This is krb5-install.info, produced by makeinfo version 4.5 from

Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.

INFO-DIR-SECTION Kerberos
* krb5-install: (krb5-install). Kerberos V5 Installation Guide
11
File: krb5-install.info, Node: Mac OS X Configuration, Prev: Client Machine Configuration Files, Up: Client Machine Configuration Files

Mac OS X Configuration
......................

To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the
directions for generic Unix-based OS's, except for the `/etc/services'
updates described above.

Mac OS X and Mac OS X Server use a database called NetInfo to store the
contents of files normally found in `/etc'. Instead of modifying
`/etc/services', you should run the following commands to add the
Kerberos service entries to NetInfo:

     $ niutil -create . /services/kerberos
     $ niutil -createprop . /services/kerberos name kerberos kdc
     $ niutil -createprop . /services/kerberos port 750
     $ niutil -createprop . /services/kerberos protocol tcp udp
     $ niutil -create . /services/krbupdate
     $ niutil -createprop . /services/krbupdate name krbupdate kreg
     $ niutil -createprop . /services/krbupdate port 760
     $ niutil -createprop . /services/krbupdate protocol tcp
     $ niutil -create . /services/kpasswd
     $ niutil -createprop . /services/kpasswd name kpasswd kpwd
     $ niutil -createprop . /services/kpasswd port 761
     $ niutil -createprop . /services/kpasswd protocol tcp
     $ niutil -create . /services/klogin
     $ niutil -createprop . /services/klogin port 543
     $ niutil -createprop . /services/klogin protocol tcp
     $ niutil -create . /services/eklogin
     $ niutil -createprop . /services/eklogin port 2105
     $ niutil -createprop . /services/eklogin protocol tcp
     $ niutil -create . /services/kshell
     $ niutil -createprop . /services/kshell name kshell krcmd
     $ niutil -createprop . /services/kshell port 544
     $ niutil -createprop . /services/kshell protocol tcp

In addition to adding services to NetInfo, you must also modify the
resolver configuration in NetInfo so that the machine resolves its own
hostname as a FQDN (fully qualified domain name). By default, Mac OS X
and Mac OS X Server machines query NetInfo to resolve hostnames before
falling back to DNS. Because NetInfo has an unqualified name for all
the machines in the NetInfo database, the machine's own hostname will
resolve to an unqualified name. Kerberos needs a FQDN to look up keys
in the machine's keytab file.

Fortunately, you can change the `lookupd' caching order to query DNS
first. Run the following NetInfo commands and reboot the machine:

     $ niutil -create . /locations/lookupd/hosts
     $ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent

Once you have rebooted, you can verify that the resolver now behaves
correctly. Compile the Kerberos 5 distribution and run:

     $ cd .../src/tests/resolve

This will tell you whether or not your machine returns FQDNs on name
lookups. If the test still fails, you can also try turning off DNS
caching. Run the following commands and reboot:

     $ niutil -create . /locations/lookupd/hosts
     $ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent CacheAgent NIAgent NILAgent

The remainder of the setup of a Mac OS X client machine or application
server should be the same as for other UNIX-based systems.
82
File: krb5-install.info, Node: UNIX Application Servers, Prev: Installing and Configuring UNIX Client Machines, Up: Installing Kerberos V5

UNIX Application Servers
========================

An application server is a host that provides one or more services over
the network. Application servers can be "secure" or "insecure." A
"secure" host is set up to require authentication from every client
connecting to it. An "insecure" host will still provide Kerberos
authentication, but will also allow unauthenticated clients to connect.

If you have Kerberos V5 installed on all of your client machines,
MIT recommends that you make your hosts secure, to take advantage of
the security that Kerberos authentication affords. However, if you
have some clients that do not have Kerberos V5 installed, you can run
an insecure server, and still take advantage of Kerberos V5's single

* Some Advice about Secure Hosts::
106
File: krb5-install.info, Node: The Keytab File, Next: Some Advice about Secure Hosts, Prev: UNIX Application Servers, Up: UNIX Application Servers

All Kerberos server machines need a "keytab" file, called
`/etc/krb5.keytab', to authenticate to the KDC. The keytab file is an
encrypted, local, on-disk copy of the host's key. The keytab file,
like the stash file (*Note Create the Database::), is a potential
point-of-entry for a break-in, and if compromised, would allow
unrestricted access to its host. The keytab file should be readable
only by root, and should exist only on the machine's local disk. The
file should not be part of any backup of the machine, unless access to
the backup data is secured as tightly as access to the machine's root

In order to generate a keytab for a host, the host must have a principal
in the Kerberos database. The procedure for adding hosts to the
database is described fully in the "Adding or Modifying Principals"
section of the `Kerberos V5 System Administrator's Guide'. (*Note
Create Host Keys for the Slave KDCs::. for a brief description.) The
keytab is generated by running `kadmin' and issuing the `ktadd' command.

For example, to generate a keytab file to allow the host
trillium.mit.edu to authenticate for the services `host', `ftp', and
`pop', the administrator `joeadmin' would issue the command (on

     trillium% /usr/local/sbin/kadmin
     kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
     => pop/trillium.mit.edu
     kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.

If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (`trillium', in the above
example) without sending it unencrypted over the network.
154
File: krb5-install.info, Node: Some Advice about Secure Hosts, Prev: The Keytab File, Up: UNIX Application Servers

Some Advice about Secure Hosts
------------------------------

Kerberos V5 can protect your host from certain types of break-ins, but
it is possible to install Kerberos V5 and still leave your host
vulnerable to attack. Obviously an installation guide is not the place
to try to include an exhaustive list of countermeasures for every
possible attack, but it is worth noting some of the larger holes and how

We recommend that backups of secure machines exclude the keytab file
(`/etc/krb5.keytab'). If this is not possible, the backups should at
least be done locally, rather than over a network, and the backup tapes
should be physically secured.

The keytab file and any programs run by root, including the Kerberos V5
binaries, should be kept on local disk. The keytab file should be
readable only by root.
176
File: krb5-install.info, Node: Upgrading Existing Kerberos V5 Installations, Next: Bug Reports for Kerberos V5, Prev: Installing Kerberos V5, Up: Top

Upgrading Existing Kerberos V5 Installations
********************************************

If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
current release with the `kdb5_util' command. It is only necessary to
perform this dump/undump procedure if you were running a krb5-1.0.x KDC
and are migrating to a krb5-1.1.x or newer KDC or if you were running a
krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer KDC. The
process for upgrading a Master KDC involves the following steps:

  1. Stop your current KDC and administration server processes, if any.

  2. Dump your existing Kerberos database to an ASCII file with
     `kdb5_util''s "dump" command:

          shell% cd /usr/local/var/krb5kdc
          shell% kdb5_util dump old-kdb-dump
          shell% kdb5_util dump -ov old-kdb-dump.ov

  3. Create a new Master KDC installation (*Note Install the Master
     KDC::.). If you have a stash file for your current database,
     choose any new master password but then copy your existing stash
     file to the location specified by your kdc.conf; if you do not
     have a stash file for your current database, you must choose the
     same master password.

  4. Load your old Kerberos database into the new system with
     `kdb5_util''s "load" command:

          shell% cd /usr/local/var/krb5kdc
          shell% kdb5_util load old-kdb-dump
          shell% kdb5_util load -update old-kdb-dump.ov

The "dump -ov" and "load -update" commands are necessary in order to
preserve per-principal policy information, since the default dump format
filters out that information. If you omit those steps, the loaded
database will lose the policy information for each principal

To update a Slave KDC, you must stop the old server processes on the
Slave KDC, install the new server binaries, reload the most recent slave
dump file, and re-start the server processes.

* Upgrading to Triple-DES and RC4 Encryption Keys::
230
File: krb5-install.info, Node: Upgrading to Triple-DES and RC4 Encryption Keys, Prev: Upgrading Existing Kerberos V5 Installations, Up: Upgrading Existing Kerberos V5 Installations

Upgrading to Triple-DES Encryption Keys
=======================================

Beginning with the 1.2 release from MIT, Kerberos includes a stronger
encryption algorithm called "triple DES" - essentially, three
applications of the basic DES encryption algorithm, greatly increasing
the resistance to a brute-force search for the key by an attacker.
This algorithm is more secure, but encryption is much slower.

Release 1.1 had some support for triple-DES service keys, but with
release 1.2 we have added support for user keys and session keys as
well. Release 1.0 had very little support for multiple cryptosystems,
and some of that software may not function properly in an environment
using triple-DES as well as plain DES.

In the 1.3 release from MIT, Kerberos also includes the RC4 encryption
algorithm, a stream cipher symmetric key algorithm developed in 1987
by Ronald Rivest at RSA Data Security. Please note that RC4 is not
part of the IETF standard.

Because of the way the MIT Kerberos database is structured, the KDC
will assume that a service supports only those encryption types for
which keys are found in the database. Thus, if a service has only a
single-DES key in the database, the KDC will not issue tickets for that
service that use triple-DES or RC4 session keys; it will instead issue
only single-DES session keys, even if other services are already
capable of using triple-DES or RC4. So if you make sure your
application server software is updated before adding a triple-DES or
RC4 key for the service, clients should be able to talk to services at
all times during the updating process.

Normally, the listed `supported_enctypes' in `kdc.conf' are all used
when a new key is generated. You can control this with command-line
flags to `kadmin' and `kadmin.local'. You may want to exclude
triple-DES and RC4 by default until you have updated a lot of your
application servers, and then change the default to include triple-DES
and RC4. We recommend that you always include `des-cbc-crc' in the
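Because the KDC only issues session keys of the enctypes for which a service principal has keys, an administrator rolling out triple-DES or RC4 wants to see, per service, which enctypes are already present before adding more. The following shell function is an added example, not part of the MIT guide: it parses the output of `kadmin.local -q "getprinc ..."' (the sample output embedded below is constructed, and the wording of its `Key:' lines is assumed to follow the 1.2-era display format).

```shell
#!/bin/sh
# Added example (not from the krb5 guide): given the output of
#   kadmin.local -q "getprinc host/trillium.mit.edu"
# as a string, report whether the principal already has a key of each
# enctype discussed in this section.  The wording of "Key:" lines differs
# between krb5 releases, so both the display names and the kdc.conf-style
# names are matched.

enctype_status() {
    printf '%s\n' "$1" | awk '
        /^Key: / {
            k = tolower($0)
            if (k ~ /des3|triple des/)                        have["des3"] = 1
            else if (k ~ /arcfour|rc4/)                       have["rc4"] = 1
            else if (k ~ /des cbc mode with crc|des-cbc-crc/) have["des-cbc-crc"] = 1
        }
        END {
            # des-cbc-crc is listed first: the guide recommends always keeping it
            n = split("des-cbc-crc des3 rc4", want, " ")
            for (i = 1; i <= n; i++) {
                if (want[i] in have) state = "present"; else state = "missing"
                printf "%s %s\n", want[i], state
            }
        }'
}

# Constructed sample of getprinc output (1.2-era wording) for a service
# principal that has single-DES and triple-DES keys but no RC4 key yet.
SAMPLE_GETPRINC='Principal: host/trillium.mit.edu@ATHENA.MIT.EDU
Number of keys: 2
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Policy: [none]'

# Live use on a KDC: enctype_status "$(kadmin.local -q "getprinc host/FQDN")"
enctype_status "$SAMPLE_GETPRINC"
```

For the sample above the function prints `des-cbc-crc present', `des3 present' and `rc4 missing', so an RC4 key should only be added once the host's application server software has been updated.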
272
File: krb5-install.info, Node: Bug Reports for Kerberos V5, Next: Copyright, Prev: Upgrading Existing Kerberos V5 Installations, Up: Top

Bug Reports for Kerberos V5
***************************

In any complex software, there will be bugs. If you have successfully
built and installed Kerberos V5, please use the `krb5-send-pr' program
to fill out a Problem Report should you encounter any errors in our

Bug reports that include proposed fixes are especially welcome. If you
do include fixes, please send them using either context diffs or unified
diffs (using `diff -c' or `diff -u', respectively). Please be careful
when using "cut and paste" or other such means to copy a patch into a
bug report; depending on the system being used, that can result in
converting TAB characters into spaces, which makes applying the patches

The `krb5-send-pr' program is installed in the directory

The `krb5-send-pr' program enters the problem report into our Problem
Report Management System (PRMS), which automatically assigns it to the
engineer best able to help you with problems in the assigned category.

The `krb5-send-pr' program will try to intelligently fill in as many
fields as it can. You need to choose the "category", "class",
"severity", and "priority" of the problem, as well as giving us as much
information as you can about its exact nature.

The PR category will be one of:

     krb5-admin krb5-appl krb5-build krb5-clients
     krb5-doc krb5-kdc krb5-libs krb5-misc

Choose the category that best describes the area under which your

The class can be "sw-bug", "doc-bug", "change-request", or "support".
The first two are exactly as their names imply. Use change-request
when the software is behaving according to specifications, but you want
to request changes in some feature or behavior. The support class is
intended for more general questions about building or using Kerberos V5.

The severity of the problem indicates the problem's impact on the
usability of Kerberos V5. If a problem is "critical", that means the
product, component or concept is completely non-operational, or some
essential functionality is missing, and no workaround is known. A
"serious" problem is one in which the product, component or concept is
not working properly or significant functionality is missing. Problems
that would otherwise be considered critical are rated serious when a
workaround is known. A "non-critical" problem is one that is indeed a
problem, but one that is having a minimal effect on your ability to use
Kerberos V5. E.g., the product, component or concept is working in
general, but lacks features, has irritating behavior, does something
wrong, or doesn't match its documentation. The default severity is

The priority indicates how urgent this particular problem is in
relation to your work. Note that low priority does not imply low
importance. A priority of "high" means a solution is needed as soon as
possible. A priority of "medium" means the problem should be solved no
later than the next release. A priority of "low" means the problem
should be solved in a future release, but it is not important to your
work how soon this happens. The default priority is medium.

Note that a given severity does not necessarily imply a given priority.
For example, a non-critical problem might still have a high priority if
you are faced with a hard deadline. Conversely, a serious problem might
have a low priority if the feature it is disabling is one that you do

It is important that you fill in the release field and tell us what
changes you have made, if any.

A sample filled-out form from a company named "Toasters, Inc." might

     To: krb5-bugs@mit.edu
     Subject: misspelled "Kerberos" in title of installation guide
     X-send-pr-version: 3.99

     >Originator: Jeffrey C. Gilman Bigler
     >Synopsis: Misspelled "Kerberos" in title of installation guide
     >Severity: non-critical
     >Release: 1.0-development
     <machine, os, target, libraries (multiple lines)>
     System: ULTRIX imbrium 4.2 0 RISC
     Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"
     Correct the spelling.

If the `krb5-send-pr' program does not work for you, or if you did not
get far enough in the process to have an installed and working
`krb5-send-pr', you can generate your own form, using the above as an