File: README.KDC

package info (click to toggle)
krb5 1.4.4-7etch1
  • links: PTS
  • area: main
  • in suites: etch-m68k
  • size: 49,200 kB
  • ctags: 25,837
  • sloc: ansic: 270,278; exp: 21,157; makefile: 10,635; sh: 6,403; yacc: 2,515; perl: 1,925; cpp: 743; awk: 449; python: 379; asm: 248; lex: 190; sed: 172; csh: 147
file content (44 lines) | stat: -rw-r--r-- 2,574 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 
                     Running a Debian Kerberos Realm

You will want to install the krb5-kdc and krb5-admin-server on your master
KDC and at least krb5-kdc on any slave KDCs you have.  You may wish to
install krb5-admin-server on slaves in case you need them to become the
master KDC in a hurry, but in this case you may want to configure
krb5-admin-server to not start unless started manually.  Otherwise,
clients may change their password on a slave server, a change that will
then be overwritten silently later and may cause user confusion.  (This
can only happen if the client is misconfigured to use a slave server as
the admin server, but sometimes this happens.)

krb5-kdc adds a commented-out line for kpropd to /etc/inetd.conf.  You
will want to uncomment this on slave KDCs so that they can receive updates
from the master, but leave it commented out on the master.

You should look at the KDC configuration file (/etc/krb5kdc/kdc.conf) and
adjust the parameters appropriately.  If you expect to be using a lot of
Kerberos4 services, you should either remove +preauth from the default
principal flags or select full krb4 support when prompted by debconf.
(You can run dpkg-reconfigure on krb5-kdc to see this prompt again.)  If
you remove +preauth from the flags, principals will by default not require
preauthentication.  This is less secure since it opens you to offline
dictionary attacks, but this level of security is what people have been
suffering with throughout the lifetime of Kerberos4.  You can turn on
requires_preauth for specific high-security principals in kadmin.  If you
simply select full krb4 support, then Kerberos5 clients will require
preauthentication, but all principals will be accepted for Kerberos4.
This has a similar vulnerability to dictionary attacks and cannot be
overridden by setting requires_preauth selectively.

By default principals are created with both DES and 3DES keys.  This means
that if you ever decide at some point in the future that you no longer
have any DES services, you can get the full security benefits of 3DES by
dropping it from supported_enctypes in /etc/krb5kdc/kdc.conf and from
permitted_enctypes in /etc/krb5.conf.  Note however, that for some
services, like AFS and Zephyr, you may need to only create single DES
keys.  You might do this by for example:

    kadmin.local -e des-cbc-crc:normal -q "ktadd afs/ATHENA.MIT.EDU"

You will probably want to create /etc/krb5kdc/kadm5.acl to include a list
of users who are authorized to run kadmin in your realm.  The kadmind
documentation provides examples.