<HTML>
<HEAD>
<!-- Created by texi2html 1.56k from install.texinfo on 28 February 2001 -->
<TITLE>Kerberos V5 Installation Guide</TITLE>
</HEAD>
<BODY>
<H1>Kerberos V5 Installation Guide</H1>
<H2>Release: 1.2</H2>
<H2>Document Edition: 1.1</H2>
<H2>Last updated: @today</H2>
<ADDRESS>MIT</ADDRESS>
<P>
<P><HR><P>
<H1><A NAME="SEC1" HREF="install_toc.html#TOC1">Copyright</A></H1>
<P>
Copyright (C) 1985-2000 by the Massachusetts Institute of Technology.
<BLOCKQUOTE>
<P>
Export of software employing encryption from the United States of
America may require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
</BLOCKQUOTE>
<P>
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. Furthermore if you
modify this software you must label your software as modified software
and not distribute it in such a fashion that it might be confused with
the original MIT software. M.I.T. makes no representations about the
suitability of this software for any purpose. It is provided "as is"
without express or implied warranty.
<P>
@hrule
<P>
The following copyright and permission notice applies to the OpenVision
Kerberos Administration system located in kadmin/create, kadmin/dbutil,
kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:
<BLOCKQUOTE>
<P>
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source
code, as described below, indicates your acceptance of the following
terms. If you do not agree to the following terms, do not retrieve the
OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source Code is
provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT
LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,
LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR
FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS
AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE
OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR
ANY OTHER REASON.
<P>
OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
donated Source Code.
OpenVision Technologies, Inc. has donated this Kerberos Administration
system to MIT for inclusion in the standard Kerberos 5 distribution.
This donation underscores our commitment to continuing Kerberos
technology development and our gratitude for the valuable work which has
been performed by MIT and the Kerberos community.
</BLOCKQUOTE>
<P>
@hrule
<P>
Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:
<P>
Copyright (C) 1983 Regents of the University of California.<BR>
All rights reserved.
<P>
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
<OL>
<LI>
Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<LI>
Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<LI>
All advertising materials mentioning features or use of this software
must display the following acknowledgement:
<BLOCKQUOTE>
<P>
This product includes software developed by the University of
California, Berkeley and its contributors.
</BLOCKQUOTE>
<LI>
Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
</OL>
<P>
@hrule
<P>
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notices and this permission notice are
preserved on all copies.
<P>
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
<P>
Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.
@pagealignmacro
<H1><A NAME="SEC2" HREF="install_toc.html#TOC2">Introduction</A></H1>
<H2><A NAME="SEC3" HREF="install_toc.html#TOC3">What is Kerberos and How Does it Work?</A></H2>
<P>
Kerberos V5 is based on the Kerberos authentication system developed
at MIT. Under Kerberos, a client (generally either a user or a service)
sends a request for a ticket to the Key Distribution Center (KDC). The
KDC creates a <EM>ticket-granting ticket</EM> (TGT) for the client,
encrypts it using the client's password as the key, and sends the
encrypted TGT back to the client. The client then attempts to decrypt
the TGT, using its password. If the client successfully decrypts the
TGT (<I>i.e.</I>, if the client gave the correct password), it keeps the
decrypted TGT, which indicates proof of the client's identity.
<P>
The TGT, which expires at a specified time, permits the client to obtain
additional tickets, which give permission for specific services. The
requesting and granting of these additional tickets is user-transparent.
<H2><A NAME="SEC4" HREF="install_toc.html#TOC4">Why Should I use Kerberos?</A></H2>
<P>
Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the Internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on. Since studies have shown that half of the computer
security breaches in industry happen from <I>inside</I> firewalls,
Kerberos V5 from MIT will play a vital role in the
security of your network.
<P>
This document is one piece of the document set for Kerberos V5. The
documents, and their intended audiences, are:
<UL>
<LI>
<B>Kerberos V5 Installation Guide</B>: a concise guide for installing
Kerberos V5. Kerberos administrators (particularly whoever will be
making site-wide decisions about the installation) and the system
administrators who will be installing the software should read this
guide.
<LI>
<B>Kerberos V5 System Administrator's Guide</B>: a sysadmin's guide to
administering a Kerberos installation. The System Administrator's Guide
describes the administration software and suggests policies and
procedures for administering a Kerberos installation. Anyone who will
have administrative access to your Kerberos database should read this
guide.
<LI>
<B>Kerberos V5 UNIX User's Guide</B>: a guide to using the Kerberos
UNIX client programs. All users on UNIX systems should read this guide,
particularly the "Tutorial" section.
</UL>
<H2><A NAME="SEC5" HREF="install_toc.html#TOC5">Please Read the Documentation</A></H2>
<P>
As with any software package that uses a centrallized database, the
installation procedure is somewhat involved, and requires forethought
and planning. MIT has attempted to make this
Kerberos V5 Installation Guide as concise as possible, rather than
making it an exhaustive description of the details of Kerberos.
Consequently, everything in this guide appears because MIT
believes that it is important. Please read and follow these
instructions carefully.
<H2><A NAME="SEC6" HREF="install_toc.html#TOC6">Overview of This Guide</A></H2>
<P>
The next chapter describes the decisions you need to make before
installing Kerberos V5.
<P>
Chapter four describes installation procedures for each class of
Kerberos machines:
<OL>
<LI>
Key Distribution Centers (KDCs).
<OL>
<LI>
The Master KDC.
<LI>
Slave KDCs.
</OL>
<LI>
UNIX client machines
<LI>
UNIX application server machines
</OL>
<P>
Note that a machine can be both a client machine and an application
server.
<P>
Chapter five describes procedure for updating previous installations of
Kerberos V5.
<P>
Chapter six describes our problem reporting system.
<P>
The appendices give sample configuration files.
<H1><A NAME="SEC7" HREF="install_toc.html#TOC7">Realm Configuration Decisions</A></H1>
<P>
Before installing Kerberos V5, it is necessary to consider the
following issues:
<UL>
<LI>
The name of your Kerberos realm (or the name of each realm, if you need
more than one).
<LI>
How you will map your hostnames onto Kerberos realms.
<LI>
Which ports your KDC and and kadmin (database access) services will use.
<LI>
How many slave KDCs you need and where they should be located.
<LI>
The hostnames of your master and slave KDCs.
<LI>
How frequently you will propagate the database from the master KDC to
the slave KDCs.
<LI>
Whether you need backward compatibility with Kerberos V4.
</UL>
<H2><A NAME="SEC8" HREF="install_toc.html#TOC8">Kerberos Realms</A></H2>
<P>
Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters. For
example, hosts in the domain fubar.org would be in the
Kerberos realm FUBAR.ORG.
<P>
If you need multiple Kerberos realms, MIT recommends that
you use descriptive names which end with your domain name, such as
BOSTON.FUBAR.ORG and HOUSTON.FUBAR.ORG.
<H2><A NAME="SEC9" HREF="install_toc.html#TOC9">Mapping Hostnames onto Kerberos Realms</A></H2>
<P>
Mapping hostnames onto Kerberos realms is done in one of two ways.
<P>
The first mechanism, which has been in use for years in MIT-based
Kerberos distributions, works through a set of rules in
the <CODE>krb5.conf</CODE> configuration file. (See section <A HREF="install.html#SEC72">krb5.conf</A>.) You can
specify mappings for an entire domain or subdomain, and/or on a
hostname-by-hostname basis. Since greater specificity takes precedence,
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.
<P>
The Kerberos V5 System Administrator's Guide contains a thorough
description of the parts of the <CODE>krb5.conf</CODE> file and what may be
specified in each. A sample <CODE>krb5.conf</CODE> file appears in
section <A HREF="install.html#SEC72">krb5.conf</A>. You should be able to use this file, substituting the
relevant information for your Kerberos installation for the samples.
<P>
The second mechanism, recently introduced into the MIT code base but not
currently used by default, works by looking up the information in
special <CODE>TXT</CODE> records in the Domain Name Service. If this
mechanism is enabled on the client, it will try to look up a <CODE>TXT</CODE>
record for the DNS name formed by putting the prefix <CODE>_kerberos</CODE> in
front of the hostname in question. If that record is not found, it will
try using <CODE>_kerberos</CODE> and the host's domain name, then its parent
domain, and so forth. So for the hostname
BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
<PRE>
_kerberos.boston.engineering.foobar.com
_kerberos.engineering.foobar.com
_kerberos.foobar.com
_kerberos.com
</PRE>
<P>
The value of the first TXT record found is taken as the realm name.
(Obviously, this doesn't work all that well if a host and a subdomain
have the same name, and different realms. For example, if all the hosts
in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
another realm. In that case, you would set up TXT records for all
hosts, rather than relying on the fallback to the domain name.)
<P>
Even if you do not choose to use this mechanism within your site, you
may wish to set up anyways, for use when interacting with other sites.
<H2><A NAME="SEC10" HREF="install_toc.html#TOC10">Ports for the KDC and Admin Services</A></H2>
<P>
The default ports used by Kerberos are port 88 for the
KDC<A NAME="DOCF1" HREF="install_foot.html#FOOT1">(1)</A> and port 749 for the admin
server. You can, however, choose to run on other ports, as long as they
are specified in each host's <CODE>/etc/services</CODE> and <CODE>krb5.conf</CODE>
files, and the <CODE>kdc.conf</CODE> file on each KDC. For a more thorough
treatment of port numbers used by the Kerberos V5 programs, refer to
the "Configuring Your Firewall to Work With Kerberos V5" section
of the <CITE>Kerberos V5 System Administrator's Guide</CITE>.
<H2><A NAME="SEC11" HREF="install_toc.html#TOC11">Slave KDCs</A></H2>
<P>
Slave KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the master KDC. The number
of slave KDCs you need and the decision of where to place them, both
physically and logically, depends on the specifics of your network.
<P>
All of the Kerberos authentication on your network requires that each
client be able to contact a KDC. Therefore, you need to anticipate any
likely reason a KDC might be unavailable and have a slave KDC to take up
the slack.
<P>
Some considerations include:
<UL>
<LI>
Have at least one slave KDC as a backup, for when the master KDC is
down, is being upgraded, or is otherwise unavailable.
<LI>
If your network is split such that a network outage is likely to cause a
network partition (some segment or segments of the network to become cut
off or isolated from other segments), have a slave KDC accessible to
each segment.
<LI>
If possible, have at least one slave KDC in a different building from
the master, in case of power outages, fires, or other localized
disasters.
</UL>
<H2><A NAME="SEC12" HREF="install_toc.html#TOC12">Hostnames for the Master and Slave KDCs</A></H2>
<P>
MIT recommends that your KDCs have a predefined set of
CNAME records (DNS hostname aliases), such as <CODE>kerberos</CODE>
for the master KDC and
<CODE>kerberos-1</CODE>, <CODE>kerberos-2</CODE>, ... for the
slave KDCs. This way, if you need to swap a machine, you only need to
change a DNS entry, rather than having to change hostnames.
<P>
A new mechanism for locating KDCs of a realm through DNS has been added
to the MIT Kerberos V5 distribution. A relatively new
record type called <CODE>SRV</CODE> has been added to DNS. Looked up by a
service name and a domain name, these records indicate the hostname and
port number to contact for that service, optionally with weighting and
prioritization. (See RFC 2782 if you want more information. You can
follow the example below for straightforward cases.)
<P>
The use with Kerberos is fairly straightforward. The domain name used
in the SRV record name is the domain-style Kerberos realm name. (It is
possible to have Kerberos realm names that are not DNS-style names, but
we don't recommend it for Internet use, and our code does not support it
well.) Several different Kerberos-related service names are used:
<DL COMPACT>
<DT><CODE>_kerberos._udp</CODE>
<DD>
This is for contacting any KDC. This entry will be used the most often.
Normally you should list ports 88 and 750 on each of your KDCs.
<DT><CODE>_kerberos-master._udp</CODE>
<DD>
This entry should refer to those KDCs, if any, that will immediately see
password changes to the Kerberos database. This entry is used only in
one case, when the user is logging in and the password appears to be
incorrect; the master KDC is then contacted, and the same password used
to try to decrypt the response, in case the user's password had recently
been changed and the first KDC contacted hadn't been updated. Only if
that fails is an "incorrect password" error given.
If you have only one KDC, or for whatever reason there is no accessible
KDC that would get database changes faster than the others, you do not
need to define this entry.
<DT><CODE>_kerberos-adm._tcp</CODE>
<DD>
This should list port 749 on your master KDC. Support for it is not
complete at this time, but it will eventually be used by the
<CODE>kadmin</CODE> program and related utilities. For now, you will also
need the <CODE>admin_server</CODE> entry in <CODE>krb5.conf</CODE>.
<DT><CODE>_kpasswd._udp</CODE>
<DD>
This should list port 464 on your master KDC. It is used when a user
changes her password.
</DL>
<P>
Be aware, however, that the DNS SRV specification requires that the
hostnames listed be the canonical names, not aliases. So, for example,
you might include the following records in your (BIND-style) zone file:
<PRE>
$ORIGIN foobar.com.
_kerberos TXT "FOOBAR.COM"
kerberos CNAME daisy
kerberos-1 CNAME use-the-force-luke
kerberos-2 CNAME bunny-rabbit
_kerberos._udp SRV 0 0 88 daisy
SRV 0 0 88 use-the-force-luke
SRV 0 0 88 bunny-rabbit
_kerberos-master._udp SRV 0 0 88 daisy
_kerberos-adm._tcp SRV 0 0 749 daisy
_kpasswd._udp SRV 0 0 464 daisy
</PRE>
<P>
As with the DNS-based mechanism for determining the Kerberos realm of a
host, we recommend distributing the information this way for use by
other sites that may want to interact with yours using Kerberos, even if
you don't immediately make use of it within your own site. If you
anticipate installing a very large number of machines on which it will
be hard to update the Kerberos configuration files, you may wish to do
all of your Kerberos service lookups via DNS and not put the information
(except for <CODE>admin_server</CODE> as noted above) in future versions of
your <CODE>krb5.conf</CODE> files at all. Eventually, we hope to phase out
the listing of server hostnames in the client-side configuration files;
making preparations now will make the transition easier in the future.
<H2><A NAME="SEC13" HREF="install_toc.html#TOC13">Database Propagation</A></H2>
<P>
The Kerberos database resides on the master KDC, and must be propagated
regularly (usually by a cron job) to the slave KDCs. In deciding how
frequently the propagation should happen, you will need to balance the
amount of time the propagation takes against the maximum reasonable
amount of time a user should have to wait for a password change to take
effect.
<P>
If the propagation time is longer than this maximum reasonable time
(<I>e.g.,</I> you have a particularly large database, you have a lot of
slaves, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel. To do this, have the master KDC propagate the database to one
set of slaves, and then have each of these slaves propagate the database
to additional slaves.
<H1><A NAME="SEC14" HREF="install_toc.html#TOC14">Building Kerberos V5</A></H1>
<P>
Starting with the Beta 4 distribution, we are using a new configuration
system, which was built using the Free Software Foundation's
<SAMP>`autoconf'</SAMP> program. This system will hopefully make Kerberos V5
much simpler to build and reduce the amount of effort required in
porting Kerberos V5 to a new platform.
<H2><A NAME="SEC15" HREF="install_toc.html#TOC15">Build Requirements</A></H2>
<P>
In order to build Kerberos V5, you will need approximately 60-70
megabytes of disk space. The exact amount will vary depending on the
platform and whether the distribution is compiled with debugging symbol
tables or not.
<P>
If you wish to keep a separate <EM>build tree</EM>, which contains the compiled
<TT>`*.o'</TT> file and executables, separate from your source tree, you
will need a <SAMP>`make'</SAMP> program which supports <SAMP>`VPATH'</SAMP>, or
you will need to use a tool such as <SAMP>`lndir'</SAMP> to produce a symbolic
link tree for your build tree.
<H2><A NAME="SEC16" HREF="install_toc.html#TOC16">Unpacking the Sources</A></H2>
<P>
The first step in each of these build procedures is to unpack the source
distribution. The Kerberos V5 distribution comes in two compressed tar
files. The first file, which is generally named
<TT>`krb5-1.2.src.tar.gz'</TT>, contains the sources for all of Kerberos
except for the crypto library, which is found in the file
<TT>`krb5-1.2.crypto.tar.gz'</TT>.
<P>
Both files should be unpacked in the same directory, such as
<TT>`/u1/krb5-1.2'</TT>. (In the rest of this document, we will assume that
you have chosen to unpack the Kerberos V5 source distribution in this
directory. Note that the tarfiles will by default all unpack into the
<TT>`./krb5-1.2'</TT> directory, so that if your current directory is
<TT>`/u1'</TT> when you unpack the tarfiles, you will get
<TT>`/u1/krb5-1.2/src'</TT>, etc.)
<H2><A NAME="SEC17" HREF="install_toc.html#TOC17">Doing the Build</A></H2>
<P>
You have a number of different options in how to build Kerberos. If you
only need to build Kerberos for one platform, using a single directory
tree which contains both the source files and the object files is the
simplest. However, if you need to maintain Kerberos for a large number
of platforms, you will probably want to use separate build trees for
each platform. We recommend that you look at section <A HREF="install.html#SEC27">Operating System Incompatibilities</A>, for notes that we have on particular operating
systems.
<H3><A NAME="SEC18" HREF="install_toc.html#TOC18">Building Within a Single Tree</A></H3>
<P>
If you don't want separate build trees for each architecture, then
use the following abbreviated procedure.
<OL>
<LI>
<CODE>cd /u1/krb5-1.2/src</CODE>
<LI>
<CODE>./configure</CODE>
<LI>
<CODE>make</CODE>
</OL>
<P>
That's it!
<H3><A NAME="SEC19" HREF="install_toc.html#TOC19">Building with Separate Build Directories</A></H3>
<P>
If you wish to keep separate build directories for each platform, you
can do so using the following procedure. (Note, this requires that your
<SAMP>`make'</SAMP> program support <SAMP>`VPATH'</SAMP>. GNU's make will provide this
functionality, for example.) If your <SAMP>`make'</SAMP> program does not
support this, see the next section.
<P>
For example, if you wish to create a build directory for <CODE>pmax</CODE> binaries
you might use the following procedure:
<OL>
<LI>
<CODE>mkdir /u1/krb5-1.2/pmax</CODE>
<LI>
<CODE>cd /u1/krb5-1.2/pmax</CODE>
<LI>
<CODE>../src/configure</CODE>
<LI>
<CODE>make</CODE>
</OL>
<H3><A NAME="SEC20" HREF="install_toc.html#TOC20">Building Using <SAMP>`lndir'</SAMP></A></H3>
<P>
If you wish to keep separate build directories for each platform, and
you do not have access to a <SAMP>`make'</SAMP> program which supports <SAMP>`VPATH'</SAMP>,
all is not lost. You can use the <SAMP>`lndir'</SAMP> program to create
symbolic link trees in your build directory.
<P>
For example, if you wish to create a build directory for solaris binaries
you might use the following procedure:
<OL>
<LI>
<CODE>mkdir /u1/krb5-1.2/solaris</CODE>
<LI>
<CODE>cd /u1/krb5-1.2/solaris</CODE>
<LI>
<CODE>/u1/krb5-1.2/src/util/lndir `pwd`/../src</CODE>
<LI>
<CODE>./configure</CODE>
<LI>
<CODE>make</CODE>
</OL>
<P>
You must give an absolute pathname to <SAMP>`lndir'</SAMP> because it has a bug that
makes it fail for relative pathnames. Note that this version differs
from the latest version as distributed and installed by the XConsortium
with X11R6. Either version should be acceptable.
<H2><A NAME="SEC21" HREF="install_toc.html#TOC21">Testing the Build</A></H2>
<P>
The Kerberos V5 distribution comes with built-in regression tests. To
run them, simply type the following command while in the top-level build
directory (i.e., the directory where you sent typed <SAMP>`make'</SAMP> to start
building Kerberos; see section <A HREF="install.html#SEC17">Doing the Build</A>.):
<PRE>
% make check
</PRE>
<H3><A NAME="SEC22" HREF="install_toc.html#TOC22">The DejaGnu Tests</A></H3>
<P>
Some of the built-in regression tests are setup to use the DejaGnu
framework for running tests. These tests tend to be more comprehensive
than the normal built-in tests as they setup test servers and test
client/server activities.
<P>
DejaGnu may be found wherever GNU software is archived.
<P>
Most of the tests are setup to run as a non-privledged user. For some
of the krb-root tests to work properly, either (a) the user running the
tests must not have a .k5login file in the home directory or (b) the
.k5login file must contain an entry for <CODE><username>@KRBTEST.COM</CODE>.
There are two series of tests (<SAMP>`rlogind'</SAMP> and <SAMP>`telnetd'</SAMP>) which
require the ability to <SAMP>`rlogin'</SAMP> as root to the local
machine. Admittedly, this does require the use of a <TT>`.rhosts'</TT> file
or some authenticated means. <A NAME="DOCF2" HREF="install_foot.html#FOOT2">(2)</A>
<P>
If you cannot obtain root access to your machine, all the other tests
will still run. Note however, with DejaGnu 1.2, the "untested testcases"
will cause the testsuite to exit with a non-zero exit status which
<SAMP>`make'</SAMP> will consider a failure of the testing process. Do not worry
about this, as these tests are the last run when <SAMP>`make check'</SAMP> is
executed from the top level of the build tree. This problem does not
exist with DejaGnu 1.3.
<H3><A NAME="SEC23" HREF="install_toc.html#TOC23">The KADM5 Tests</A></H3>
<P>
Regression tests for the KADM5 system, including the GSS-RPC, KADM5
client and server libraries, and kpasswd, are also included in this
release. Each set of KADM5 tests is contained in a sub-directory called
<CODE>unit-test</CODE> directly below the system being tested. For example,
lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all
based on DejaGnu (but they are not actually called part of "The DejaGnu
tests," whose naming predates the inclusion of the KADM5 system). In
addition, they require the Tool Command Language (TCL) header files and
libraries to be available during compilation and some of the tests also
require Perl in order to operate. If all of these resources are not
available during configuration, the KADM5 tests will not run. The TCL
installation directory can be specified with the <CODE>--with-tcl</CODE>
configure option. (See See section <A HREF="install.html#SEC24">Options to Configure</A>.) The runtest and
perl programs must be in the current execution path.
<P>
If you install DejaGnu, TCL, or Perl after configuring and building
Kerberos and then want to run the KADM5 tests, you will need to
re-configure the tree and run <CODE>make</CODE> at the top level again to make
sure all the proper programs are built. To save time, you actually only
need to reconfigure and build in the directories src/kadmin/testing,
src/lib/rpc, src/lib/kadm5.
<H2><A NAME="SEC24" HREF="install_toc.html#TOC24">Options to Configure</A></H2>
<P>
There are a number of options to <SAMP>`configure'</SAMP> which you can use to
control how the Kerberos distribution is built. The following table
lists the most commonly used options to Kerberos V5's <SAMP>`configure'</SAMP>
program.
<DL COMPACT>
<DT><CODE>--help</CODE>
<DD>
Provides help to configure. This will list the set of commonly used
options for building Kerberos.
<DT><CODE>--prefix=PREFIX</CODE>
<DD>
By default, Kerberos will install the package's files rooted at
`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
desire a different location, use this option.
<DT><CODE>--exec-prefix=EXECPREFIX</CODE>
<DD>
This option allows one to separate the architecture independent programs
from the configuration files and manual pages.
<DT><CODE>--localstatedir=LOCALSTATEDIR</CODE>
<DD>
This option sets the directory for locally modifiable single-machine
data. In Kerberos, this mostly is useful for setting a location for the
KDC data files, as they will be installed in
<CODE>LOCALSTATEDIR/krb5kdc</CODE>, which is by default
<CODE>PREFIX/var/krb5kdc</CODE>.
<DT><CODE>--with-cc=COMPILER</CODE>
<DD>
Use <CODE>COMPILER</CODE> as the C compiler.
<DT><CODE>--with-ccopts=FLAGS</CODE>
<DD>
Use <CODE>FLAGS</CODE> as the default set of C compiler flags.
Note that if you use the native Ultrix compiler on a
DECstation you are likely to lose if you pass no flags to cc; md4.c
takes an estimated 3,469 billion years to compile if you provide neither
the <SAMP>`-g'</SAMP> flag nor the <SAMP>`-O'</SAMP> flag to <SAMP>`cc'</SAMP>.
<DT><CODE>--with-cppopts=CPPOPTS</CODE>
<DD>
Use <CODE>CPPOPTS</CODE> as the default set of C preprocessor flags. The most
common use of this option is to select certain <CODE>#define</CODE>'s for use
with the operating system's include files.
<DT><CODE>--with-linker=LINKER</CODE>
<DD>
Use <CODE>LINKER</CODE> as the default loader if it should be different from C
compiler as specified above.
<DT><CODE>--with-ldopts=LDOPTS</CODE>
<DD>
This option allows one to specify optional arguments to be passed to the
linker. This might be used to specify optional library paths.
<DT><CODE>--with-krb4</CODE>
<DD>
This option enables Kerberos V4 backwards compatibility using the
builtin Kerberos V4 library.
<DT><CODE>--with-krb4=KRB4DIR</CODE>
<DD>
This option enables Kerberos V4 backwards compatibility using a
pre-existing Kerberos V4 installation. The directory specified by
<CODE>KRB4DIR</CODE> specifies where the V4 header files should be found
(<TT>`KRB4DIR/include'</TT>) as well as where the V4 Kerberos library should
be found (<TT>`KRB4DIR/lib'</TT>).
<DT><CODE>--without-krb4</CODE>
<DD>
Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
clients from using the V5 services including the KDC. This would be
useful if you know you will never install or need to interact with V4
clients.
<DT><CODE>--with-netlib[=libs]</CODE>
<DD>
Allows for suppression of or replacement of network libraries. By
default, Kerberos V5 configuration will look for <CODE>-lnsl</CODE> and
<CODE>-lsocket</CODE>. If your operating system has a broken resolver library
(see section <A HREF="install.html#SEC33">Solaris versions 2.0 through 2.3</A>) or fails to pass the tests in
<TT>`src/tests/resolv'</TT> you will need to use this option.
<DT><CODE>--with-vague-errors</CODE>
<DD>
If enabled, gives vague and unhelpful error messages to the client... er,
attacker. (Needed to meet silly government regulations; most other
sites will want to keep this undefined.)
<DT><CODE>--with-kdc-kdb-update</CODE>
<DD>
Set this option if you want to allow the KDC to modify the Kerberos
database; this allows the last request information to be updated, as
well as the failure count information. Note that this doesn't work if
you're using slave servers!!! It also causes the database to be
modified (and thus needing to be locked) frequently. Please note that
the implementors do not regularly test this feature.
<DT><CODE>--with-tcl=TCLPATH</CODE>
<DD>
Some of the unit-tests in the build tree rely upon using a program in
Tcl. The directory specified by <CODE>TCLPATH</CODE> specifies where the Tcl
header file (<TT>`TCLPATH/include/tcl.h'</TT> as well as where the Tcl
library should be found (<TT>`TCLPATH/lib'</TT>).
<DT><CODE>--enable-shared</CODE>
<DD>
This option will turn on the building and use of shared library objects
in the Kerberos build. This option is only supported on certain
platforms.
<DT><CODE>--enable-dns</CODE>
<DD>
<DT><CODE>--enable-dns-for-kdc</CODE>
<DD>
<DT><CODE>--enable-dns-for-realm</CODE>
<DD>
Enable the use of DNS to look up a host's Kerberos realm, or a realm's
KDCs, if the information is not provided in krb5.conf. See
See section <A HREF="install.html#SEC12">Hostnames for the Master and Slave KDCs</A>, and See section <A HREF="install.html#SEC9">Mapping Hostnames onto Kerberos Realms</A>. By default, DNS lookups are enabled
for the latter but not for the former.
<DT><CODE>--enable-kdc-replay-cache</CODE>
<DD>
Enable a cache in the KDC to detect retransmitted messages, and resend
the previous responses to them. This protects against certain types of
attempts to extract information from the KDC through some of the
hardware preauthentication systems.
</DL>
<P>
For example, in order to configure Kerberos on a Solaris machine using
the <SAMP>`suncc'</SAMP> compiler with the optimizer turned on, run the configure
script with the following options:
<PRE>
% ./configure --with-cc=suncc --with-ccopts=-O
</PRE>
<H2><A NAME="SEC25" HREF="install_toc.html#TOC25"><TT>`osconf.h'</TT></A></H2>
<P>
There is one configuration file which you may wish to edit to control
various compile-time parameters in the Kerberos distribution:
<TT>`include/krb5/stock/osconf.h'</TT>. The list that follows is by no means
complete, just some of the more interesting variables.
<P>
Please note: The former configuration file <TT>`config.h'</TT> no longer
exists as its functionality has been merged into the auto-configuration
process. See section <A HREF="install.html#SEC24">Options to Configure</A>.
<DL COMPACT>
<DT><CODE>DEFAULT_PROFILE_PATH</CODE>
<DD>
The pathname to the file which contains the profiles for the known
realms, their KDCs, etc.
The profile file format is no longer the same format as Kerberos V4's
<TT>`krb.conf'</TT> file.
<DT><CODE>DEFAULT_KEYTAB_NAME</CODE>
<DD>
The type and pathname to the default server keytab file (the equivalent
of Kerberos V4's <TT>`/etc/srvtab'</TT>).
<DT><CODE>DEFAULT_KDC_ENCTYPE</CODE>
<DD>
The default encryption type for the KDC.
<DT><CODE>KDCRCACHE</CODE>
<DD>
The name of the replay cache used by the KDC.
<DT><CODE>RCTMPDIR</CODE>
<DD>
The directory which stores replay caches.
<DT><CODE>DEFAULT_KDB_FILE</CODE>
<DD>
The location of the default database
</DL>
<H2><A NAME="SEC26" HREF="install_toc.html#TOC26">Shared Library Support</A></H2>
<P>
Shared library support is provided for a few operating systems. There
are restrictions as to which compiler to use when using shared
libraries. In all cases, executables linked with the shared libraries in
this build process will have built in the location of the libraries,
therefore obliterating the need for special LD_LIBRARY_PATH, et al environment
variables when using the programs. Except where noted, multiple versions
of the libraries may be installed on the same system and continue to
work.
<P>
Currently the supported platforms are Solaris 2.6 (aka SunOS 5.6) and Irix 6.5.
<P>
Shared library support has been tested on the following platforms but
not exhaustively (they have been built but not necessarily tested in an
installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, NetBSD
1.4.x (i386), and HP/UX 10.20.
<P>
Platforms for which there is shared library support but not significant
testing include FreeBSD, OpenBSD, MacOS 10, AIX, Linux, and SunOS 4.x.
<P>
To enable shared libraries on the above platforms, run the configure
script with the option <SAMP>`--enable-shared'</SAMP>.
<H2><A NAME="SEC27" HREF="install_toc.html#TOC27">Operating System Incompatibilities</A></H2>
<P>
This section details operating system incompatibilities with Kerberos V5
which have been reported to the developers at MIT. If you find
additional incompatibilities, and/or discover work arounds to such
problems, please send a report via the <CODE>krb5-send-pr</CODE> program.
Thanks!
<H3><A NAME="SEC28" HREF="install_toc.html#TOC28">AIX</A></H3>
<P>
The AIX 3.2.5 linker dumps core trying to build a shared
<SAMP>`libkrb5.a'</SAMP> produced with the GNU C compiler. The native AIX
compiler works fine. This problem is fixed using the AIX 4.1 linker.
<H3><A NAME="SEC29" HREF="install_toc.html#TOC29">Alpha OSF/1 V1.3</A></H3>
<P>
Using the native compiler, compiling with the <SAMP>`-O'</SAMP> compiler flag
causes the <CODE>asn.1</CODE> library to be compiled incorrectly.
<P>
Using GCC version 2.6.3 or later instead of the native compiler will also work
fine, both with or without optimization.
<H3><A NAME="SEC30" HREF="install_toc.html#TOC30">Alpha OSF/1 V2.0++</A></H3>
<P>
There used to be a bug when using the native compiler in compiling
<TT>`md4.c'</TT> when compiled without either the <SAMP>`-O'</SAMP> or <SAMP>`-g'</SAMP>
compiler options. We have changed the code and there is no problem
under V2.1, but we do not have access to V2.0 to test and see if the
problem would exist there. (We welcome feedback on this issue). There
was never a problem in using GCC version 2.6.3.
<P>
In version 3.2 and beyond of the operating system, we have not seen any
problems with the native compiler.
<H3><A NAME="SEC31" HREF="install_toc.html#TOC31">BSDI</A></H3>
<P>
BSDI versions 1.0 and 1.1 reportedly has a bad <SAMP>`sed'</SAMP> which causes
it to go into an infinite loop during the build. The work around is
to use a <SAMP>`sed'</SAMP> from somewhere else, such as GNU. (This may be
true for some versions of other systems derived from BSD 4.4, such as
NetBSD and FreeBSD.)
<H3><A NAME="SEC32" HREF="install_toc.html#TOC32">HPUX</A></H3>
<P>
The native (bundled) compiler for HPUX currently will not work, because
it is not a full ANSI C compiler. The optional compiler (c89) should
work as long as you give it the <SAMP>`-D_HPUX_SOURCE'</SAMP> flag
(i.e. <SAMP>`./configure --with-cc='c89 -D_HPUX_SOURCE''</SAMP>). This has only
been tested recently for HPUX 10.20.
<H3><A NAME="SEC33" HREF="install_toc.html#TOC33">Solaris versions 2.0 through 2.3</A></H3>
<P>
The <CODE>gethostbyname()</CODE> routine is broken; it does not return a fully
qualified domain name, even if you are using the Domain Name Service
routines. Since Kerberos V5 uses the fully qualified domain name as the
second component of a service principal (i.e,
<SAMP>`host/tsx-11.mit.edu@ATHENA.MIT.EDU'</SAMP>), this causes problems for servers
who try to figure out their own fully qualified domain name.
<P>
Workarounds:
<OL>
<LI>
Supply your own resolver library. (such as bind-4.9.3pl1 available
from ftp.vix.com)
<LI>
Upgrade to Solaris 2.4
<LI>
Make sure your /etc/nsswitch.conf has `files' before `dns' like:
<PRE>
hosts: files dns
</PRE>
and then in /etc/hosts, make sure there is a line with your
workstation's IP address and hostname, with the fully qualified domain
name first. Example:
<PRE>
18.172.1.4 dcl.mit.edu dcl
</PRE>
Note that making this change may cause other programs in your
environment to break or behave differently.
</OL>
<H3><A NAME="SEC34" HREF="install_toc.html#TOC34">Solaris 2.X</A></H3>
<P>
You <B>must</B> compile Kerberos V5 without the UCB compatibility
libraries. This means that <TT>`/usr/ucblib'</TT> must not be in the
LD_LIBRARY_PATH environment variable when you compile it. Alternatively
you can use the <CODE>-i</CODE> option to <SAMP>`cc'</SAMP>, by using the specifying
<CODE>--with-ccopts=-i</CODE> option to <SAMP>`configure'</SAMP>.
<H3><A NAME="SEC35" HREF="install_toc.html#TOC35">SGI Irix 5.X</A></H3>
<P>
If you are building in a tree separate from the source tree, the vendors
version of make does not work properly with regards to
<SAMP>`VPATH'</SAMP>. It also has problems with standard inference rules in 5.2
(not tested yet in 5.3) so one needs to use GNU's make.
<P>
Under 5.2, there is a bug in the optional System V <CODE>-lsocket</CODE>
library in which the routine <CODE>gethostbyname()</CODE> is broken. The
system supplied version in <CODE>-lc</CODE> appears to work though so one may
simply specify <CODE>--with-netlib</CODE> option to <SAMP>`configure'</SAMP>.
<P>
In 5.3, <CODE>gethostbyname()</CODE> is no longer present in <CODE>-lsocket</CODE> and
is no longer an issue.
<H3><A NAME="SEC36" HREF="install_toc.html#TOC36">Ultrix 4.2/3</A></H3>
<P>
The DEC MIPS platform currently will not support the native compiler,
since the Ultrix compiler is not a full ANSI C compiler. You should use
GCC instead.
<H2><A NAME="SEC37" HREF="install_toc.html#TOC37">Using <SAMP>`Autoconf'</SAMP></A></H2>
<P>
(If you are not a developer, you can skip this section.)
<P>
In most of the Kerberos V5 source directories, there is a
<TT>`configure'</TT> script which automatically determines the compilation
environment and creates the proper Makefiles for a particular platform.
These <TT>`configure'</TT> files are generated using <SAMP>`autoconf'</SAMP> version
2.4, which can be found in the <TT>`src/util/autoconf'</TT> directory in the
distribution.
<P>
Normal users will not need to worry about running <SAMP>`autoconf'</SAMP>; the
distribution comes with the <TT>`configure'</TT> files already prebuilt.
Developers who wish to modify the <TT>`configure.in'</TT> files should see
section `Overview' in <CITE>The Autoconf Manual</CITE>.
<P>
Note that in order to run <SAMP>`autoconf'</SAMP>, you must have GNU <SAMP>`m4'</SAMP>
in your path. Before you use the <SAMP>`autoconf'</SAMP> in the Kerberos V5
source tree, you may also need to run <SAMP>`configure'</SAMP>, and then run
<SAMP>`make'</SAMP> in the <TT>`src/util/autoconf'</TT> directory in order to
properly set up <SAMP>`autoconf'</SAMP>.
<P>
One tool which is provided for the convenience of developers can be
found in <TT>`src/util/reconf'</TT>. This program should be run while the
current directory is the top source directory. It will automatically
rebuild any <TT>`configure'</TT> files which need rebuilding. If you know
that you have made a change that will require that all the
<TT>`configure'</TT> files need to be rebuilt from scratch, specify the
<CODE>--force</CODE> option:
<PRE>
% cd /u1/krb5-1.2/src
% ./util/reconf --force
</PRE>
<P>
The developmental sources are a raw source tree (before it's been packaged
for public release), without the pre-built <TT>`configure'</TT> files.
In order to build from such a source tree, you must do:
<PRE>
% cd krb5/util/autoconf
% ./configure
% make
% cd ../..
% util/reconf
</PRE>
<P>
Then follow the instructions for building packaged source trees (above).
To install the binaries into a binary tree, do:
<PRE>
% cd /u1/krb5-1.2/src
% make all
% make install DESTDIR=somewhere-else
</PRE>
<H1><A NAME="SEC38" HREF="install_toc.html#TOC38">Installing Kerberos V5</A></H1>
<P>
The sections of this chapter describe procedures for installing
Kerberos V5 on:
<OL>
<LI>
The KDCs
<LI>
UNIX client machines
<LI>
UNIX Application Servers
</OL>
<H2><A NAME="SEC39" HREF="install_toc.html#TOC39">Installing KDCs</A></H2>
<P>
The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC
contains a copy of the Kerberos database. The master KDC contains the
master copy of the database, which it propagates to the slave KDCs at
regular intervals. All database changes (such as password changes) are
made on the master KDC.
<P>
Slave KDCs provide Kerberos ticket-granting services, but not database
administration. This allows clients to continue to obtain tickets when
the master KDC is unavailable.
<P>
MIT recommends that you install all of your KDCs to be able
to function as either the master or one of the slaves. This will enable
you to easily switch your master KDC with one of the slaves if
necessary. (See section <A HREF="install.html#SEC58">Switching Master and Slave KDCs</A>.) This installation
procedure is based on that recommendation.
<H3><A NAME="SEC40" HREF="install_toc.html#TOC40">Install the Master KDC</A></H3>
<P>
This installation procedure will require you to go back and forth a
couple of times between the master KDC and each of the slave KDCs. The
first few steps must be done on the master KDC.
<H4><A NAME="SEC41" HREF="install_toc.html#TOC41">Edit the Configuration Files</A></H4>
<P>
Modify the configuration files, <CODE>/etc/krb5.conf</CODE>
(see section <A HREF="install.html#SEC72">krb5.conf</A>) and <CODE>/usr/local/var/krb5kdc/kdc.conf</CODE>
(see section <A HREF="install.html#SEC73">kdc.conf</A>) to reflect the correct information (such as the
hostnames and realm name) for your realm. MIT recommends
that you keep <CODE>krb5.conf</CODE> in <CODE>/etc</CODE>.
<P>
Among the settings in your <CODE>/etc/krb5.conf</CODE> file, be sure to create
a <CODE>[logging]</CODE> stanza so that the KDC and kadmind will generate
logging output. For example:
<PRE>
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
</PRE>
<H4><A NAME="SEC42" HREF="install_toc.html#TOC42">Create the Database</A></H4>
<P>
You will use the <CODE>kdb5_util</CODE> command <EM>on the Master KDC</EM> to
create the Kerberos database and the optional stash file. The
<EM>stash file</EM> is a local copy of the master key that resides in
encrypted form on the KDC's local disk. The stash file is used to
authenticate the KDC to itself automatically before starting the
<CODE>kadmind</CODE> and <CODE>krb5kdc</CODE> daemons (<I>e.g.,</I> as part of the
machine's boot sequence). The stash file, like the keytab file
(see See section <A HREF="install.html#SEC66">The Keytab File</A>, for more information) is a potential
point-of-entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk. The file
should not be part of any backup of the machine, unless access to the
backup data is secured as tightly as access to the master password
itself.
<P>
Note that <CODE>kdb5_util</CODE> will prompt you for the master key for the
Kerberos database. This key can be any string. A good key is one you
can remember, but that no one else can guess. Examples of bad keys are
words that can be found in a dictionary, any common or popular name,
especially a famous person (or cartoon character), your username in any
form (<I>e.g.</I>, forward, backward, repeated twice, <I>etc.</I>), and any of
the sample keys that appear in this manual. One example of a key which
might be good if it did not appear in this manual is "MITiys4K5!",
which represents the sentence "MIT is your source for Kerberos 5!"
(It's the first letter of each word, substituting the numeral "4" for
the word "for", and includes the punctuation mark at the end.)
<P>
The following is an example of how to create a Kerberos database and
stash file on the master KDC, using the <CODE>kdb5_util</CODE> command. (The
line that begins with => is a continuation of the previous line.)
Replace <I>ATHENA.MIT.EDU</I> with the name of your Kerberos realm.
<PRE>
<B>shell%</B> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
<B>Initializing database '/usr/local/var/krb5kdc/principal' for
=> realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.</B>
<B>Enter KDC database master key:</B> <I>@doubleleftarrow{</I> Type the master password.}
<B>Re-enter KDC database master key to verify:</B> <I>@doubleleftarrow{</I> Type it again.}
<B>shell%</B>
</PRE>
<P>
This will create five files in the directory specified in your
<CODE>kdc.conf</CODE> file: two Kerberos database files, <CODE>principal.db</CODE>,
and <CODE>principal.ok</CODE>; the Kerberos administrative database file,
<CODE>principal.kadm5</CODE>; the administrative database lock file,
<CODE>principal.kadm5.lock</CODE>; and the stash file, <CODE>.k5stash</CODE>. (The
default directory is <CODE>/usr/local/var/krb5kdc</CODE>.) If you do not
want a stash file, run the above command without the <CODE>-s</CODE> option.
<H4><A NAME="SEC43" HREF="install_toc.html#TOC43">Add Administrators to the Acl File</A></H4>
<P>
Next, you need create an Access Control List (acl) file, and put the
Kerberos principal of at least one of the administrators into it. The
filename should match the value you have set for "acl_file" in your
<CODE>kdc.conf</CODE> file. The default file name is <SAMP>`kadm5.acl'</SAMP>. The
format of the file is:
<PRE>
Kerberos principal permissions optional target principal
</PRE>
<P>
The Kerberos principal (and optional target principal) can include the
"<B>*</B>" wildcard, so if you want any principal with the instance
"admin" to have full permissions on the database, you could use the
principal "<CODE>*/admin@REALM</CODE>" where "REALM" is your Kerberos
realm.
<P>
Note: a common use of an <I>admin</I> instance is so you can grant
separate permissions (such as administrator access to the Kerberos
database) to a separate Kerberos principal. For example, the user
<CODE>joeadmin</CODE> might have a principal for his administrative
use, called <CODE>joeadmin/admin</CODE>. This way,
<CODE>joeadmin</CODE> would obtain <CODE>joeadmin/admin</CODE>
tickets only when he actually needs to use those permissions. Refer to
the Kerberos V5 Administrator's Guide or the Kerberos V5 User's
Guide for more detailed explanations of <EM>principals</EM> and
<EM>instances</EM>.
<P>
The permissions (acls) recognized in the acl file
are the following:
<DL COMPACT>
<DT><B>a</B>
<DD>
allows the addition of principals or policies in the database.
<DT><B>A</B>
<DD>
prohibits the addition of principals or policies in the database.
<DT><B>d</B>
<DD>
allows the deletion of principals or policies in the database.
<DT><B>D</B>
<DD>
prohibits the deletion of principals or policies in the database.
<DT><B>m</B>
<DD>
allows the modification of principals or policies in the database.
<DT><B>M</B>
<DD>
prohibits the modification of principals or policies in the database.
<DT><B>c</B>
<DD>
allows the changing of passwords for principals in the database.
<DT><B>C</B>
<DD>
prohibits the changing of passwords for principals in the database.
<DT><B>i</B>
<DD>
allows inquiries to the database.
<DT><B>I</B>
<DD>
prohibits inquiries to the database.
<DT><B>l</B>
<DD>
allows the listing of principals or policies in the database.
<DT><B>L</B>
<DD>
prohibits the listing of principals or policies in the database.
<DT><B>*</B>
<DD>
Short for all privileges (admcil).
<DT><B>x</B>
<DD>
Short for all privileges (admcil); identical to "*".
</DL>
<P>
To give the principal <CODE>*/admin@ATHENA.MIT.EDU</CODE> permission to
change all of the database permissions on any principal permissions, you
would place the following line in the file:
<PRE>
*/admin@ATHENA.MIT.EDU *
</PRE>
<P>
To give the principal <CODE>joeadmin@ATHENA.MIT.EDU</CODE>
permission to add, list, and inquire about any principal that has the
instance "root", you would add the following line to the acl file:
<PRE>
joeadmin@ATHENA.MIT.EDU ali */root@ATHENA.MIT.EDU
</PRE>
<H4><A NAME="SEC44" HREF="install_toc.html#TOC44">Add Administrators to the Kerberos Database</A></H4>
<P>
Next you need to add administrative principals to the Kerberos database.
(You must add at least one now.) To do this, use <CODE>kadmin.local</CODE>
<EM>on the master KDC</EM>. The administrative principals you create
should be the ones you added to the ACL file. (See See section <A HREF="install.html#SEC43">Add Administrators to the Acl File</A>.) In the following example, the
administration principal <CODE>admin/admin</CODE> is created:
<PRE>
<B>shell%</B> /usr/local/sbin/kadmin.local
<B>kadmin.local:</B> addprinc admin/admin@ATHENA.MIT.EDU
<B>WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU";
defaulting to no policy.</B>
<B>Enter password for principal admin/admin@ATHENA.MIT.EDU:</B> <I>@doubleleftarrow{</I> Enter a password.}
Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <I>@doubleleftarrow{</I> Type it again.}
<B>Principal "admin/admin@ATHENA.MIT.EDU" created.
kadmin.local:</B>
</PRE>
<H4><A NAME="SEC45" HREF="install_toc.html#TOC45">Create a kadmind Keytab</A></H4>
<P>
The kadmind keytab is the key that kadmind will use to decrypt
administrators' Kerberos tickets to determine whether or not it should
give them access to the database. You need to create the kadmin keytab
with entries for the principals <CODE>kadmin/admin</CODE> and
<CODE>kadmin/changepw</CODE>. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
keytab, run <CODE>kadmin.local</CODE> and use the <CODE>ktadd</CODE> command, as in
the following example. (The line beginning with => is a
continuation of the previous line.):
<PRE>
<B>shell%</B> /usr/local/sbin/kadmin.local
<B>kadmin.local:</B> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
=> kadmin/admin kadmin/changepw
<B>Entry for principal kadmin/admin@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
kadmin.local:</B> quit
<B>shell%</B>
</PRE>
<P>
As specified in the <SAMP>`-k'</SAMP> argument, <CODE>ktadd</CODE> will save the
extracted keytab as <BR> <CODE>/usr/local/var/krb5kdc/kadm5.keytab</CODE>.
The filename you use must be the one specified in your <CODE>kdc.conf</CODE>
file.
<H4><A NAME="SEC46" HREF="install_toc.html#TOC46">Start the Kerberos Daemons on the Master KDC</A></H4>
<P>
At this point, you are ready to start the Kerberos daemons on the Master
KDC. To do so, type:
<PRE>
<B>shell%</B> /usr/local/sbin/krb5kdc
<B>shell%</B> /usr/local/sbin/kadmind
</PRE>
<P>
Each daemon will fork and run in the background. Assuming you want
these daemons to start up automatically at boot time, you can add them
to the KDC's <CODE>/etc/rc</CODE> or <CODE>/etc/inittab</CODE> file. You need to
have a stash file in order to do this.
<P>
You can verify that they started properly by checking for their startup
messages in the logging locations you defined in <CODE>/etc/krb5.conf</CODE>.
(See See section <A HREF="install.html#SEC41">Edit the Configuration Files</A>.) For example:
<PRE>
<B>shell%</B> tail /var/log/krb5kdc.log
Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
<B>shell%</B> tail /var/log/kadmin.log
Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
</PRE>
<P>
Any errors the daemons encounter while starting will also be listed in
the logging output.
<H3><A NAME="SEC47" HREF="install_toc.html#TOC47">Install the Slave KDCs</A></H3>
<P>
You are now ready to start configuring the slave KDCs. Assuming you are
setting the KDCs up so that you can easily switch the master KDC with
one of the slaves, you should perform each of these steps on the master
KDC as well as the slave KDCs, unless these instructions specify
otherwise.
<H4><A NAME="SEC48" HREF="install_toc.html#TOC48">Create Host Keys for the Slave KDCs</A></H4>
<P>
Each KDC needs a host principal in the Kerberos database. You can enter
these from any host, once the <CODE>kadmind</CODE> daemon is running. For
example, if your master KDC were called
kerberos.mit.edu, and you had two KDC slaves
named kerberos-1.mit.edu and
kerberos-2.mit.edu, you would type the following:
<PRE>
<B>shell%</B> /usr/local/sbin/kadmin
<B>kadmin:</B> addprinc -randkey host/kerberos.mit.edu
<B>WARNING: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU";
defaulting to no policy.
Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
kadmin:</B> addprinc -randkey host/kerberos-1.mit.edu
<B>WARNING: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU";
defaulting to no policy.
Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</B>
<B>kadmin:</B> addprinc -randkey host/kerberos-2.mit.edu
<B>WARNING: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU";
defaulting to no policy.
Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created.
kadmin:</B>
</PRE>
<P>
It is not actually necessary to have the master KDC server in the
Kerberos database, but it can be handy if:
<UL>
<LI>
anyone will be logging into the machine as something other than root
<LI>
you want to be able to swap the master KDC with one of the slaves if
necessary.
</UL>
<H4><A NAME="SEC49" HREF="install_toc.html#TOC49">Extract Host Keytabs for the KDCs</A></H4>
<P>
Each KDC (including the master) needs a keytab to decrypt tickets.
Ideally, you should extract each keytab locally on its own KDC. If this
is not feasible, you should use an encrypted session to send them across
the network. To extract a keytab on a KDC called
kerberos.mit.edu, you would execute the following
command:
<PRE>
<B>kadmin:</B> ktadd host/kerberos.mit.edu
<B>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with
kvno 1, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin:</B>
</PRE>
<P>
Note that the principal must exist in the Kerberos database in order to
extract the keytab.
<H4><A NAME="SEC50" HREF="install_toc.html#TOC50">Set Up the Slave KDCs for Database Propagation</A></H4>
<P>
The database is propagated from the master KDC to the slave KDCs via the
<CODE>kpropd</CODE> daemon. To set up propagation, create a file on each KDC,
named <CODE>/usr/local/var/krb5kdc/kpropd.acl</CODE>, containing the
principals for each of the KDCs.
For example, if the master KDC were
<CODE>kerberos.mit.edu</CODE>, the slave KDCs were
<CODE>kerberos-1.mit.edu</CODE> and
<CODE>kerberos-2.mit.edu</CODE>, and the realm were
<CODE>ATHENA.MIT.EDU</CODE>, then the file's contents would be:
<PRE>
host/kerberos.mit.edu@ATHENA.MIT.EDU
host/kerberos-1.mit.edu@ATHENA.MIT.EDU
host/kerberos-2.mit.edu@ATHENA.MIT.EDU
</PRE>
<P>
Then, add the following lines to <CODE>/etc/inetd.conf</CODE> file on each KDC
(the line beginnng with => is a continuation of the previous
line):
<PRE>
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
</PRE>
<P>
The first line sets up the <CODE>kpropd</CODE> database propagation daemon.
The second line sets up the <CODE>eklogin</CODE> daemon, allowing
Kerberos-authenticated, encrypted rlogin to the KDC.
<P>
You also need to add the following lines to <CODE>/etc/services</CODE> on each
KDC:
<PRE>
kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
eklogin 2105/tcp # Kerberos encrypted rlogin
</PRE>
<H3><A NAME="SEC51" HREF="install_toc.html#TOC51">Back on the Master KDC</A></H3>
<P>
Now that the slave KDCs are able to accept database propagation, you'll
need to propagate the database to each of them.
<H4><A NAME="SEC52" HREF="install_toc.html#TOC52">Propagate the Database to Each Slave KDC</A></H4>
<P>
First, create a dump of the database on the master KDC, as follows:
<PRE>
<B>shell%</B> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
<B>shell%</B>
</PRE>
<P>
Next, you need to manually propagate the database to each slave KDC, as
in the following example. (The lines beginning with => are
continuations of the previous line.):
<PRE>
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
=> kerberos-1.mit.edu
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
=> kerberos-2.mit.edu
</PRE>
<P>
You will need a script to dump and propagate the database. The
following is an example of a bourne shell script that will do this.
(Note that the line that begins with => is a continuation of the
previous line. Remember that you need to replace /usr/local with
the name of the directory in which you installed Kerberos V5.)
<PRE>
#!/bin/sh
kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"
/usr/local/sbin/kdb5_util -R "dump
=> /usr/local/var/krb5kdc/slave_datatrans"
for kdc in $kdclist
do
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
done
</PRE>
<P>
You will need to set up a cron job to run this script at the intervals
you decided on earlier (See section <A HREF="install.html#SEC13">Database Propagation</A>.)
<H3><A NAME="SEC53" HREF="install_toc.html#TOC53">Finish Installing the Slave KDCs</A></H3>
<P>
Now that the slave KDCs have copies of the Kerberos database, you can
create stash files for them and start the <CODE>krb5kdc</CODE> daemon.
<H4><A NAME="SEC54" HREF="install_toc.html#TOC54">Create Stash Files on the Slave KDCs</A></H4>
<P>
Create stash files, by issuing the following commands on each slave KDC:
<PRE>
<B>shell%</B> kdb5_util stash
<B>kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key</B>
<B>Enter KDC database master key:</B> <I>@doubleleftarrow{</I> Enter the database master key.}
<B>shell%</B>
</PRE>
<P>
As mentioned above, the stash file is necessary for your KDCs to be able
authenticate to themselves, such as when they reboot. You could run
your KDCs without stash files, but you would then need to type in the
Kerberos database master key by hand every time you start a KDC daemon.
<H4><A NAME="SEC55" HREF="install_toc.html#TOC55">Start the krb5kdc Daemon on Each KDC</A></H4>
<P>
The final step in configuing your slave KDCs is to run the KDC daemon:
<PRE>
<B>shell%</B> /usr/local/sbin/krb5kdc
</PRE>
<P>
As with the master KDC, you will probably want to add this command to
the KDCs' <CODE>/etc/rc</CODE> or <CODE>/etc/inittab</CODE> files, so they will
start the krb5kdc daemon automatically at boot time.
<H3><A NAME="SEC56" HREF="install_toc.html#TOC56">Add Kerberos Principals to the Database</A></H3>
<P>
Once your KDCs are set up and running, you are ready to use
<CODE>kadmin</CODE> to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described fully in the
"Adding or Modifying Principals" section of the Kerberos V5 System
Administrator's Guide. (See section <A HREF="install.html#SEC48">Create Host Keys for the Slave KDCs</A>, for a
brief description.) The keytab is generated by running <CODE>kadmin</CODE>
and issuing the <CODE>ktadd</CODE> command.
<H3><A NAME="SEC57" HREF="install_toc.html#TOC57">Limit Access to the KDCs</A></H3>
<P>
To limit the possibility that your Kerberos database could be
compromised, MIT recommends that each KDC be a dedicated
host, with limited access. If your KDC is also a file server, FTP
server, Web server, or even just a client machine, someone who obtained
root access through a security hole in any of those areas could gain
access to the Kerberos database.
<P>
MIT recommends that your KDCs use the following
<CODE>/etc/inetd.conf</CODE> file. (Note: each line beginning with =>
is a continuation of the previous line.):
<PRE>
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user>
=> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
# This machine is a secure Kerberos Key Distribution Center (KDC).
# Services are limited.
#
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Limited Kerberos services
#
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -5 -c -e
</PRE>
<H3><A NAME="SEC58" HREF="install_toc.html#TOC58">Switching Master and Slave KDCs</A></H3>
<P>
You may occasionally want to use one of your slave KDCs as the master.
This might happen if you are upgrading the master KDC, or if your master
KDC has a disk crash.
<P>
Assuming you have configured all of your KDCs to be able to function as
either the master KDC or a slave KDC (as this document recommends), all
you need to do to make the changeover is:
<P>
If the master KDC is still running, do the following on the <EM>old</EM>
master KDC:
<OL>
<LI>
Kill the <CODE>kadmind</CODE> process.
<LI>
Disable the cron job that propagates the database.
<LI>
Run your database propagation script manually, to ensure that the slaves
all have the latest copy of the database. (See section <A HREF="install.html#SEC52">Propagate the Database to Each Slave KDC</A>.) As of the 1.2.2 release, it is no longer necessary
to use "kdb5_util dump -ov" in order to preserve per-principal policy
information, as the default dump format now supports it. Note you
should update your slaves prior to your master, so that they will
understand the new dump format. (This is a good policy anyway.)
</OL>
<P>
On the <EM>new</EM> master KDC:
<OL>
<LI>
Create a database keytab. (See section <A HREF="install.html#SEC45">Create a kadmind Keytab</A>.)
<LI>
Start the <CODE>kadmind</CODE> daemon. (See section <A HREF="install.html#SEC46">Start the Kerberos Daemons on the Master KDC</A>.)
<LI>
Set up the cron job to propagate the database. (See section <A HREF="install.html#SEC52">Propagate the Database to Each Slave KDC</A>.)
<LI>
Switch the CNAMEs of the old and new master KDCs. (If you don't do
this, you'll need to change the <CODE>krb5.conf</CODE> file on every client
machine in your Kerberos realm.)
</OL>
<H2><A NAME="SEC59" HREF="install_toc.html#TOC59">Installing and Configuring UNIX Client Machines</A></H2>
<P>
Client machine installation is much more straightforward than
installation of the KDCs.
<H3><A NAME="SEC60" HREF="install_toc.html#TOC60">Client Programs</A></H3>
<P>
The Kerberized client programs are <CODE>login.krb5</CODE>, <CODE>rlogin</CODE>,
<CODE>telnet</CODE>, <CODE>ftp</CODE>, <CODE>rcp</CODE>, <CODE>rsh</CODE>, <CODE>kinit</CODE>,
<CODE>klist</CODE>, <CODE>kdestroy</CODE>, <CODE>kpasswd</CODE>, <CODE>ksu</CODE>, and
<CODE>krb524init</CODE>. All of these programs are in the directory
<CODE>/usr/local/bin</CODE>, except for <CODE>login.krb5</CODE> which is in
<CODE>/usr/local/sbin</CODE>.
<P>
You will probably want to have your users put <CODE>/usr/local/bin</CODE>
ahead of <CODE>/bin</CODE> and <CODE>/usr/bin</CODE> in their paths, so they will by
default get the Kerberos V5 versions of <CODE>rlogin</CODE>,
<CODE>telnet</CODE>, <CODE>ftp</CODE>, <CODE>rcp</CODE>, and <CODE>rsh</CODE>.
<P>
MIT recommends that you use <CODE>login.krb5</CODE> in place of
<CODE>/bin/login</CODE> to give your users a single-sign-on system. You will
need to make sure your users know to use their Kerberos passwords when
they log in.
<P>
You will also need to educate your users to use the ticket management
programs <CODE>kinit</CODE>,
<CODE>klist</CODE>, <CODE>kdestroy</CODE>, and to use the Kerberos programs
<CODE>ksu</CODE>, and <CODE>kpasswd</CODE> in place of their non-Kerberos
counterparts
<CODE>su</CODE>, <CODE>passwd</CODE>, and <CODE>rdist</CODE>.
<H3><A NAME="SEC61" HREF="install_toc.html#TOC61">Client Machine Configuration Files</A></H3>
<P>
Each machine running Kerberos must have a <CODE>/etc/krb5.conf</CODE> file.
(See section <A HREF="install.html#SEC72">krb5.conf</A>)
<P>
Also, for most UNIX systems, you must add the appropriate Kerberos
services to each client machine's <CODE>/etc/services</CODE> file. If you are
using the default configuration for Kerberos V5, you should be able
to just insert the following code:
<PRE>
#
# Note --- if you are using Kerberos V4 and you either:
#
# (a) haven't converted all your master or slave KDCs to V5, or
#
# (b) are worried about inter-realm interoperability with other KDC's
# that are still using V4
#
# you will need to switch the "kerberos" service to port 750 and create a
# "kerberos-sec" service on port 88.
#
kerberos 88/udp kdc # Kerberos V5 KDC
kerberos 88/tcp kdc # Kerberos V5 KDC
klogin 543/tcp # Kerberos authenticated rlogin
kshell 544/tcp cmd # and remote shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
krb5_prop 754/tcp # Kerberos slave propagation
eklogin 2105/tcp # Kerberos auth. & encrypted rlogin
krb524 4444/tcp # Kerberos 5 to 4 ticket translator
</PRE>
<P>
As described in the comments in the above code, if your master
KDC or any of your slave KDCs is running Kerberos V4, (or if you will be
authenticating to any Kerberos V4 KDCs in another realm) you will need
to switch the port number for <CODE>kerberos</CODE> to 750 and create a
<CODE>kerberos-sec</CODE> service (tcp and udp) on port 88, so the Kerberos
V4 KDC(s) will continue to work properly.
<H4><A NAME="SEC62" HREF="install_toc.html#TOC62">Mac OS X Configuration</A></H4>
<P>
To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the
directions for generic Unix-based OS's, except for the
<CODE>/etc/services</CODE> updates described above.
<P>
Mac OS X and Mac OS X Server use a database called NetInfo to store
the contents of files normally found in <CODE>/etc</CODE>. Instead of
modifying <CODE>/etc/services</CODE>, you should run the following commands
to add the Kerberos service entries to NetInfo:
<PRE>
$ niutil -create . /services/kerberos
$ niutil -createprop . /services/kerberos name kerberos kdc
$ niutil -createprop . /services/kerberos port 750
$ niutil -createprop . /services/kerberos protocol tcp udp
$ niutil -create . /services/krbupdate
$ niutil -createprop . /services/krbupdate name krbupdate kreg
$ niutil -createprop . /services/krbupdate port 760
$ niutil -createprop . /services/krbupdate protocol tcp
$ niutil -create . /services/kpasswd
$ niutil -createprop . /services/kpasswd name kpasswd kpwd
$ niutil -createprop . /services/kpasswd port 761
$ niutil -createprop . /services/kpasswd protocol tcp
$ niutil -create . /services/klogin
$ niutil -createprop . /services/klogin port 543
$ niutil -createprop . /services/klogin protocol tcp
$ niutil -create . /services/eklogin
$ niutil -createprop . /services/eklogin port 2105
$ niutil -createprop . /services/eklogin protocol tcp
$ niutil -create . /services/kshell
$ niutil -createprop . /services/kshell name kshell krcmd
$ niutil -createprop . /services/kshell port 544
$ niutil -createprop . /services/kshell protocol tcp
</PRE>
<P>
In addition to adding services to NetInfo, you must also modify the
resolver configuration in NetInfo so that the machine resolves its own
hostname as a FQDN (fully qualified domain name). By default, Mac OS X
and Mac OS X Server machines query NetInfo to resolve hostnames before
falling back to DNS. Because NetInfo has an unqualified name for all
the machines in the NetInfo database, the machine's own hostname will
resolve to an unqualified name. Kerberos needs a FQDN to look up keys
in the machine's keytab file.
<P>
Fortunately, you can change the <CODE>lookupd</CODE> caching order to query
DNS first. Run the following NetInfo commands and reboot the machine:
<PRE>
$ niutil -create . /locations/lookupd/hosts
$ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
NIAgent NILAgent
</PRE>
<P>
Once you have rebooted, you can verify that the resolver now behaves
correctly. Compile the Kerberos 5 distribution and run:
<PRE>
$ cd .../src/tests/resolve
$ ./resolve
</PRE>
<P>
This will tell you whether or not your machine returns FQDNs on name
lookups. If the test still fails, you can also try turning off DNS
caching. Run the following commands and reboot:
<PRE>
$ niutil -create . /locations/lookupd/hosts
$ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent
CacheAgent NIAgent NILAgent
</PRE>
<P>
The remainder of the setup of a Mac OS X client machine or application
server should be the same as for other UNIX-based systems.
<H2><A NAME="SEC63" HREF="install_toc.html#TOC63">UNIX Application Servers</A></H2>
<P>
An application server is a host that provides one or more services over
the network. Application servers can be "secure" or "insecure." A
"secure" host is set up to require authentication from every client
connecting to it. An "insecure" host will still provide Kerberos
authentication, but will also allow unauthenticated clients to connect.
<P>
If you have Kerberos V5 installed on all of your client machines,
MIT recommends that you make your hosts secure, to take
advantage of the security that Kerberos authentication affords.
However, if you have some clients that do not have Kerberos V5
installed, you can run an insecure server, and still take advantage of
Kerberos V5's single sign-on on capability.
<H3><A NAME="SEC64" HREF="install_toc.html#TOC64">Server Programs</A></H3>
<P>
Just as Kerberos V5 provided its own Kerberos-enhanced versions of
client UNIX network programs, Kerberos V5 also provides
Kerberos-enhanced versions of server UNIX network daemons. These are
<CODE>ftpd</CODE>, <CODE>klogind</CODE>, <CODE>kshd</CODE>, and <CODE>telnetd</CODE>.
These programs are installed in the directory
<CODE>/usr/local/sbin</CODE>. You may want to add this directory to
root's path.
<H3><A NAME="SEC65" HREF="install_toc.html#TOC65">Server Configuration Files</A></H3>
<P>
For a <EM>secure</EM> server, make the following changes to
<CODE>/etc/inetd.conf</CODE>:
<P>
Find and comment out any lines for the services <CODE>ftp</CODE>,
<CODE>telnet</CODE>, <CODE>shell</CODE>, <CODE>login</CODE>, and <CODE>exec</CODE>.
<P>
Add the following lines. (Note: each line beginning with => is
a continuation of the previous line.)
<PRE>
klogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
kshell stream tcp nowait root /usr/local/sbin/kshd
=> kshd -k -c -A
ftp stream tcp nowait root /usr/local/sbin/ftpd
=> ftpd -a
telnet stream tcp nowait root /usr/local/sbin/telnetd
=> telnetd -a valid
</PRE>
<P>
For an <EM>insecure</EM> server, make the following changes instead to
<CODE>/etc/inetd.conf</CODE>:
<P>
Find and comment out any lines for the services <CODE>ftp</CODE> and
<CODE>telnet</CODE>.
<P>
Add the following lines. (Note: each line beginning with => is
a continuation of the previous line.)
<PRE>
klogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
kshell stream tcp nowait root /usr/local/sbin/kshd
=> kshd -k -c -A
ftp stream tcp nowait root /usr/local/sbin/ftpd
=> ftpd
telnet stream tcp nowait root /usr/local/sbin/telnetd
=> telnetd -a none
</PRE>
<H3><A NAME="SEC66" HREF="install_toc.html#TOC66">The Keytab File</A></H3>
<P>
All Kerberos server machines need a <EM>keytab</EM> file, called
<CODE>/etc/krb5.keytab</CODE>, to authenticate to the KDC. The keytab file is
an encrypted, local, on-disk copy of the host's key. The keytab file,
like the stash file (section <A HREF="install.html#SEC42">Create the Database</A>) is a potential
point-of-entry for a break-in, and if compromised, would allow
unrestricted access to its host. The keytab file should be readable
only by root, and should exist only on the machine's local disk. The
file should not be part of any backup of the machine, unless access to
the backup data is secured as tightly as access to the machine's root
password itself.
<P>
In order to generate a keytab for a host, the host must have a principal
in the Kerberos database. The procedure for adding hosts to the
database is described fully in the "Adding or Modifying Principals"
section of the <CITE>Kerberos V5 System Administrator's Guide</CITE>.
See section <A HREF="install.html#SEC48">Create Host Keys for the Slave KDCs</A> for a brief description.)
The keytab is generated by running <CODE>kadmin</CODE> and issuing the
<CODE>ktadd</CODE> command.
<P>
For example, to generate a keytab file to allow the host
trillium.mit.edu to authenticate for the services
<CODE>host</CODE>, <CODE>ftp</CODE>, and <CODE>pop</CODE>, the administrator
<CODE>joeadmin</CODE> would issue the command (on
trillium.mit.edu):
<PRE>
<B>trillium%</B> /usr/local/sbin/kadmin
<B>kadmin5:</B> ktadd host/trillium.mit.edu ftp/trillium.mit.edu
=> pop/trillium.mit.edu
<B>kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin5:</B> quit
<B>trillium%</B>
</PRE>
<P>
If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (<CODE>trillium</CODE>, in the
above example) without sending it unencrypted over the network. If you
have installed the Kerberos V5 client programs, you can use
encrypted <CODE>rcp</CODE>.
<H3><A NAME="SEC67" HREF="install_toc.html#TOC67">Some Advice about Secure Hosts</A></H3>
<P>
Kerberos V5 can protect your host from certain types of break-ins,
but it is possible to install Kerberos V5 and still leave your host
vulnerable to attack. Obviously an installation guide is not the place
to try to include an exhaustive list of countermeasures for every
possible attack, but it is worth noting some of the larger holes and how
to close them.
<P>
As stated earlier in this section, MIT recommends that on a
secure host, you disable the standard <CODE>ftp</CODE>, <CODE>login</CODE>,
<CODE>telnet</CODE>, <CODE>shell</CODE>, and <CODE>exec</CODE> services in
<CODE>/etc/inetd.conf</CODE>. We also recommend that secure hosts have an empty
<CODE>/etc/hosts.equiv</CODE> file and that there not be a <CODE>.rhosts</CODE> file
in <CODE>root</CODE>'s home directory. You can grant Kerberos-authenticated
root access to specific Kerberos principals by placing those principals
in the file <CODE>.k5login</CODE> in root's home directory.
<P>
We recommend that backups of secure machines exclude the keytab file
(<CODE>/etc/krb5.keytab</CODE>). If this is not possible, the backups should
at least be done locally, rather than over a network, and the backup
tapes should be physically secured.
<P>
Finally, the keytab file and any programs run by root, including the
Kerberos V5 binaries, should be kept on local disk. The keytab file
should be readable only by root.
<H1><A NAME="SEC68" HREF="install_toc.html#TOC68">Upgrading Existing Kerberos V5 Installations</A></H1>
<P>
If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
current release with the <CODE>kdb5_util</CODE> command. It is only necessary
to perform this dump/undump procedure if you were running a krb5-1.0.x
KDC and are migrating to a krb5-1.1.x or newer KDC. The process for
upgrading a Master KDC involves the following steps:
<OL>
<LI>Stop your current KDC and administration
server processes, if any.
<LI>Dump your existing Kerberos database to an ASCII file with
<CODE>kdb5_util</CODE>'s "dump" command:
<PRE>
<B>shell%</B> cd /usr/local/var/krb5kdc
<B>shell%</B> kdb5_util dump old-kdb-dump
<B>shell%</B> kdb5_util dump -ov old-kdb-dump.ov
<B>shell%</B>
</PRE>
<LI>Create a new Master KDC installation (See section <A HREF="install.html#SEC40">Install the Master KDC</A>). If you have a stash file for your current database, choose any
new master password but then copy your existing stash file to the
location specified by your kdc.conf; if you do not have a stash file for
your current database, you must choose the same master password.
<LI>Load your old Kerberos database into the new system with
<CODE>kdb5_util</CODE>'s "load" command:
<PRE>
<B>shell%</B> cd /usr/local/var/krb5kdc
<B>shell%</B> kdb5_util load old-kdb-dump
<B>shell%</B> kdb5_util load -update old-kdb-dump.ov
<B>shell%</B>
</PRE>
</OL>
<P>
The "dump -ov" and "load -update" commands are necessary in order to
preserve per-principal policy information, since the dump format in
releases prior to 1.2.2 filters out that information. If you omit those
steps, the loaded database database will lose the policy information for
each principal that has a policy.
<P>
To update a Slave KDC, you must stop the old server processes on the
Slave KDC, install the new server binaries, reload the most recent slave
dump file, and re-start the server processes.
<H2><A NAME="SEC69" HREF="install_toc.html#TOC69">Upgrading to Triple-DES Encryption Keys</A></H2>
<P>
Beginning with the 1.2 release from MIT, Kerberos includes a stronger
encryption algorithm called "triple DES" -- essentially, three
applications of the basic DES encryption algorithm, greatly increasing
the resistance to a brute-force search for the key by an attacker. This
algorithm is more secure, but encryption is much slower. We expect to
add other, faster encryption algorithms at some point in the future.
<P>
Release 1.1 had some support for triple-DES service keys, but with
release 1.2 we have added support for user keys and session keys as
well. Release 1.0 had very little support for multiple cryptosystems,
and some of that software may not function properly in an environment
using triple-DES as well as plain DES.
<P>
Because of the way the MIT Kerberos database is structured, the KDC will
assume that a service supports only those encryption types for which
keys are found in the database. Thus, if a service has only a
single-DES key in the database, the KDC will not issue tickets for that
service that use triple-DES session keys; it will instead issue only
single-DES session keys, even if other services are already capable of
using triple-DES. So if you make sure your application server software
is updated before adding a triple-DES key for the service, clients
should be able to talk to services at all times during the updating
process.
<P>
Normally, the listed <CODE>supported_enctypes</CODE> in <CODE>kdc.conf</CODE> are
all used when a new key is generated. You can control this with
command-line flags to <CODE>kadmin</CODE> and <CODE>kadmin.local</CODE>. You may
want to exclude triple-DES by default until you have updated a lot of
your application servers, and then change the default to include
triple-DES. We recommend that you always include <CODE>des-cbc-crc</CODE> in
the default list.
<H1><A NAME="SEC70" HREF="install_toc.html#TOC70">Bug Reports for Kerberos V5</A></H1>
<P>
In any complex software, there will be bugs. If you have successfully
built and installed Kerberos V5, please use the
<CODE>krb5-send-pr</CODE> program to fill out a Problem Report.
<P>
Bug reports that include proposed fixes are especially welcome. If you
do include fixes, please send them using either context diffs or unified
diffs (using <SAMP>`diff -c'</SAMP> or <SAMP>`diff -u'</SAMP>, respectively). Please be
careful when using "cut and paste" or other such means to copy a patch
into a bug report; depending on the system being used, that can result
in converting TAB characters into spaces, which makes applying the
patches more difficult.
<P>
The <CODE>krb5-send-pr</CODE> program is installed in the directory
<CODE>/usr/local/sbin</CODE>.
<P>
The <CODE>krb5-send-pr</CODE> program enters the problem report into our
Problem Report Management System (PRMS), which automatically assigns it
to the engineer best able to help you with problems in the assigned
category.
<P>
The <CODE>krb5-send-pr</CODE> program will try to intelligently fill in as
many fields as it can. You need to choose the <EM>category</EM>,
<EM>class</EM>, <EM>severity</EM>, and <EM>priority</EM> of the problem, as well
as giving us as much information as you can about its exact nature.
<P>
The PR <B>category</B> will be one of:
<PRE>
krb5-admin krb5-appl krb5-build krb5-clients
krb5-doc krb5-kdc krb5-libs krb5-misc
pty telnet test
</PRE>
<P>
Choose the category that best describes the area under which your
problem falls.
<P>
The <B>class</B> can be <EM>sw-bug</EM>, <EM>doc-bug</EM>, <EM>change-request</EM>,
or <EM>support</EM>. The first two are exactly as their names imply. Use
<I>change-request</I> when the software is behaving according to
specifications, but you want to request changes in some feature or
behavior. The <I>support</I> class is intended for more general questions
about building or using Kerberos V5.
<P>
The <B>severity</B> of the problem indicates the problem's impact on the
usability of Kerberos V5. If a problem is <EM>critical</EM>, that
means the product, component or concept is completely non-operational,
or some essential functionality is missing, and no workaround is known.
A <EM>serious</EM> problem is one in which the product, component or
concept is not working properly or significant functionality is missing.
Problems that would otherwise be considered <I>critical</I> are rated
<I>serious</I> when a workaround is known. A <EM>non-critical</EM> problem is
one that is indeed a problem, but one that is having a minimal effect on
your ability to use Kerberos V5. <I>E.g.</I>, The product, component
or concept is working in general, but lacks features, has irritating
behavior, does something wrong, or doesn't match its documentation. The
default severity is <I>serious</I>.
<P>
The <B>priority</B> indicates how urgent this particular problem is in
relation to your work. Note that low priority does not imply low
importance.
A priority of <EM>high</EM> means a solution is needed as soon as possible.
A priority of <EM>medium</EM> means the problem should be solved no later
than the next release. A priority of <EM>low</EM> means the problem should
be solved in a future release, but it is not important to your work how
soon this happens. The default priority is <I>medium</I>.
<P>
Note that a given severity does not necessarily imply a given priority.
For example, a non-critical problem might still have a high priority if
you are faced with a hard deadline. Conversely, a serious problem might
have a low priority if the feature it is disabling is one that you do
not need.
<P>
It is important that you fill in the <I>release</I> field and tell us
what changes you have made, if any.
<P>
Bug reports that include proposed fixes are especially welcome. If you
include proposed fixes, please send them using either context diffs
(<SAMP>`diff -c'</SAMP>) or unified diffs (<SAMP>`diff -u'</SAMP>).
<P>
@vfill
<P>
A sample filled-out form from a company named "Toasters, Inc." might
look like this:
<PRE>
To: krb5-bugs@mit.edu
Subject: misspelled "Kerberos" in title of installation guide
From: jcb
Reply-To: jcb
Cc:
X-send-pr-version: 3.99
>Submitter-Id: mit
>Originator: Jeffrey C. Gilman Bigler
>Organization:
mit
>Confidential: no
>Synopsis: Misspelled "Kerberos" in title of installation guide
>Severity: non-critical
>Priority: low
>Category: krb5-doc
>Class: doc-bug
>Release: 1.0-development
>Environment:
<machine, os, target, libraries (multiple lines)>
System: ULTRIX imbrium 4.2 0 RISC
Machine: mips
>Description:
Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"
>How-To-Repeat:
N/A
>Fix:
Correct the spelling.
</PRE>
<P>
@vfill
<P>
If the <CODE>krb5-send-pr</CODE> program does not work for you, or if you did
not get far enough in the process to have an installed and working
<CODE>krb5-send-pr</CODE>, you can generate your own form, using the above as
an example.
<H1><A NAME="SEC71" HREF="install_toc.html#TOC71">Files</A></H1>
<H2><A NAME="SEC72" HREF="install_toc.html#TOC72">krb5.conf</A></H2>
<P>
Here is an example <CODE>krb5.conf</CODE> file:
<PRE>
[libdefaults]
ticket_lifetime = 600
default_realm = ATHENA.MIT.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu:749
default_domain = mit.edu
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
</PRE>
<P>
For the KDCs, add a section onto the end of the <CODE>krb5.conf</CODE> file
telling how logging information should be stored, as in the following
example:
<PRE>
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
</PRE>
<P>
@vfill
<H2><A NAME="SEC73" HREF="install_toc.html#TOC73">kdc.conf</A></H2>
<P>
Here's an example of a kdc.conf file:
<PRE>
[kdcdefaults]
kdc_ports = 88,750
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/local/var/krb5kdc/kadm5.dict
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
}
</PRE>
<P>
To add Kerberos V4 support, add <CODE>des-cbc-crc:v4</CODE> to the
<CODE>supported_enctypes</CODE> line.
<H3><A NAME="SEC74" HREF="install_toc.html#TOC74">Encryption Types and Salt Types</A></H3>
<P>
Currently, Kerberos V5 supports only DES and triple-DES encryption.
The encoding types include
<CODE>des-cbc-crc</CODE> and <CODE>des3-cbc-sha1</CODE>. The <EM>salt</EM> is
additional information encoded within the key that tells what kind of
key it is. The only salts that you will be likely to encounter are:
<UL>
<LI><EM>normal</EM>, which MIT recommends using for all of
your Kerberos V5 keys
<LI><EM>v4</EM>, which is necessary only for compatibility with a v4 KDC
or a v4 version of <CODE>kinit</CODE>, and then only with <CODE>des-cbc-crc</CODE>
encryption
<LI><EM>afs</EM>, which you will never need to generate, and which you will
encounter only if you dump an AFS database into a Kerberos database
</UL>
<P>
Support for additional encryption types is planned in the future.
<P><HR><P>
This document was generated on 28 February 2001 using
<A HREF="http://wwwinfo.cern.ch/dis/texi2html/">texi2html</A> 1.56k.
</BODY>
</HTML>
