Copyright (C) 1985-2001 by the Massachusetts Institute of Technology.
Export of software employing encryption from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
@hrule
The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.
@hrule
Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice:
Copyright (C) 1983 Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
This product includes software developed by the University of California, Berkeley and its contributors.
@hrule
Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions. @pagealignmacro
Since Kerberos negotiates authenticated, and optionally encrypted, communications between two points anywhere on the internet, it provides a layer of security that is not dependent on which side of a firewall either client is on. Since studies have shown that half of the computer security breaches in industry happen from inside firewalls, Kerberos V5 from MIT will play a vital role in the security of your network.
This document is one piece of the document set for Kerberos V5. The documents, and their intended audiences, are:
The next chapter describes how Kerberos works.
Chapter three describes administration of the principals in the Kerberos database.
Chapter four describes administrative programs for manipulating the Kerberos database as a whole.
Chapter five describes issues to consider when adding an application server to the database.
Chapter six describes our problem reporting system.
The appendices include sample configuration files, the list of Kerberos
error messages, and a complete list of the time zones understood by
kadmin.
This section provides a simplified description of a general user's
interaction with the Kerberos system. This interaction happens
transparently--users don't need to know and probably don't care about
what's going on--but Kerberos administrators might find a schematic
description of the process useful. This description glosses over a lot
of details; for more information, see Kerberos: An Authentication
Service for Open Network Systems, a paper presented at Winter USENIX
1988, in Dallas, Texas. This paper can be retreived by FTP from
athena-dist.mit.edu, in the location:
/pub/ATHENA/kerberos/doc/USENIX.ps.
In an environment that provides network services, you use client programs to request services from server programs that are somewhere on the network. Suppose you have logged in to a workstation and you want to `rlogin' to a typical UNIX host. You use the local `rlogin' client program to contact the remote machine's `rlogind' daemon.
Under Kerberos, the `klogind' daemon allows you to login to a remote machine if you can provide `klogind' a Kerberos ticket which proves your identity. In addition to the ticket, you must also have possession of the corresponding ticket session key. The combination of a ticket and the ticket's session key is known as a credential.
Typically, a client program automatically obtains credentials identifying the person using the client program. The credentials are obtained from a Kerberos server that resides somewhere on the network. A Kerberos server maintains a database of user, server, and password information.
Kerberos will give you credentials only if you have an entry in the Kerberos server's Kerberos database. Your database entry includes your Kerberos principal (an identifying string, which is often just your username), and your Kerberos password. Every Kerberos user must have an entry in this database.
Each administrative domain will have its own Kerberos database, which contains information about the users and services for that particular site or administrative domain. This administrative domain is the Kerberos realm.
Each Kerberos realm will have at least one Kerberos server, where the master Kerberos database for that site or administrative domain is stored. A Kerberos realm may also have one or more slave servers, which have read-only copies of the Kerberos database that are periodically propagated from the master server. For more details on how this is done, see the "Set Up the Slave KDCs for Database Propagation" and "Propagate the Database to Each Slave KDC" sections of the Kerberos V5 Installation Guide.
The `kinit' command prompts for your password. If you enter it successfully, you will obtain a ticket-granting ticket and a ticket session key which gives you the right to use the ticket. This combination of the ticket and its associated key is known as your credentials. As illustrated below, client programs use your ticket-granting ticket credentials in order to obtain client-specific credentials as needed.
Your credentials are stored in a credentials cache, which is often
just a file in /tmp. The credentials cache is also called the
ticket file, especially in Kerberos V4 documentation. Note,
however, that a credentials cache does not have to be stored in a file.
The master database also contains entries for all network services that require Kerberos authentication. Suppose that your site has a machine, `laughter.mit.edu', that requires Kerberos authentication from anyone who wants to `rlogin' to it. The host's Kerberos realm is `ATHENA.MIT.EDU'.
This service must be registered in the Kerberos database, using the proper service name, which in this case is the principal:
host/laughter.mit.edu@ATHENA.MIT.EDU
The `/' character separates the Kerberos primary (in this case, `host') from the instance (in this case, `laughter.mit.edu'); the `@' character separates the realm name (in this case, `ATHENA.MIT.EDU') from the rest of the principal. The primary, `host', denotes the name or type of the service that is being offered: generic host-level access to the machine. The instance, `laughter.mit.edu', names the specific machine that is offering this service. There will generally be many different machines, each offering one particular type of service, and the instance serves to give each one of these servers a different Kerberos principal.
For each service, there must also be a service key known only by Kerberos and the service. On the Kerberos server, the service key is stored in the Kerberos database.
On the server host, these service keys are stored in key tables,
which are files known as keytabs.(1) For example, the service keys used by
services that run as root are usually stored in the keytab file
/etc/krb5.keytab. N.B.: This service key is the equivalent
of the service's password, and must be kept secure. Data which is meant
to be read only by the service is encrypted using this key.
Suppose that you walk up to a host intending to login to it, and then `rlogin' to the machine `laughter'. Here's what happens:
host% rlogin laughter
klogind will let you
login.
Following are definitions of some of the Kerberos terminology.
telnet and
rsh), "ftp" (FTP), "krbtgt" (authentication;
cf. ticket-granting ticket), and "pop" (email).
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms. Normally,
you should install your krb5.conf file in the directory
/etc. You can override the default location by setting the
environment variable `KRB5_CONFIG'.
The krb5.conf file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
section may contain zero or more relations, of the form:
foo = bar
or
fubar = {
foo = bar
baz = quux
}
The krb5.conf file may contain any or all of the following seven
sections:
The libdefaults section may contain any of the following
relations:
Each tag in the [appdefaults] section names a Kerberos V5 application. The value of the tag is a subsection with relations that define the default behaviors for that application.
For example:
[appdefaults]
kinit = {
forwardable = true
}
telnet = {
forward = true
encrypt = true
autologin = true
}
The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the [realms] section.
Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection:
The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name, or a domain name, where domain names are indicated by a prefix of a period (`.'). The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case.
If no translation entry applies, the host's realm is considered to be the hostname's domain portion converted to upper case. For example, the following [domain_realm] section:
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
crash.mit.edu = TEST.ATHENA.MIT.EDU
fubar.org = FUBAR.ORG
maps crash.mit.edu into the TEST.ATHENA.MIT.EDU realm. All other hosts in the mit.edu domain will map by default to the ATHENA.MIT.EDU realm, and all hosts in the fubar.org domain will map by default into the FUBAR.ORG realm. Note the entries for the hosts mit.edu and fubar.org. Without these entries, these hosts would be mapped into the Kerberos realms `EDU' and `ORG', respectively.
The [logging] section indicates how a particular entity is to perform its logging. The relations in this section assign one or more values to the entity name. Currently, the following entities are used:
Values are of the following forms:
syslog(3) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT,
LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG.
For example, a value of `CRIT' would specify LOG_CRIT severity.
The facility argument specifies the facility under which the messages
are logged. This may be any of the following facilities supported by
the syslog(3) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL,
LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and
LOG_LOCAL0 through LOG_LOCAL7.
If no severity is specified, the default is ERR. If no facility is
specified, the default is AUTH.
In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging messages from the administrative server will be appended to the file /var/adm/kadmin.log and sent to the device /dev/tty04.
[logging]
kdc = CONSOLE
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/adm/kadmin.log
admin_server = DEVICE=/dev/tty04
In order to perform direct (non-hierarchical) cross-realm authentication, a database is needed to construct the authentication paths between the realms. This section defines that database.
A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used be the client, by checking the transited field of the received ticket.
There is a tag for each participating realm, and each tag has subtags for each of the realms. The value of the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowd to participate.
There are n**2 possible entries in this table, but only those entries which will be needed on the client or the server need to be present. The client needs a tag for its local realm, with subtags for all the realms of servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve.
For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV which will authenticate with NERSC.GOV but not PNL.GOV. The [capath] section for ANL.GOV systems would look like this:
[capaths]
ANL.GOV = {
TEST.ANL.GOV = .
PNL.GOV = ES.NET
NERSC.GOV = ES.NET
ES.NET = .
}
TEST.ANL.GOV = {
ANL.GOV = .
}
PNL.GOV = {
ANL.GOV = ES.NET
}
NERSC.GOV = {
ANL.GOV = ES.NET
}
ES.NET = {
ANL.GOV = .
}
The [capath] section of the configuration file used on NERSC.GOV systems would look like this:
[capaths]
NERSC.GOV = {
ANL.GOV = ES.NET
TEST.ANL.GOV = ES.NET
TEST.ANL.GOV = ANL.GOV
PNL.GOV = ES.NET
ES.NET = .
}
ANL.GOV = {
NERSC.GOV = ES.NET
}
PNL.GOV = {
NERSC.GOV = ES.NET
}
ES.NET = {
NERSC.GOV = .
}
TEST.ANL.GOV = {
NERSC.GOV = ANL.GOV
NERSC.GOV = ES.NET
}
In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to determing the path. (It is not important to the server, since the transited field is not sorted.)
This feature is not currently supported by DCE. DCE security servers can be used with Kerberized clients and servers, but versions prior to DCE 1.1 did not fill in the transited field, and should be used with caution.
Here is an example of a generic krb5.conf file:
[libdefaults]
ticket_lifetime = 600
default_realm = ATHENA.MIT.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
FUBAR.ORG = {
kdc = kerberos.fubar.org
kdc = kerberos-1.fubar.org
admin_server = kerberos.fubar.org
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
@vfill
The kdc.conf file contains KDC configuration information,
including defaults used when issuing Kerberos tickets. Normally, you
should install your kdc.conf file in the directory
/usr/local/var/krb5kdc. You can override the default
location by setting the environment variable `KRB5_KDC_PROFILE'.
The kdc.conf file is set up in the same format as the
krb5.conf file. (See section krb5.conf.) The kdc.conf file
may contain any or all of the following three sections:
The following relation is defined in the [kdcdefaults] section:
Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm.
For each realm, the following tags may be specified in the [realms] subsection:
/usr/local/var/krb5kdc/kadm5.acl.
/usr/local/var/krb5kdc/kadm5.keytab.
/usr/local/var/krb5kdc/principal.
/usr/local/var/krb5kdc/kadm5.dict.
kdb5_util stash). The default is
/usr/local/var/krb5kdc/.k5.REALM, where REALM is the
Kerberos realm.
kadmin will have keys of these types. If you do not yet wish to
enable triple-DES support, you should set this tag to
`des-cbc-crc:normal des-cbc-crc:v4'; otherwise, put
`des3-hmac-sha1:normal' at the beginning of the list.
true, false). If set to true, the
KDC will check the list of transited realms for cross-realm tickets
against the transit path computed from the realm names and the
capaths section of its krb5.conf file; if the path in the
ticket to be issued contains any realms not in the computed path, the
ticket will not be issued, and an error will be returned to the client
instead. If this value is set to false, such tickets will be
issued anyways, and it will be left up to the application server to
validate the realm transit path.
If the disable-transited-check flag is set in the incoming
request, this check is not performed at all. Having the
reject_bad_transit option will cause such ticket requests to be
rejected always.
This transit path checking and config file option currently apply only
to TGS requests.
Earlier versions of the MIT release (before 1.2.3) had bugs in the
application server support such that the server-side checks may not be
performed correctly. We recommend turning this option on, unless you
know that all application servers in this realm have been updated to
fixed versions of the software, and for whatever reason, you don't want
the KDC to do the validation.
This is a per-realm option so that multiple-realm KDCs may control it
separately for each realm, in case (for example) one realm has had the
software on its application servers updated but another has not.
This option defaults to true.
Here's an example of a kdc.conf file:
[kdcdefaults]
kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
}
[logging]
kdc = FILE:/usr/local/var/krb5kdc/kdc.log
admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
Your Kerberos database contains all of your realm's Kerberos principals,
their passwords, and other administrative information about each
principal. For the most part, you will use the kdb5_util program
to manipulate the Kerberos database as a whole, and the kadmin
program to make changes to the entries in the database. (One notable
exception is that users will use the kpasswd program to change
their own passwords.) The kadmin program has its own
command-line interface, to which you type the database administrating
commands.
Kdb5_util provides a means to create, delete, load, or dump a
Kerberos database. It also includes a command to stash a copy of the
master database key in a file on a KDC, so that the KDC can authenticate
itself to the kadmind and krb5kdc daemons at boot time.
Kadmin provides for the maintenance of Kerberos principals, KADM5
policies, and service key tables (keytabs). It exists as both a
Kerberos client, kadmin, using Kerberos authentication and an
RPC, to operate securely from anywhere on the network, and as a local
client, kadmin.local, intended to run directly on the KDC without
Kerberos authentication. Other than the fact that the remote client
uses Kerberos to authenticate the person using it, the functionalities
of the two versions are identical. The local version is necessary to
enable you to set up enough of the database to be able to use the remote
version. It replaces the now obsolete kdb5_edit (except for
database dump and load, which are provided by kdb5_util).
The remote version authenticates to the KADM5 server using the service
principal kadmin/admin. If the credentials cache contains a
ticket for the kadmin/admin principal, and the `-c ccache'
option is specified, that ticket is used to authenticate to KADM5.
Otherwise, the `-p' and `-k' options are used to specify the
client Kerberos principal name used to authenticate. Once kadmin has
determined the principal name, it requests a kadmin/admin
Kerberos service ticket from the KDC, and uses that service ticket to
authenticate to KADM5.
You can invoke kadmin with any of the following options:
kadmin will append admin to
either the primary principal name, the environment variable USER, or to
the username obtained grom getpwuid, in order of preference.
kadmin/admin
service, which can be acquired with the kinit program. If this
option is not specified, kadmin requests a new service ticket
from the KDC, and stores it in its own temporary ccache.
kadmin. This is useful for writing
scripts that pass specific queries to kadmin.
kadmin.local only.)
Sets the list of cryptosystem and salt types to be used for any new keys
created. Available types include `des3-cbc-sha1:normal',
`des-cbc-crc:normal', and `des-cbc-crc:v4'.
Many of the kadmin commands take a duration or time as an
argument. The date can appear in a wide variety of formats, such as:
"15 minutes" "7 days" "1 month" "2 hours" "400000 seconds" "next year" "this Monday" "next Monday" yesterday tomorrow now "second Monday" fortnight "3/31/1992 10:00:07 PST" "January 23, 2007 10:05pm" "22:00 GMT"
Two-digit years are allowed in places, but the use of this form is not recommended.
Note that if the date specification contains spaces, you must enclose it in double quotes. Note also that you cannot use a number without a unit. (I.e., ""60 seconds"" is correct, but "60" is incorrect.) All keywords are case-insensitive. The following is a list of all of the allowable keywords.
kadmin recognizes abbreviations for most of the world's time
zones. A complete listing appears in section kadmin Time Zones.
Each entry in the Kerberos database contains a Kerberos principal (see section Definitions) and the attributes and policies associated with that principal.
To retrieve a listing of the attributes and/or policies associated with
a principal, use the kadmin get_principal command, which
requires the "inquire" administrative privilege. The syntax is:
get_principal principal
The get_principal command has the alias getprinc.
For example, suppose you wanted to view the attributes of the principals
jennifer/root@ATHENA.MIT.EDU and
systest@ATHENA.MIT.EDU. You would type:
shell% kadmin kadmin: getprinc jennifer/root Principal: jennifer/root@ATHENA.MIT.EDU Key version: 3 Maximum life: 1 day 00:00:00 Maximum renewable life: 7 days 00:00:00 Master key version: 1 Expires: Mon Jan 18 22:14:07 EDT 2038 Password expires: Mon Sep 19 14:40:00 EDT 1996 Password last changed: Mon Jan 31 02:06:40 EDT 1996 Last modified: by joeadmin/admin@ATHENA.MIT.EDU on Wed Jul 13 18:27:08 EDT 1996 Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, REQUIRES_HW_AUTH Salt type: DEFAULT kadmin:
The get_principal command has a -terse option, which lists
the fields as a quoted, tab-separated string. For example:
kadmin: getprinc -terse systest systest@ATHENA.MIT.EDU 3 86400 604800 1 785926535 753241234 785900000 joeadmin/admin@ATHENA.MIT.EDU 786100034 0 0 kadmin:
To generate a listing of principals, use the kadmin
list_principals command, which requires the "list" privilege.
The syntax is:
list_principals [expression]
where expression is a shell-style glob expression that can
contain the characters `*', `?', `[', and `]'. All
policy names matching the expression are displayed. The
list_principals command has the alias listprincs. For
example:
kadmin: listprincs test* test3@mit.edu test2@mit.edu test1@mit.edu testuser@mit.edu kadmin:
If no expression is provided, all principals are printed.
Administrative privileges for the Kerberos database are stored in the
file kadm5.acl. Each line of the file contains a principal, the
privileges that principal has, and optionally the target to which those
permissions apply. The privileges are represented by single letters;
UPPER-CASE letters represent negative permissions. The permissions are:
Principals in this file can include the * wildcard. Here is an
example of a kadm5.acl file. Note that order is important;
permissions are determined by the first matching entry.
*/admin@ATHENA.MIT.EDU * joeadmin@ATHENA.MIT.EDU ADMCIL joeadmin/*@ATHENA.MIT.EDU il jennifer/root@ATHENA.MIT.EDU cil */root@ATHENA.MIT.EDU */*@ATHENA.MIT.EDU i
In the above file, any principal with an admin instance
has all administrative privileges. The user joeadmin
has all permissions with his admin instance,
joeadmin/admin@ATHENA.MIT.EDU (matches the first
line). He has no permissions at all with his null instance,
joeadmin@ATHENA.MIT.EDU (matches the second
line). He has inquire and list permissions with any other
instance (matches the third line). When jennifer is
using her root
instance, jennifer/root@ATHENA.MIT.EDU, she has
change password, inquire, and list privileges for any other
principal that has the instance root. Finally, any principal in
the realm ATHENA.MIT.EDU (except for
joeadmin@ATHENA.MIT.EDU, as mentioned above)
has inquire privileges.
To add a principal to the database, use the kadmin add_principal
command, which requires the "add" administrative privilege. This
function creates the new principal and, if neither the -policy nor
-clearpolicy options are specified and the policy "default" exists,
assigns it that policy. The syntax is:
kadmin: add_principal [options] principal
To modify attributes of a principal, use the kadmin
modify_principal command, which requires the "modify"
administrative privilege. The syntax is:
kadmin: modify_principal [options] principal
add_principal has the aliases addprinc and
ank(2)
The add_principal and modify_principal commands take the
following switches:
modify_principal, removes the current policy from a
principal. For add_principal, suppresses the automatic
assignment of the policy "default".
modify_principal, the current policy assigned to the principal is
set or changed. With add_principal, if this option is not
supplied, the -clearpolicy is not specified, and the policy "default"
exists, that policy is assigned. If a principal is created with no
policy, kadmin will print a warning message.
modify_principal only).
add_principal
only). MIT recommends using this option for host keys.
add_principal only). MIT does
not recommend using this option.
If you want to just use the default values, all you need to do is:
kadmin: addprinc jennifer
WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU: @doubleleftarrow{ Type the password.}
Re-enter password for principal jennifer@ATHENA.MIT.EDU: @doubleleftarrow{ Type it again.}
Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:
If, on the other hand, you want to set up an account that expires on January 1, 2000, that uses a policy called "stduser", with a temporary password (which you want the user to change immediately), you would type the following. (Note: each line beginning with => is a continuation of the previous line.)
kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser
=> +needchange
Enter password for principal david@ATHENA.MIT.EDU: @doubleleftarrow{ Type the password.}
Re-enter password for principal
david@ATHENA.MIT.EDU: @doubleleftarrow{ Type it again.}
Principal "david@ATHENA.MIT.EDU" created.
kadmin:
If you will need cross-realm authentication, you need to add principals
for the other realm's TGT to each realm. For example, if you need to do
cross-realm authentication between the realms ATHENA.MIT.EDU and
FUBAR.ORG, you would need to add the principals
`krbtgt/FUBAR.ORG@ATHENA.MIT.EDU' and
`krbtgt/ATHENA.MIT.EDU@FUBAR.ORG' to both
databases. You need to be sure the passwords and the key version
numbers (kvno) are the same in both databases. This may require
explicitly setting the kvno with the `-kvno' option.
To delete a principal, use the kadmin delete_principal command,
which requires the "delete" administrative privilege. The syntax is:
delete_principal [-force] principal
delete_principal has the alias delprinc. The
-force option causes delete_principal not to ask if you're
sure. For example:
kadmin: delprinc jennifer Are you sure you want to delete the principal "jennifer@ATHENA.MIT.EDU"? (yes/no): yes Principal "jennifer@ATHENA.MIT.EDU" deleted. Make sure that you have removed this principal from all ACLs before reusing. kadmin:
To change a principal's password use the kadmin change_password
command, which requires the "modify" administrative privilege (unless
the principal is changing his/her own password). The syntax is:
change_password [options] principal
The change_password option has the alias cpw.
change_password takes the following options:
add_principal command (see section Adding or Modifying Principals).
For example:
kadmin: cpw david
Enter password for principal david@ATHENA.MIT.EDU: @doubleleftarrow{ Type the new password.}
Re-enter password for principal david@ATHENA.MIT.EDU: @doubleleftarrow{ Type it again.}
Password for david@ATHENA.MIT.EDU changed.
kadmin:
Note that change_password will not let you change the password to
one that is in the principal's password history.
A policy is a set of rules governing passwords. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database.
To retrieve a policy, use the kadmin get_policy command, which
requires the "inquire" administrative privilege. The syntax is:
get_policy [-terse] policy
The get_policy command has the alias getpol. For example:
kadmin: get_policy admin Policy: admin Maximum password life: 180 days 00:00:00 Minimum password life: 00:00:00 Minimum password length: 6 Minimum number of password character classes: 2 Number of old keys kept: 5 Reference count: 17 kadmin:
The reference count is the number of principals using that policy.
The get_policy command has a -terse option, which lists
each field as a quoted, tab-separated string. For example:
kadmin: get_policy -terse admin admin 15552000 0 6 2 5 17 kadmin:
You can retrieve the list of policies with the kadmin
list_policies command, which requires the "list" privilege. The
syntax is:
list_policies [expression]
where expression is a shell-style glob expression that can
contain the characters *, ?, and []. All policy names matching the
expression are displayed. The list_policies command has the alias
listpols. For example:
kadmin: listpols test-pol dict-only once-a-min test-pol-nopw kadmin: listpols t* test-pol test-pol-nopw kadmin:
To add a new policy, use the kadmin add_policy command, which
requires the "add" administrative privilege. The syntax is:
add_policy [options] policy_name
To modify attributes of a principal, use the kadmin modify_policy
command, which requires the "modify" administrative privilege. The
syntax is:
modify_policy [options] policy_name
add_policy has the alias addpol.
modify_poilcy has the alias modpol.
The add_policy and modify_policy commands take the
following switches:
To delete a policy, use the kadmin delete_policy command,
which requires the "delete" administrative privilege. The syntax is:
delete_policy policy_name
The delete_policy command has the alias delpol.
It prompts for confirmation before deletion.
For example:
kadmin: delete_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes Policy "guests" deleted. kadmin:
Note that you must cancel the policy from all principals before deleting
it. The delete_policy command will fail if it is in use by any
principals.
To dump a Kerberos database into a file, use the kdb5_util
dump command on one of the KDCs. The syntax is:
kdb5_util dump [-old] [-b6] [-b7] [-ov] [-verbose] [filename [principals...]]
The kdb5_util dump command takes the following options:
For example:
shell% kdb5_util dump dumpfile shell%
shell% kbd5_util dump -verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU shell%
If you specify which principals to dump, you must use the full principal, as in the following example. (The line beginning with => is a continuation of the previous line.):
shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU => kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU shell%
Otherwise, the principals will not match those in the database and will not be dumped:
shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin shell%
If you do not specify a dump file, kdb5_util will dump the
database to the standard output.
To restore a Kerberos database dump from a file, use the
kdb5_util load command on one of the KDCs. The syntax
is:
kdb5_util load [-old] [-b6] [-b7] [-ov] [-verbose] [-update] dumpfilename dbname [admin_dbname]
The kdb5_util load command takes the following options:
For example:
shell% kdb5_util load dumpfile principal shell%
shell% kdb5_util load -update dumpfile principal shell%
If the database file exists, and the -update flag was not given,
kdb5_util will overwrite the existing database.
A stash file allows a KDC to authenticate itself to the database
utilities, such as kadmin, kadmind, krb5kdc, and
kdb5_util.
To create a stash file, use the kdb5_util stash command.
The syntax is:
kdb5_util stash [-f keyfile]
For example:
shell% kdb5_util stash
kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key: @doubleleftarrow{ Type the KDC database master password.}
shell%
If you do not specify a stash file, kdb5_util will stash the key
in the file specified in your kdc.conf file.
If you need to create a new Kerberos database, use the kdb5_util
create command. The syntax is:
kdb5_util create [-s]
If you specify the `-s' option, kdb5_util will stash a copy
of the master key in a stash file. (See section Creating a Stash File.) For
example:
shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU create -s
kdb5_util: No such file or directory while setting active database to
=> '/usr/local/var/krb5kdc/principal'
Initializing database '/usr/local/var/krb5kdc/principal' for
=> realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: @doubleleftarrow{ Type the master password.}
Re-enter KDC database master key to verify: @doubleleftarrow{ Type it again.}
shell%
If you need to install the Kerberos V5 programs on an application server, please refer to the Kerberos V5 Installation Guide. Once you have installed the software, you need to add that host to the Kerberos database (see section Adding or Modifying Principals), and generate a keytab for that host, that contains the host's key. You also need to make sure the host's clock is within your maximum clock skew of the KDCs.
A keytab is a host's copy of its own keylist, which is analogous
to a user's password. An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key. Just as it is important for users to protect their passwords,
it is equally important for hosts to protect their keytabs. You should
always store keytab files on local disk, and make them readable only by
root, and you should never send a keytab file over a network in the
clear. Ideally, you should run the kadmin command to extract a
keytab on the host on which the keytab is to reside.
To generate a keytab, or to add a principal to an existing keytab, use
the ktadd command from kadmin, which requires the
"inquire" administrative privilege. (If you use the -glob
princ_exp option, it also requires the "list" administrative
privilege.) The syntax is:
ktadd [-k keytab] [-q] [principal | -glob princ_exp] [...]
The ktadd command takes the following switches:
ktadd will use the
default keytab file (/etc/krb5.keytab).
ktadd to display less verbose
information.
list_principals (see section Retrieving a List of Principals) command.
Here is a sample session, using configuration files that enable only `des-cbc-crc' encryption. (The line beginning with => is a continuation of the previous line.)
kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
kadmin: Entry for principal host/daffodil.mit.edu@ATHENA.MIT.EDU with
kvno 2, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin:
kadmin: ktadd -k /usr/local/var/krb5kdc/kadmind.keytab
=> kadmin/admin kadmin/changepw
kadmin: Entry for principal kadmin/admin@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
kadmin:
To remove a principal to an existing keytab, use the kadmin
ktremove command. The syntax is:
ktremove [-k keytab] [-q] principal [kvno | all | old]
The ktremove command takes the following switches:
ktremove will use
the default keytab file (/etc/krb5.keytab).
ktremove to display less verbose
information.
For example:
kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
kadmin: Entry for principal kadmin/admin with kvno 3 removed
from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
kadmin:
In order to prevent intruders from resetting their system clocks in
order to continue to use expired tickets, Kerberos V5 is set up to
reject ticket requests from any host whose clock is not within the
specified maximum clock skew of the KDC (as specified in the
kdc.conf file). Similarly, hosts are configured to reject
responses from any KDC whose clock is not within the specified maximum
clock skew of the host (as specified in the krb5.conf file). The
default value for maximum clock skew is 300 seconds (five minutes).
MIT suggests that you add a line to client machines'
/etc/rc files to synchronize the machine's clock to your KDC at
boot time. On UNIX hosts, assuming you had a kdc called
kerberos in your realm, this would be:
gettime -s kerberos
If the host is not likely to be rebooted frequently, you may also want to set up a cron job that adjusts the time on a regular basis.
Several aspects of Kerberos rely on name service. In order for Kerberos to provide its high level of security, it is less forgiving of name service problems than some other parts of your network. It is important that your Domain Name System (DNS) entries and your hosts have the correct information.
Each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name.
Other than the localhost entry, make all entries in each
machine's /etc/hosts file in the following form:
IP address fully-qualified hostname aliases
Here is a sample /etc/hosts file:
# this is a comment 127.0.0.1 localhost localhost@mit.edu 10.0.0.6 daffodil.mit.edu trillium wake-robin
Additionally, on Solaris machines, you need to be sure the "hosts"
entry in the file
/etc/nsswitch.conf includes the source
"dns" as well as "file".
Finally, each host's keytab file must include a host/key pair for the
host's canonical name. You can list the keys in a keytab file by
issuing the command klist -k. For example:
viola# klist -k Keytab name: /etc/krb5.keytab KVNO Principal ---- ------------------------------------------------------------ 1 host/daffodil.mit.edu@ATHENA.MIT.EDU
If you telnet to the host with a fresh credentials cache (ticket file),
and then klist, the host's service principal should be
host/fully-qualified-hostname@REALM_NAME.
If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either that you have a slave KDC outside your firewall, or you configure your firewall to allow UDP requests into to at least one of your KDCs, on whichever port the KDC is running. (The default is port 88; other ports may be specified in the KDC's kdc.conf file.) Similarly, if you need off-site users to be able to change their passwords in your realm, they must be able to get to your Kerberos admin server. The default port for the admin server is 749.
If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests to port 88. Additionally, if they will need to get to any Kerberos V4 KDCs, you may also need to allow TCP and UDP requests to port 750. If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749.
If any of your KDCs is outside your firewall, you will need to allow
kprop requests to get through to the remote KDC. Kprop
uses the krb5_prop service on port 754 (tcp).
If you need your off-site users to have access to machines inside your
firewall, you need to allow TCP connections from their off-site hosts on
the appropriate ports for the programs they will be using. The
following lines from /etc/services show the default port numbers
for the Kerberos V5 programs:
ftp 21/tcp # Kerberos ftp and telnet use the telnet 23/tcp # default ports kerberos 88/udp kdc # Kerberos V5 KDC kerberos 88/tcp kdc # Kerberos V5 KDC klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp cmd # and remote shell kerberos-adm 749/tcp # Kerberos 5 admin/changepw kerberos-adm 749/udp # Kerberos 5 admin/changepw krb5_prop 754/tcp # Kerberos slave propagation eklogin 2105/tcp # Kerberos auth. & encrypted rlogin krb524 4444/tcp # Kerberos 5 to 4 ticket translator
By default, Kerberos V5 telnet and ftp use the same
ports as the standard telnet and ftp programs, so if you
already allow telnet and ftp connections through your firewall, the
Kerberos V5 versions will get through as well. If you do not
already allow telnet and ftp connections through your firewall, but need
your users to be able to use Kerberos V5 telnet and ftp, you can
either allow ftp and telnet connections on the standard ports, or switch
these programs to non-default port numbers and allow ftp and telnet
connections on those ports to get through.
Kerberos V5 rlogin uses the klogin service, which by
default uses port 543. Encrypted Kerberos V5 rlogin uses uses the
eklogin service, which by default uses port 2105.
Kerberos V5 rsh uses the kshell service, which by
default uses port 544. However, the server must be able to make a TCP
connection from the kshell port to an arbitrary port on the client, so
if your users are to be able to use rsh from outside your
firewall, the server they connect to must be able to send outgoing
packets to arbitrary port numbers. Similarly, if your users need to run
rsh from inside your firewall to hosts outside your firewall, the
outside server needs to be able to connect to an arbitrary port on the
machine inside your firewall. Because Kerberos V5 rcp uses
rsh, the same issues apply. If you need to use rsh (or
rcp) through your firewall and are concerned with the security
implications of allowing connections to arbitrary ports, MIT
suggests that you have rules that specifically name these applications
and, if possible, list the allowed hosts.
A reasonably good cookbook for configuring firewalls is available by FTP
from
ftp.livingston.com, in the location:
/pub/firewall/firewall-1.1.ps.Z. The book UNIX System
Security, by David Curry, is also a good starting point.
When you back up a secure host, you should exclude the host's keytab file from the backup. If someone obtained a copy of the keytab from a backup, that person could make any host masquerade as the host whose keytab was compromised. This could be particularly dangerous if the compromised keytab was from one of your KDCs. If the machine has a disk crash and the keytab file is lost, it is easy to generate another keytab file. (See section Adding Principals to Keytabs.) If you are unable to exclude particular files from backups, you should ensure that the backups are kept as secure as the host's root password.
As with any file, it is possible that your Kerberos database could become corrupted. If this happens on one of the slave KDCs, you might never notice, since the next automatic propagation of the database would install a fresh copy. However, if it happens to the master KDC, the corrupted database would be propagated to all of the slaves during the next propagation. For this reason, MIT recommends that you back up your Kerberos database regularly. Because the master KDC is continuously dumping the database to a file in order to propagate it to the slave KDCs, it is a simple matter to have a cron job periodically copy the dump file to a secure machine elsewhere on your network. (Of course, it is important to make the host where these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the master KDC. (See section Restoring a Kerberos Database from a Dump File.)
In any complex software, there will be bugs. If you have successfully
built and installed Kerberos V5, please use the
krb5-send-pr program to fill out a Problem Report.
Bug reports that include proposed fixes are especially welcome. If you do include fixes, please send them using either context diffs or unified diffs (using `diff -c' or `diff -u', respectively). Please be careful when using "cut and paste" or other such means to copy a patch into a bug report; depending on the system being used, that can result in converting TAB characters into spaces, which makes applying the patches more difficult.
The krb5-send-pr program is installed in the directory
/usr/local/sbin.
The krb5-send-pr program enters the problem report into our
Problem Report Management System (PRMS), which automatically assigns it
to the engineer best able to help you with problems in the assigned
category.
The krb5-send-pr program will try to intelligently fill in as
many fields as it can. You need to choose the category,
class, severity, and priority of the problem, as well
as giving us as much information as you can about its exact nature.
The PR category will be one of:
krb5-admin krb5-appl krb5-build krb5-clients krb5-doc krb5-kdc krb5-libs krb5-misc pty telnet test
Choose the category that best describes the area under which your problem falls.
The class can be sw-bug, doc-bug, change-request, or support. The first two are exactly as their names imply. Use change-request when the software is behaving according to specifications, but you want to request changes in some feature or behavior. The support class is intended for more general questions about building or using Kerberos V5.
The severity of the problem indicates the problem's impact on the usability of Kerberos V5. If a problem is critical, that means the product, component or concept is completely non-operational, or some essential functionality is missing, and no workaround is known. A serious problem is one in which the product, component or concept is not working properly or significant functionality is missing. Problems that would otherwise be considered critical are rated serious when a workaround is known. A non-critical problem is one that is indeed a problem, but one that is having a minimal effect on your ability to use Kerberos V5. E.g., The product, component or concept is working in general, but lacks features, has irritating behavior, does something wrong, or doesn't match its documentation. The default severity is serious.
The priority indicates how urgent this particular problem is in relation to your work. Note that low priority does not imply low importance. A priority of high means a solution is needed as soon as possible. A priority of medium means the problem should be solved no later than the next release. A priority of low means the problem should be solved in a future release, but it is not important to your work how soon this happens. The default priority is medium.
Note that a given severity does not necessarily imply a given priority. For example, a non-critical problem might still have a high priority if you are faced with a hard deadline. Conversely, a serious problem might have a low priority if the feature it is disabling is one that you do not need.
It is important that you fill in the release field and tell us what changes you have made, if any.
Bug reports that include proposed fixes are especially welcome. If you include proposed fixes, please send them using either context diffs (`diff -c') or unified diffs (`diff -u').
@vfill
A sample filled-out form from a company named "Toasters, Inc." might look like this:
To: krb5-bugs@mit.edu
Subject: misspelled "Kerberos" in title of installation guide
From: jcb
Reply-To: jcb
Cc:
X-send-pr-version: 3.99
>Submitter-Id: mit
>Originator: Jeffrey C. Gilman Bigler
>Organization:
mit
>Confidential: no
>Synopsis: Misspelled "Kerberos" in title of installation guide
>Severity: non-critical
>Priority: low
>Category: krb5-doc
>Class: doc-bug
>Release: 1.0-development
>Environment:
<machine, os, target, libraries (multiple lines)>
System: ULTRIX imbrium 4.2 0 RISC
Machine: mips
>Description:
Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"
>How-To-Repeat:
N/A
>Fix:
Correct the spelling.
@vfill
If the krb5-send-pr program does not work for you, or if you did
not get far enough in the process to have an installed and working
krb5-send-pr, you can generate your own form, using the above as
an example.
This is the Kerberos v5 library error code table. Protocol error codes
are
ERROR_TABLE_BASE_krb5 + the protocol error code number; other
error codes start at ERROR_TABLE_BASE_krb5 + 128.
This is the Kerberos v5 database library error code table.
This is the Kerberos v5 magic numbers error code table.
Generic GSSAPI Errors:
Kerberos 5 GSSAPI Errors:
This is a complete listing of the time zones recognized by the
kadmin command.
This document was generated on 8 April 2003 using texi2html 1.56k.