<title>Kerberos V5 Installation Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Kerberos V5 Installation Guide">
<meta name="generator" content="makeinfo 4.5">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home">
<h5 class="subsubsection">Create the Database</h5>
<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to
create the Kerberos database and the optional stash file. The
<dfn>stash file</dfn> is a local copy of the master key that resides in
encrypted form on the KDC's local disk. The stash file is used to
authenticate the KDC to itself automatically before starting the
<code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the
machine's boot sequence). The stash file, like the keytab file
(see <a href="The-Keytab-File.html#The%20Keytab%20File">The Keytab File</a> for more information), is a potential
point of entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk. The file
should not be part of any backup of the machine, unless access to the
backup data is secured as tightly as access to the master password
<p>Note that <code>kdb5_util</code> will prompt you for the master key for the
Kerberos database. This key can be any string. A good key is one you
can remember, but that no one else can guess. Examples of bad keys are
words that can be found in a dictionary, any common or popular name,
especially a famous person (or cartoon character), your username in any
form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of
the sample keys that appear in this manual. One example of a key which
might be good if it did not appear in this manual is "MITiys4K5!",
which represents the sentence "MIT is your source for Kerberos 5!"
(It's the first letter of each word, substituting the numeral "4" for
the word "for", and includes the punctuation mark at the end.)
<p>The following is an example of how to create a Kerberos database and
stash file on the master KDC, using the <code>kdb5_util</code> command. (The
line that begins with => is a continuation of the previous line.)
Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
<b>Initializing database '/usr/local/var/krb5kdc/principal' for
=> realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.</b>
<b>Enter KDC database master key:</b> <i><= Type the master password.</i>
<b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i>
</pre>
<p>This will create five files in the directory specified in your
<code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>
and <code>principal.ok</code>; the Kerberos administrative database file,
<code>principal.kadm5</code>; the administrative database lock file,
<code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>. (The
default directory is <code>/usr/local/var/krb5kdc</code>.) If you do not
want a stash file, run the above command without the <code>-s</code> option.
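<p>As an added check that is not part of this guide or of the <code>kdb5_util</code> tool, the following shell function verifies that the five files listed above exist in the database directory and that the stash file carries the permissions this section calls for: readable only by root and stored on local disk. The directory and owner arguments are assumptions for the example; the defaults are the directory the guide names and root.

```shell
#!/bin/sh
# Added example, not part of the krb5 guide: verify that "kdb5_util create -s"
# left the five files named above in the kdc.conf database directory, and that
# the stash file is readable only by its owner, which on a real KDC is root.
# Usage: check_kdc_db_files [DB_DIR] [OWNER]
# (defaults: the guide's default directory and root; both are assumptions)
check_kdc_db_files() {
    db_dir="${1:-/usr/local/var/krb5kdc}"
    owner="${2:-root}"
    rc=0
    # The five files the guide says the command creates.
    for f in principal.db principal.ok principal.kadm5 principal.kadm5.lock .k5stash; do
        if [ ! -e "$db_dir/$f" ]; then
            echo "missing: $db_dir/$f"
            rc=1
        fi
    done
    stash="$db_dir/.k5stash"
    if [ -e "$stash" ]; then
        # Take the permission string and owner from ls -ld; this works on both
        # GNU and BSD userlands, unlike the differing stat(1) flag syntaxes.
        set -- $(ls -ld "$stash")
        mode="$1"
        who="$3"
        if [ "$who" != "$owner" ]; then
            echo "stash owner is $who, expected $owner"
            rc=1
        fi
        # Only "rw for the owner, nothing for group or other" is acceptable.
        # A trailing "." (SELinux label) is fine; a trailing "+" means an ACL
        # has widened access, so it is rejected along with any other mode.
        case "$mode" in
            -rw-------|-rw-------.) ;;
            *) echo "stash mode is $mode, expected -rw-------"; rc=1 ;;
        esac
        # Heuristic: a "host:/export" device in df output means the stash lives
        # on a network filesystem, not the KDC's local disk as the guide requires.
        case "$(df -P "$stash" | awk 'NR==2 {print $1}')" in
            *:*) echo "warning: $stash is on a network filesystem" ;;
        esac
    fi
    return "$rc"
}
```

Run it on the KDC as root after <code>kdb5_util create -s</code>; a non-zero exit means at least one file is missing or the stash is exposed.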