<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Application servers — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
<script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/language_data.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="next" title="Host configuration" href="host_config.html" />
<link rel="prev" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
</head><body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
accesskey="P">previous</a> |
<a href="host_config.html" title="Host configuration"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="application-servers">
<h1>Application servers<a class="headerlink" href="#application-servers" title="Permalink to this headline">¶</a></h1>
<p>If you need to install the Kerberos V5 programs on an application
server, please refer to the Kerberos V5 Installation Guide. Once you
have installed the software, you need to add that host to the Kerberos
database (see <a class="reference internal" href="database.html#add-mod-del-princs"><span class="std std-ref">Adding, modifying and deleting principals</span></a>), and generate a keytab for
that host, that contains the host’s key. You also need to make sure
the host’s clock is within your maximum clock skew of the KDCs.</p>
<div class="section" id="keytabs">
<h2>Keytabs<a class="headerlink" href="#keytabs" title="Permalink to this headline">¶</a></h2>
<p>A keytab is a host’s copy of its own keylist, which is analogous to a
user’s password. An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key. Just as it is important for users to protect their
passwords, it is equally important for hosts to protect their keytabs.
You should always store keytab files on local disk, and make them
readable only by root, and you should never send a keytab file over a
network in the clear. Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>
command to extract a keytab on the host on which the keytab is to
reside.</p>
<div class="section" id="adding-principals-to-keytabs">
<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Permalink to this headline">¶</a></h3>
<p>To generate a keytab, or to add a principal to an existing keytab, use
the <strong>ktadd</strong> command from kadmin.</p>
</div>
<div class="section" id="ktadd">
<h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><div class="line-block">
<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div>
</div>
</div></blockquote>
<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
keytab file. Each principal’s keys are randomized in the process.
The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
command.</p>
<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p>
<p>The options are:</p>
<dl class="docutils">
<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
used.</dd>
<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt>
<dd>Uses the specified keysalt list for setting the new keys of the
principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
list of possible values.</dd>
<dt><strong>-q</strong></dt>
<dd>Display less verbose information.</dd>
<dt><strong>-norandkey</strong></dt>
<dd>Do not randomize the keys. The keys and their version numbers stay
unchanged. This option cannot be specified in combination with the
<strong>-e</strong> option.</dd>
</dl>
<p>An entry for each of the principal’s unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.</p>
<p>Example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span>
<span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span>
<span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span>
<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
<div class="section" id="examples">
<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4>
<p>Here is a sample session, using configuration files that enable only
AES encryption:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="removing-principals-from-keytabs">
<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Permalink to this headline">¶</a></h3>
<p>To remove a principal from an existing keytab, use the kadmin
<strong>ktremove</strong> command.</p>
</div>
<div class="section" id="ktremove">
<h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote>
<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
no permissions, since this does not require database access.</p>
<p>If the string “all” is specified, all entries for that principal are
removed; if the string “old” is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.</p>
<p>The options are:</p>
<dl class="docutils">
<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
used.</dd>
<dt><strong>-q</strong></dt>
<dd>Display less verbose information.</dd>
</dl>
<p>Example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="nb">all</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span>
<span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="clock-skew">
<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Permalink to this headline">¶</a></h2>
<p>A Kerberos application server host must keep its clock synchronized or
it will reject authentication requests from clients. Modern operating
systems typically provide a facility to maintain the correct time;
make sure it is enabled. This is especially important on virtual
machines, where clocks tend to drift more rapidly than normal machine
clocks.</p>
<p>The default allowable clock skew is controlled by the <strong>clockskew</strong>
variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
</div>
<div class="section" id="getting-dns-information-correct">
<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Permalink to this headline">¶</a></h2>
<p>Several aspects of Kerberos rely on name service. When a hostname is
used to name a service, the Kerberos library canonicalizes the
hostname using forward and reverse name resolution. (The reverse name
resolution step can be turned off using the <strong>rdns</strong> variable in
<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.) The result of this canonicalization must match
the principal entry in the host’s keytab, or authentication will fail.</p>
<p>Each host’s canonical name must be the fully-qualified host name
(including the domain), and each host’s IP address must
reverse-resolve to the canonical name.</p>
<p>Configuration of hostnames varies by operating system. On the
application server itself, canonicalization will typically use the
<code class="docutils literal notranslate"><span class="pre">/etc/hosts</span></code> file rather than the DNS. Ensure that the line for the
server’s hostname is in the following form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">IP</span> <span class="n">address</span> <span class="n">fully</span><span class="o">-</span><span class="n">qualified</span> <span class="n">hostname</span> <span class="n">aliases</span>
</pre></div>
</div>
<p>Here is a sample <code class="docutils literal notranslate"><span class="pre">/etc/hosts</span></code> file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># this is a comment</span>
<span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span> <span class="n">localhost</span> <span class="n">localhost</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
<span class="mf">10.0</span><span class="o">.</span><span class="mf">0.6</span> <span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">daffodil</span> <span class="n">trillium</span> <span class="n">wake</span><span class="o">-</span><span class="n">robin</span>
</pre></div>
</div>
<p>The output of <code class="docutils literal notranslate"><span class="pre">klist</span> <span class="pre">-k</span></code> for this example host should look like:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">viola</span><span class="c1"># klist -k</span>
<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
<span class="n">KVNO</span> <span class="n">Principal</span>
<span class="o">----</span> <span class="o">------------------------------------------------------------</span>
<span class="mi">2</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
</pre></div>
</div>
<p>If you were to ssh to this host with a fresh credentials cache (ticket
file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, the output should list a service
principal of <code class="docutils literal notranslate"><span class="pre">host/daffodil.mit.edu@ATHENA.MIT.EDU</span></code>.</p>
</div>
<div class="section" id="configuring-your-firewall-to-work-with-kerberos-v5">
<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Permalink to this headline">¶</a></h2>
<p>If you need off-site users to be able to get Kerberos tickets in your
realm, they must be able to get to your KDC. This requires either
that you have a replica KDC outside your firewall, or that you
configure your firewall to allow UDP requests into at least one of
your KDCs, on whichever port the KDC is running. (The default is port
88; other ports may be specified in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>
file.) Similarly, if you need off-site users to be able to change
their passwords in your realm, they must be able to get to your
Kerberos admin server on the kpasswd port (which defaults to 464). If
you need off-site users to be able to administer your Kerberos realm,
they must be able to get to your Kerberos admin server on the
administrative port (which defaults to 749).</p>
<p>If your on-site users inside your firewall will need to get to KDCs in
other realms, you will also need to configure your firewall to allow
outgoing TCP and UDP requests to port 88, and to port 464 to allow
password changes. If your on-site users inside your firewall will
need to get to Kerberos admin servers in other realms, you will also
need to allow outgoing TCP and UDP requests to port 749.</p>
<p>If any of your KDCs are outside your firewall, you will need to allow
kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> uses
the <code class="docutils literal notranslate"><span class="pre">krb5_prop</span></code> service on port 754 (tcp).</p>
<p>The book <em>UNIX System Security</em>, by David Curry, is a good starting
point for learning to configure firewalls.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">Application servers</a><ul>
<li><a class="reference internal" href="#keytabs">Keytabs</a><ul>
<li><a class="reference internal" href="#adding-principals-to-keytabs">Adding principals to keytabs</a></li>
<li><a class="reference internal" href="#ktadd">ktadd</a><ul>
<li><a class="reference internal" href="#examples">Examples</a></li>
</ul>
</li>
<li><a class="reference internal" href="#removing-principals-from-keytabs">Removing principals from keytabs</a></li>
<li><a class="reference internal" href="#ktremove">ktremove</a></li>
</ul>
</li>
<li><a class="reference internal" href="#clock-skew">Clock Skew</a></li>
<li><a class="reference internal" href="#getting-dns-information-correct">Getting DNS information correct</a></li>
<li><a class="reference internal" href="#configuring-your-firewall-to-work-with-kerberos-v5">Configuring your firewall to work with Kerberos V5</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.17</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2019, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
>previous</a> |
<a href="host_config.html" title="Host configuration"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
</div>
</div>
</div>
</body>
</html>
distrib
>
Mageia
>
7
>
armv7hl
>
media
>
core-updates
>
by-pkgid
>
1bc48f41aa3133e7c600817581bc4c91
>
files
>
79
