1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Application servers — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '1.12.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
<link rel="up" title="For administrators" href="index.html" />
<link rel="next" title="Host configuration" href="host_config.html" />
<link rel="prev" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
</head>
<body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
accesskey="P">previous</a> |
<a href="host_config.html" title="Host configuration"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="application-servers">
<h1>Application servers<a class="headerlink" href="#application-servers" title="Permalink to this headline">¶</a></h1>
<p>If you need to install the Kerberos V5 programs on an application
server, please refer to the Kerberos V5 Installation Guide. Once you
have installed the software, you need to add that host to the Kerberos
database (see <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>), and generate a keytab for
that host, that contains the host’s key. You also need to make sure
the host’s clock is within your maximum clock skew of the KDCs.</p>
<div class="section" id="keytabs">
<h2>Keytabs<a class="headerlink" href="#keytabs" title="Permalink to this headline">¶</a></h2>
<p>A keytab is a host’s copy of its own keylist, which is analogous to a
user’s password. An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key. Just as it is important for users to protect their
passwords, it is equally important for hosts to protect their keytabs.
You should always store keytab files on local disk, and make them
readable only by root, and you should never send a keytab file over a
network in the clear. Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>
command to extract a keytab on the host on which the keytab is to
reside.</p>
<div class="section" id="adding-principals-to-keytabs">
<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Permalink to this headline">¶</a></h3>
<p>To generate a keytab, or to add a principal to an existing keytab, use
the <strong>ktadd</strong> command from kadmin.</p>
</div>
<div class="section" id="ktadd">
<h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><div class="line-block">
<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div>
</div>
</div></blockquote>
<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
keytab file. Each principal’s keys are randomized in the process.
The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
command.</p>
<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p>
<p>The options are:</p>
<dl class="docutils">
<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
used.</dd>
<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
<dd>Uses the specified keysalt list for setting the new keys of the
principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
list of possible values.</dd>
<dt><strong>-q</strong></dt>
<dd>Display less verbose information.</dd>
<dt><strong>-norandkey</strong></dt>
<dd>Do not randomize the keys. The keys and their version numbers stay
unchanged. This option is only available in kadmin.local, and
cannot be specified in combination with the <strong>-e</strong> option.</dd>
</dl>
<p>An entry for each of the principal’s unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.</p>
<p>Example:</p>
<blockquote>
<div><div class="highlight-python"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
encryption type aes256-cts-hmac-sha1-96 added to keytab
FILE:/tmp/foo-new-keytab
kadmin:</pre>
</div>
</div></blockquote>
<div class="section" id="examples">
<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4>
<p>Here is a sample session, using configuration files that enable only
AES encryption:</p>
<div class="highlight-python"><pre>kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
kadmin:</pre>
</div>
</div>
</div>
<div class="section" id="removing-principals-from-keytabs">
<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Permalink to this headline">¶</a></h3>
<p>To remove a principal from an existing keytab, use the kadmin
<strong>ktremove</strong> command.</p>
</div>
<div class="section" id="ktremove">
<h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote>
<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
no permissions, since this does not require database access.</p>
<p>If the string “all” is specified, all entries for that principal are
removed; if the string “old” is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.</p>
<p>The options are:</p>
<dl class="docutils">
<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
used.</dd>
<dt><strong>-q</strong></dt>
<dd>Display less verbose information.</dd>
</dl>
<p>Example:</p>
<blockquote>
<div><div class="highlight-python"><pre>kadmin: ktremove kadmin/admin all
Entry for principal kadmin/admin with kvno 3 removed from keytab
FILE:/etc/krb5.keytab
kadmin:</pre>
</div>
</div></blockquote>
</div>
</div>
<div class="section" id="clock-skew">
<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Permalink to this headline">¶</a></h2>
<p>A Kerberos application server host must keep its clock synchronized or
it will reject authentication requests from clients. Modern operating
systems typically provide a facility to maintain the correct time;
make sure it is enabled. This is especially important on virtual
machines, where clocks tend to drift more rapidly than normal machine
clocks.</p>
<p>The default allowable clock skew is controlled by the <strong>clockskew</strong>
variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</p>
</div>
<div class="section" id="getting-dns-information-correct">
<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Permalink to this headline">¶</a></h2>
<p>Several aspects of Kerberos rely on name service. When a hostname is
used to name a service, the Kerberos library canonicalizes the
hostname using forward and reverse name resolution. (The reverse name
resolution step can be turned off using the <strong>rdns</strong> variable in
<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.) The result of this canonicalization must match
the principal entry in the host’s keytab, or authentication will fail.</p>
<p>Each host’s canonical name must be the fully-qualified host name
(including the domain), and each host’s IP address must
reverse-resolve to the canonical name.</p>
<p>Configuration of hostnames varies by operating system. On the
application server itself, canonicalization will typically use the
<tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file rather than the DNS. Ensure that the line for the
server’s hostname is in the following form:</p>
<div class="highlight-python"><pre>IP address fully-qualified hostname aliases</pre>
</div>
<p>Here is a sample <tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file:</p>
<div class="highlight-python"><pre># this is a comment
127.0.0.1 localhost localhost.mit.edu
10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin</pre>
</div>
<p>The output of <tt class="docutils literal"><span class="pre">klist</span> <span class="pre">-k</span></tt> for this example host should look like:</p>
<div class="highlight-python"><pre>viola# klist -k
Keytab name: /etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
2 host/daffodil.mit.edu@ATHENA.MIT.EDU</pre>
</div>
<p>If you were to ssh to this host with a fresh credentials cache (ticket
file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, the output should list a service
principal of <tt class="docutils literal"><span class="pre">host/daffodil.mit.edu@ATHENA.MIT.EDU</span></tt>.</p>
</div>
<div class="section" id="configuring-your-firewall-to-work-with-kerberos-v5">
<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Permalink to this headline">¶</a></h2>
<p>If you need off-site users to be able to get Kerberos tickets in your
realm, they must be able to get to your KDC. This requires either
that you have a slave KDC outside your firewall, or that you configure
your firewall to allow UDP requests into at least one of your KDCs, on
whichever port the KDC is running. (The default is port 88; other
ports may be specified in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.)
Similarly, if you need off-site users to be able to change their
passwords in your realm, they must be able to get to your Kerberos
admin server on the kpasswd port (which defaults to 464). If you need
off-site users to be able to administer your Kerberos realm, they must
be able to get to your Kerberos admin server on the administrative
port (which defaults to 749).</p>
<p>If your on-site users inside your firewall will need to get to KDCs in
other realms, you will also need to configure your firewall to allow
outgoing TCP and UDP requests to port 88, and to port 464 to allow
password changes. If your on-site users inside your firewall will
need to get to Kerberos admin servers in other realms, you will also
need to allow outgoing TCP and UDP requests to port 749.</p>
<p>If any of your KDCs are outside your firewall, you will need to allow
kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> uses
the <tt class="docutils literal"><span class="pre">krb5_prop</span></tt> service on port 754 (tcp).</p>
<p>The book <em>UNIX System Security</em>, by David Curry, is a good starting
point for learning to configure firewalls.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">Application servers</a><ul>
<li><a class="reference internal" href="#keytabs">Keytabs</a><ul>
<li><a class="reference internal" href="#adding-principals-to-keytabs">Adding principals to keytabs</a></li>
<li><a class="reference internal" href="#ktadd">ktadd</a><ul>
<li><a class="reference internal" href="#examples">Examples</a></li>
</ul>
</li>
<li><a class="reference internal" href="#removing-principals-from-keytabs">Removing principals from keytabs</a></li>
<li><a class="reference internal" href="#ktremove">ktremove</a></li>
</ul>
</li>
<li><a class="reference internal" href="#clock-skew">Clock Skew</a></li>
<li><a class="reference internal" href="#getting-dns-information-correct">Getting DNS information correct</a></li>
<li><a class="reference internal" href="#configuring-your-firewall-to-work-with-kerberos-v5">Configuring your firewall to work with Kerberos V5</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="">Application servers</a><ul class="simple">
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.12.1</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2013, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
>previous</a> |
<a href="host_config.html" title="Host configuration"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
</div>
</div>
</div>
</body>
</html>
|
