's an example of a kdc.conf
file:
[kdcdefaults] kdc_ports = 88 [realms] BLEEP.COM = { kadmind_port = 749 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des-cbc-crc supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 }
Because the directory into which KerbNet installs itself contains the release name, it is easy to install a new release of KerbNet, and to de-install an old one. If you have a problem with a new release, it is equally easy to revert to the earlier release. These procedures will also work if you are updating from any other version of Kerberos V5.
To update a KDC from an earlier version of KerbNet or of Kerberos V5, you need to do the following:
kdc.conf
file and stash file from the old installation
to the new one. For example, if you were upgrading from KerbNet
version 1.1 to version 1.2, you would have
to copy these files from the directory /usr/cygnus/kerbnet-1.1 to the
directory /usr/cygnus/kerbnet-1.2. Be sure the new copy of the stash file
has the correct name. (The default is .k5.REALM
, where REALM is
your realm name, unless you have specified something different in your
kdc.conf
file.)
kdb5_dump
command).
kdb5_util
load
command. Be sure to give load
the argument for the correct dump format.
/usr/kerbnet
) so that they point to the new
installation.
To update a client or application server, you need only to install the new release and change any symbolic links to point to the new programs. Other than any functionality changes in the programs, the upgrade should be completely user-transparent.
The following functionalities are supported for KerbNet, provided that they are installed and used as described in the documentation.
Cygnus Solutions supports only DES-CRC keys. Other encryption types are not supported at this time.
Directly-keyed cross-realm authentication is supported. Hierarchal cross-realm authentication is not supported.
Use of local (kadmin.local) and remote (kadmin) client is supported. Command-line specification of Kerberos Realm, principal, credentials cache location, keytab, password, admin server and port, and specific query is supported for the remote client. Command-line specification of Kerberos realm, principal, database name, encryption type and salt type, and authentication using the database master password is supported for the local client. Execution of a single query or of multiple queries through the command's subshell is supported.
For both clients, the following functions are supported:
Adding or modifying principals including: explicit setting of password (specified or random; add only), expiration dates for principal and password, setting of maximum ticket life and maximum renewable life, key version number, policy used by that principal, clearing of policy from principal (modify only) and need to change password flag is supported.
Allowing/disallowing a principal to obtain: any tickets, postdated tickets, forwardable tickets, renewable tickets, proxiable tickets, user-to-user authentication, service tickets, ticket-granting service tickets, and password changing service tickets is supported.
Requiring timestamp preauthentication or hardware preauthentication for a principal is supported.
Renaming, deletion, passward changing (random or specified) of principals is supported.
Creation and modification of policies, including minimum and maximum password lifetimes, minimum length and number of character classes in password, and number of previous passwords stored is supported.
Retrieval and listing of principals and policies from the database is supported.
Addition and deletion of principals from V5 keytabs is supported. Specific removal of keys by specific key version number (kvno), and removal of all but the most recent kvno is supported.
Encrypted propagation of a database dump from the master KDC to slave
KDCs via the kpropd
daemon is supported.
Obtaining of Kerberos V5 tickets via a user-entered password or a keytab for a default or specified principal is supported. Specification of credentials cache location and ticket lifetime is supported. Obtaining of forwardable, proxiable, renewable, and/or postdated tickets is supported. Renewing of renewable tickets and validation of postdated tickets is supported. Hardware preauthentication via challenge/response on SNK4 device from Digital Pathways is supported. Configuring default behavior regarding proixable or forwardable tickets via the krb5.conf file is supported.
Listing of Kerberos V5 tickets is supported. Specification of credentials cache or keytab file is supported. Optional listing of encryption types, flags, time entry timestamps, and encryption key values is supported. Silent behavior (suppression of output to stdout) is supported.
Destruction of Kerberos tickets is supported. Specification of credentials cache location is supported (required for a Kerberos V4 ticket file). Suppression of audible signal upon failure to destroy tickets is supported.
Changing of Kerberos passwords is supported. Specification of Kerberos principal is supported.
Logging in on the console of users who appear in /etc/passwd with their Kerberos passwords, along with issuance of Kerberos V5 tickets, and authentication to the local machine is supported. Configuration of issuance of tickets via krb5.conf file is supported.
Issuance of AFS tokens is supported only for customers who purchase AFS support for KerbNet. Use of the login.krb5 program at the command prompt as a means of switching user ID is not supported.
Logging in under X of users who appear in /etc/passwd with their
kerberos password, along with issuance of Kerberos V5 tickets, and
authentication to the local machine is supported. Rebuilding xdm
from source code is supported only if the X installation matches that
required by the configure scripts.
The XDMCP protocol is not supported; remote displays must be explicitly listed in configuration file.
Kerberos authentication to remote host running KerbNet
kshd
and execution of remote command(s) is supported.
Specification of Kerberos realm, encryption or non-encryption,
forwarding or non-forwarding of forwardable tickets, forwardability or
non-forwardability of forwarded tickets, and/or username on the remote
host is supported. Configuring default behavior regarding encryption,
forwarding, and forwardability of forwarded tickets via the krb5.conf
file is supported.
For the kshd
daemon, specification of required Kerberos V5 and/or
Kerberos V4 authentication, required checksums for Kerberos V5 (not
compatible with earlier versions (beta 6 and earlier) of Kerberos V5),
and rejection of non-Kerberos authenticated connections is supported.
Other functionalities are supported only to the extent that behavior is consistent with non-Kerberos, non-vendor-enhanced versions of these programs.
Kerberos V5 authentication to remote host(s) running KerbNet
kshd
and copying of file(s) to and/or from remote host(s) is
supported. Specification of Kerberos realm and encryption or
non-encryption is supported. Configuring default behavior regarding
encryption via the krb5.conf file is supported.
Other functionalities are supported only to the extent that behavior is consistent with non-Kerberos, non-vendor-enhanced versions of these programs.
Kerberos V5 authentication to remote host running KerbNet
telnetd
and connection to that remote host using the TELNET
protocal is supported. Specification of Kerberos realm, encryption or
non-encryption, forwarding or non-forwarding of forwardable tickets,
forwardability or non-forwardability of forwarded tickets, username on
the remote host, or autologin or non-autologin is supported.
Enabling/disabling of authentication, encryption (on input and/or
output), and autologin at the telnet>
prompt is supported.
Configuring default behavior regarding encryption, forwarding, forwardability of forwarded tickets, and autologin via the krb5.conf file is supported.
For the telnetd
daemon, specification of required Kerberos
authentication is supported.
Other functionalities are supported only to the extent that behavior is consistent with non-Kerberos, non-vendor-enhanced versions of these programs.
Kerberos V5 authentication to remote host running KerbNet
klogind
and connection to that remote host using the rlogin
protocal is supported. Specification of Kerberos realm, encryption or
non-encryption, forwarding or non-forwarding of forwardable tickets,
forwardability or non-forwardability of forwarded tickets, and username
on the remote host is supported.
Configuring default behavior regarding encryption, forwarding, and forwardability of forwarded tickets via the krb5.conf file is supported.
For the klogind
daemon, specification of required Kerberos V5
and/or Kerberos V4 authentication, required checksums for Kerberos V5
(not compatible with earlier versions (beta 6 and earlier) of Kerberos
V5), and rejection of non-Kerberos authenticated connections is
supported.
Other functionalities are supported only to the extent that behavior is consistent with non-Kerberos, non-vendor-enhanced versions of these programs.
Kerberos V5 authentication to remote host running KerbNet
ftpd
, connection to the remote host using the FTP protocol, and
file transfer to or from the remote host using the FTP protocol is
supported. Specification of Kerberos realm and forwarding of tickets is
supported. Specification of data integrity checking (via cryptographic
checksum) and/or encryption at the ftp>
prompt is supported.
For the ftpd
daemon, specification of the Kerberos Configuration
(krb5.conf) file, and required Kerberos authentication is supported.
Other functionalities are supported only to the extent that behavior is consistent with non-Kerberos, non-vendor-enhanced versions of these programs.
Kerberos V5 authentication and switching of user ID by ksu
to the
target user if the requesting user is listed in the target user's
~/.k5login file is supported. Execution of specific commands through
ksu
if the requesting user is listed in the target user's
~/.k5login or ~/.k5users file is supported. Kerberos V5
preauthentication via challenge/response on SNK4 device from Digital
Pathways is supported.
As with the other KerbNet binaries, the send-pr
program
is installed in the directory /usr/cygnus/kerbnet/bin
.
Before using send-pr
for the first time, you need to install your
customer support ID into the program, by typing the command:
shell% install-sid customerID
replacing customerID with your customer ID, which your sales representative will supply.
The send-pr
program enters the problem report into our Problem
Report Management System (PRMS), which automatically assigns it to the
engineer best able to help you with problems in the assigned category.
The engineer will work with you via email, telephone, or both, and all
email related to this Problem Report will be tracked by PRMS for future
reference. If the engineer does not reply to you after a certain time,
a reminder is automatically generated. If you need to talk to someone
else in our organization about the problem (e.g., if the engineer
gets hit by a truck), we can find out what the current state is through
the PR number. Cygnus Solutions uses PRMS for almost all of the real
problems we handle.
The send-pr
program will try to intelligently fill in as many
fields as it can. You need to choose the category, class,
severity, and priority of the problem, as well as giving us
as much information as you can about its exact nature.
The PR category will be one of:
kerberos kerbnet doc help-request info-request install query-pr id-request send-pr
In general, if specific knowledge about Kerberos is requried to answer a PR, use the kerberos or doc categories. The install category is for problems retrieving the code off the media (e.g., the data on a tape seems to be corrupted.) Questions about the installation procedures described in this document would fall under the category kerberos. The help-request and info-request categories are for general questions about your contract, or other issues not necessarily related to KerbNet. Use query-pr to receive a current copy of your Problem Report, id-request if you need a customer ID, and send-pr if you're having trouble using send-pr. If your question is related to KerbNet and you're not sure what the most appropriate category should be, use kerberos. The engineer can change the category if necessary.
The class can be sw-bug, doc-bug, change-request, or support. The first two are exactly as their names imply. The change-request class is to inform us of changes, such as new email addresses or new contact information. The support class is intended for general questions about using the KerbNet clients or libraries.
The severity of the problem indicates the problem's impact on the usability of the KerbNet software package. If a problem is critical, that means the product, component or concept is completely non-operational, or some essential functionality is missing, and no workaround is known. A serious problem is one in which the product, component or concept is not working properly or significant functionality is missing. Problems that would otherwise be considered critical are rated serious when a workaround is known. A non-critical problem is one that is indeed a problem, but one that is having a minimal affect on your ability to use KerbNet. E.g., The product, component or concept is working in general, but lacks features, has irritating behavior, does something wrong, or doesn't match its documentation. The default severity is serious.
The priority indicates how urgent this particular problem is in relation to your work. Note that low priority does not imply low importance. Cygnus Solutions considers all problems important, and encourages its customers to be realistic about priority ratings. A priority of high means a solution is needed as soon as possible. A priority of medium means the problem should be solved no later than the next release. A priority of low means the problem should be solved in a future release, but it is not important to your work how soon this happens. The default priority is medium.
Note that a given severity does not necessarily imply a given priority. For example, a non-critical problem might still have a high priority if you are faced with a hard deadline. Conversely, a serious problem might have a low priority if the feature it is disabling is one that you do not need.
The release is as labeled on the software that was shipped.
e.g., kerbnet-1.2
. It is important
that you tell us which release you are using, and whether or not you
have made any private changes.
Bug reports that include proposed fixes are especially welcome. If you include proposed fixes, please send them using either context diffs (`diff -c') or unified diffs (`diff -u').
l
A sample filled-out form from a company named "Toasters, Inc." might look like this:
To: bugs@cygnus.com Subject: "KDC reply did not match expectations" error From: joe.smith@toasters.com Reply-To: joe.smith@toasters.com X-send-pr-version: 3.97-96q1 >Submitter-Id: toastersinc >Confidential: yes >Originator: Joe Smith (+1 415 903 1400) >Organization: ----- Joe Smith joe.smith@toasters.com Toasters, Inc. "The best UI in the world" >Synopsis: "KDC reply did not match expectations" error message >Severity: non-critical >Priority: low >Category: kerberos >Class: sw-bug >Release: kerbnet-1.2 >Environment: NetBSD viola 1.1 NetBSD 1.1 (ATHENAADP) #0: Tue May 21 00:31:42 EDT 1996 i386 System: Intel P166 Architecture: NetBSD >Description: <description of problem goes here> Getting "KDC reply did not match expectations" message. This does not seem to be affecting anything else. >How-To-Repeat: <If the Problem Report is marked "Confidential: yes",> <it will not be available to anyone but our engineers,> <please contact us if you are concerned about sensitive source> <code.> It happens when I type kinit. >Fix: <If you have already found a correct way to stop this problem,> <please let us know!> None. Sorry.
l
If the send-pr
program does not work for you, you can use the
following template instead:
To: bugs@cygnus.com Subject: From: Reply-To: X-send-pr-version: none (typed manually) >Submitter-Id: >Originator: >Organization: <organization of PR author (multiple lines)> >Confidential: <[ yes | no ] (one line)> >Synopsis: <synopsis of the problem (one line)> >Severity: <[ non-critical | serious | critical ] (one line)> >Priority: <[ low | medium | high ] (one line)> >Category: <name of the product (one line)> >Class: <[ sw-bug | doc-bug | change-request | support ] (one line)> >Release: cns-9?q? >Environment: <machine, os, target, libraries (multiple lines)> System: Architecture: >Description: <precise description of the problem (multiple lines)> >How-To-Repeat: <code/input/activities to reproduce the problem (multiple lines)> >Fix: <how to correct or work around the problem, if known (multiple lines)>
This is the Kerberos v5 library error code table. Protocol error codes are ERROR_TABLE_BASE_krb5 + the protocol error code number; other error codes start at ERROR_TABLE_BASE_krb5 + 128.
This is the Kerberos v5 database library error code table.
This is the Kerberos v5 magic numbers error code table.
Generic GSSAPI Errors:
Kerberos 5 GSSAPI Errors:
This is a complete listing of the time zones recognized by the
kadmin
command.