Kerberos support on AIX is provided by IBM Network Authentication Service (IBM NAS) for AIX, available on the AIX Expansion Pack CD or from the IBM AIX Web Download Pack Programs (see Resources). IBM NAS for AIX is used for developing secure Kerberized applications, solutions, and systems. Many AIX components and utilities, such as NFS V4, telnet, ssh, rlogin, integrated login, and more, are made more secure when using IBM NAS, which makes it one of the essential security components of the operating system.
IBM NAS for AIX recently released an update, Version 1.4.0.8, which incorporates features that benefit administrators and practitioners. This article describes each of the major features and enhancements associated with the new release to help you better understand, appreciate, and plan for the upgrade of the AIX systems secured by Kerberos using IBM NAS.
Support for the TCP-IP protocol for KDC on AIX
For reliable network services, many administrators prefer to deploy the TCP protocol in their infrastructure. From IBM NAS 1.4.0.8 onwards, the KDC (Key Distribution Center) available on AIX has been extended to support TCP. Administrators can now have their client machines (on Windows®, Linux®, AIX, and more) initiate authentication requests and exchange Kerberos tokens with the AIX KDC over TCP. Since the AIX KDC now supports both communication protocols, UDP and TCP, the upgrade to IBM NAS 1.4.0.8 or later enhances the availability of the service and is therefore one good reason to ride up the grade.
To enable IBM NAS Version 1.4.0.8 (or later) KDC on AIX over TCP, the administrator needs to execute the following two simple tasks:
- Edit the kdc.conf file present on the AIX system running the IBM NAS server and add the following under the [kdcdefaults] section (assuming that you want to run it over port 88):
kdc_tcp_ports = 88
- Restart the IBM NAS server:
stop.krb5;start.krb5
It is advisable to execute this change during announced system downtime, unless you have the replica server running to take care of the unavailability of the server being upgraded.
Granular control over the Kerberos authentication ticket lifetime
In real-world scenarios involving Kerberized applications, it's pragmatic to expect administrators to require machine-based granular control over the Kerberos ticket lifetime. For example, a Kerberized AIX NFS V4 administrator may require that end users receive credentials with a very limited lifetime when accessing the AIX NFS V4 space from one set of machines, but credentials with a more flexible lifetime when accessing the AIX NFS V4 space from another set of machines (since the two sets may have been classified as different server types).
To assist such requirements, IBM NAS 1.4.0.8 has incorporated a new relation, ticket_lifetime, which is a part of the IBM NAS client configuration file, under the [libdefaults] section in /etc/krb5/krb5.conf. This relation takes time as its value and has to be specified in the /etc/krb5/krb5.conf file of the AIX client machine over which the administrator wants to have the ticket lifetime control. It helps administrators restrict the Kerberos ticket lifetime issued to any user from that particular client AIX machine.
# cat /etc/krb5/krb5.conf
...
[libdefaults]
ticket_lifetime = 4h5m
...
When this is set on an AIX client machine, it ensures that all the Kerberos tickets obtained from that machine have a lifetime of four hours and five minutes. Figure 1 demonstrates a similar scenario in which the Kerberos principal Sandeep@Realm, when authenticated using Machine A, acquires tickets valid for four hours and five minutes, while the same user, when authenticated using Machine B, acquires tickets valid for 24 hours. This is just one of the many possible manifestations. Thus, the provision for granular control and enhanced manageability of Kerberos credentials on AIX is another reason for riding up the grade.
Figure 1. Demonstration of ticket_lifetime relation available with IBM NAS Version 1.4.0.8 for AIX and later
Post run scripts for credential-based commands
IBM NAS 1.4.0.8 includes a new feature that allows administrators to notify other dependent Kerberized applications when IBM NAS credential-based commands, such as the kinit and kdestroy utilities, complete successfully. At first glance, administrators or developers may not appreciate its applicability. But, with this feature, administrators and Kerberos application developers can effectively synchronize the Kerberos credential state governed by the commands with the state saved in the Kerberos application buffers. A detailed explanation of this feature and its usage can be found on the AIX developerWorks Blog (refer to the February 20, 2009 blog entry).
Securing LDAP bind password in the IBM NAS-LDAP setup
IBM Network Authentication Service servers for AIX support the LDAP directory plug-in, which can be used to store the authentication information inside LDAP. This is a preferred method if customers are migrating Kerberos from legacy systems such as IBM DCE (Distributed Computing Environment) to IBM NAS, or if they prefer all authentication information to be centrally located in LDAP. Details on the IBM NAS configuration with LDAP can be found in the developerWorks article titled "Configure IBM Network Authentication Service master KDC with an LDAP back-end server on AIX" (see Resources). In such setups, the /var/krb5/krb5kdc/.kdc_ldap_data file contains the information that the IBM NAS servers on AIX use to interact with the LDAP servers, including the LDAP bind password. Prior to the IBM NAS 1.4.0.8 release, the bind password was stored in a readable format. Although this file is protected by an ACL (Access Control List) that allows root-only access, that may not be enough for highly secure systems. Hence, administrators need a provision to encrypt the LDAP bind password so that it is secure at rest while still being interpretable by the NAS server daemons.
Because of these needs, IBM NAS 1.4.0.8 extended support for encrypted LDAP bind passwords, and the ksetup command has been enhanced with the -c flag (where c stands for "cipher"), which allows administrators to encrypt the bind password and place the cipher text in the .kdc_ldap_data configuration file. This helps prevent writing clear-text passwords and at the same time allows the trusted NAS servers to access the password for communication with LDAP for authentication data.
The usage statement for ksetup is:
ksetup -c (string_to_encrypt)
# ksetup -c "Password of Ldap Bind"
A detailed explanation of usage of the command with examples is given in the IBM NAS 1.4.0.8 Readme document, which is available with the IBM AIX Web Download Pack Programs (see Resources). So, if your AIX Kerberos infrastructure has an LDAP plug-in and stores the bind password in clear-text format, then it is time to secure it by riding up the grade.
Circular logging for IBM Network Authentication Service daemons
Administrators never want critical partitions of their servers to run out of space, especially if it is in their control. There are numerous log and audit files that keep growing in size, and they need to be managed so that they don't eat up the critical space on the servers. IBM NAS servers also have their own log and audit files (for information on IBM NAS log and audit files, see the IBM developerWorks article "IBM Network Authentication Service: Server-side logging and auditing" in Resources). With the release of IBM NAS 1.4.0.8, administrators are equipped with provisions that allow them to better manage these log files: not only to prevent them from outgrowing the available space, but at the same time to plan for their necessary backup.
IBM NAS 1.4.0.8 and later introduce new relations in the /etc/krb5/krb5.conf file that enable circular logging of the server log file, which lives in the /var/krb5/log folder by default. The new relations, "max_log_size" and "keep_old_logs", go under the "[logging]" section of the /etc/krb5/krb5.conf file on the IBM NAS AIX server machine. "max_log_size" takes the maximum file size, in MB, that the log is allowed to grow to, while "keep_old_logs" takes the number of old log/audit files the administrator prefers to retain before they are purged (giving the administrator the flexibility to back up the old files to a different persistent backup storage).
For example:
# cat /etc/krb5/krb5.conf
...
[logging]
max_log_size = 10
keep_old_logs = 5
...
This example, when set on an IBM NAS AIX server machine, limits the size of the server's log file to 10MB and retains a maximum of five old log files before the oldest is cycled out. More details on this feature, such as the default values for the relations, can be found in the IBM NAS 1.4.0.8 Readme, available with the IBM AIX Web Download Pack Programs (see Resources).
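Because kdc.conf and krb5.conf share the same "[section] / relation = value" syntax, one small parser can audit all three of the relations this article introduces: kdc_tcp_ports, ticket_lifetime (with its "4h5m"-style values), and the max_log_size/keep_old_logs pair. The following Python is an added example, not IBM NAS code; the sample files and the 10-hour lifetime ceiling are constructed for illustration.

```python
import re

# Constructed sample files (not from the article) carrying the relations that
# IBM NAS 1.4.0.8 introduced; krb5.conf and kdc.conf share the same syntax.
SAMPLE_KRB5_CONF = """[libdefaults]
    ticket_lifetime = 4h5m
[logging]
    max_log_size = 10
    keep_old_logs = 5
"""
SAMPLE_KDC_CONF = "[kdcdefaults]\n    kdc_tcp_ports = 88\n"

def parse_krb5_conf(text):
    """Return {section: {relation: value}} for krb5.conf-style text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf

def duration_seconds(spec):
    """Convert a Kerberos lifetime such as '4h5m' or '24h' to seconds."""
    unit = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([dhms])", spec.strip().lower())
    if "".join(n + u for n, u in parts) != spec.strip().lower():
        raise ValueError("unrecognized lifetime: %r" % spec)
    return sum(int(n) * unit[u] for n, u in parts)

def audit(krb5_text, kdc_text, max_lifetime="10h"):
    """Return findings for the three 1.4.0.8 settings; [] means all pass."""
    krb5, kdc = parse_krb5_conf(krb5_text), parse_krb5_conf(kdc_text)
    findings = []
    lifetime = krb5.get("libdefaults", {}).get("ticket_lifetime")
    if lifetime is None:
        findings.append("libdefaults: ticket_lifetime unset, KDC default applies")
    elif duration_seconds(lifetime) > duration_seconds(max_lifetime):
        findings.append("libdefaults: ticket_lifetime %s exceeds %s" % (lifetime, max_lifetime))
    for rel in ("max_log_size", "keep_old_logs"):
        if not krb5.get("logging", {}).get(rel, "").isdigit():
            findings.append("logging: %s unset, log file can grow unbounded" % rel)
    if "kdc_tcp_ports" not in kdc.get("kdcdefaults", {}):
        findings.append("kdcdefaults: kdc_tcp_ports unset, KDC answers UDP only")
    return findings
```

Running audit() against the real /etc/krb5/krb5.conf of each client and the server's kdc.conf gives a quick post-upgrade check that the new relations actually took effect.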
This article discussed the major features released with IBM NAS 1.4.0.8 version for AIX and its possible applicability to existing solutions based on AIX and its Kerberos offering. It highlighted the provisions that will help AIX administrators appreciate the need to not only upgrade but ride up the grade with IBM NAS 1.4.0.8 version or later.
Learn
- Configuring AIX 5L for Kerberos Based Authentication Using IBM Network Authentication Service: Read this white paper to learn about using Kerberos as an alternative authentication mechanism to AIX.
- Configure IBM Network Authentication Service master KDC with an LDAP back-end server on AIX: Read this article to learn about IBM Network Authentication Service LDAP plugin support for AIX.
- Auditing and serviceability management in IBM Network Authentication Service for AIX (developerWorks, Jan 2009): Discover what the 'Enhanced password strength' feature in IBM Network Authentication Service for AIX is and how to make use of it in your Kerberos environment.
- A Kerberos Primer (developerWorks, Nov 2001): This article introduces Kerberos technology and Distributed Computing Environment-based applications.
- Resources on the IBM Network Authentication Service and related technologies for AIX (developerWorks, Dec 2008): Points to all essential resources on IBM Kerberos for AIX.
- AIX and UNIX: Want more? The developerWorks AIX and UNIX zone hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials.
- developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.
Get products and technologies
- IBM Network Authentication Service for AIX: Download the IBM Network Authentication Service for AIX from IBM AIX Web Download Pack Programs.
- IBM Network Authentication Service for Linux, Solaris: Download the IBM Network Authentication Service for Linux, Solaris from here.
- IBM GUI-based Administration Tool for Network Authentication Service: Experience the GUI to perform the IBM NAS related administration tasks. Download from IBM alphaWorks today.
- AIX 5L Expansion Pack and Web Download Pack: Start downloading now.
Discuss
- Participate in the AIX and UNIX forums:
  - AIX Forum
  - AIX Forum for developers
  - Cluster Systems Management
  - IBM Support Assistant Forum
  - Performance Tools Forum
  - Virtualization Forum
  - More AIX and UNIX Forums

Sandeep Ramesh Patil is an Advisory Software Engineer at the IBM India Software Labs. He has worked for IBM for the past seven years, focusing on distributed technology including DCE, SARPC, and security products such as the IBM Network Authentication Service (IBM Kerberos). He is currently developing new features and implementing security-related RFCs for the IBM Network Authentication Service, along with its product support. Sandeep holds a BE degree in computer science and engineering from the University of Pune, India. You can contact him at sandeep.patil@in.ibm.com.