You can use Kerberos to verify the identities of users and principals over networks. Two types of tickets are used in this process: a ticket granting ticket and a service ticket. A ticket granting ticket authenticates you so that you can request service tickets; a service ticket is what you present to a server to access an actual service. The Key Distribution Center (KDC) is the trusted third party that issues both kinds of ticket.
The tickets are encrypted so that only principals with valid private keys, or the KDC with the entire Kerberos database of principal names, their private keys, and their expiration, can decrypt them.
There are three encryption types available to use with the Kerberos Version 5 KDC:
- Data Encryption Standard (DES)
- Triple DES
- Advanced Encryption Standard (AES)
AES is now the most advanced and recommended encryption type for secure communication, so this article concentrates on setting up the KDC to use AES.
To follow along with the examples in this article, you need AIX® 5.3H® (or higher) machines configured with IBM Network Authentication Services (NAS) Version 1.4 (or higher) file sets.
First, verify the installation of IBM NAS file sets (see Listing 1).
Listing 1. Verification of IBM NAS file sets
# lslpp -l |grep krb5
  krb5.client.rte            1.4.0.4  COMMITTED  Network Authentication Service
  krb5.client.samples        1.4.0.4  COMMITTED  Network Authentication Service
  krb5.lic                   1.4.0.4  COMMITTED  Network Authentication Service
  krb5.msg.en_US.client.rte  1.4.0.4  COMMITTED  Network Auth Service Client
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
  krb5.toolkit.adt           1.4.0.4  COMMITTED  Network Authentication Service
  krb5.client.rte            1.4.0.4  COMMITTED  Network Authentication Service
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
The next step is the Kerberos server setup. The important parameters here are the realm name (-r), the domain name (-d), and the fully qualified host name of the Kerberos administration server (-s; on the system shown, the command reports that -s is not supported and uses the local host) (see Listing 2).
Listing 2. Kerberos server setup
# mkkrb5srv -r REALM1.IBM.COM -d in.ibm.com -s adfsaix5.in.ibm.com
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
krb5.server.rte 1.4.0.4 COMMITTED Network Authentication Service
Server
Path: /etc/objrepos
krb5.server.rte 1.4.0.4 COMMITTED Network Authentication Service
Server
The -s option is not supported.
The administration server will be the local host.
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
Creating /var/krb5/krb5kdc/kdc.conf...
Creating database files...
Initializing database '/var/krb5/krb5kdc/principal' for realm 'REALM1.IBM.COM'
master key name 'K/M@REALM1.IBM.COM'
You are prompted for the database Master Password.
It is important that you DO NOT FORGET this password.
Enter database Master Password:
Re-enter database Master Password to verify:
WARNING: no policy specified for admin/admin@REALM1.IBM.COM;
defaulting to no policy. Note that policy may be overridden by
ACL restrictions.
Enter password for principal "admin/admin@REALM1.IBM.COM":
Re-enter password for principal "admin/admin@REALM1.IBM.COM":
Principal "admin/admin@REALM1.IBM.COM" created.
Creating keytable...
Creating /var/krb5/krb5kdc/kadm5.acl...
Starting krb5kdc...
krb5kdc was started successfully.
Starting kadmind...
kadmind was started successfully.
The command completed successfully.
Restarting kadmind and krb5kdc
While running this command, the system asks for the master database password and for a password for the administrative principal, admin/admin. Record the principal name and the chosen passwords in a secure place, as they are essential for your NAS environment.
The mkkrb5srv command configures the Kerberos server: it creates the kadm5.acl, krb5.conf, and kdc.conf files, creates the Kerberos database, adds the administrator principal to the database, and updates the /etc/inittab file with the Kerberos daemons. This command performs the initial configuration once the variables are set.
The following two lines are also added automatically to the /etc/inittab file so that the KDC daemons start after a system reboot (see Listing 3).
Listing 3. Starting the KDC server
# lsitab krb5kdc
krb5kdc:2:once:/usr/krb5/sbin/krb5kdc
# lsitab kadm
kadm:2:once:/usr/krb5/sbin/kadmind
For more detailed information, refer to the mkkrb5srv man page.
To do a basic verification of the KDC server, see Listing 4.
Listing 4. Verifying the KDC server
# ps -ef |grep krb |grep -v grep
    root 299160      1   0 18:20:51      -  0:00 /usr/krb5/sbin/krb5kdc
    root 315554      1   0 18:20:51      -  0:00 /usr/krb5/sbin/kadmind
#
# kinit admin/admin
Password for admin/admin@REALM1.IBM.COM:
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:35:14  02/23/07 04:35:14  krbtgt/REAM1.IBM.COM@REAM1.IBM.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, \
        Triple DES cbc mode with HMAC/sha1
The krb5.conf file is created with default values. Of these, the ones of interest are the default_tkt_enctypes and default_tgs_enctypes parameters. default_tkt_enctypes lists, in order of preference, the encryption types (each carrying its own checksum type) that the client accepts for encrypting and integrity-protecting the ticket it obtains with its initial request; the first entry is the default, des3-cbc-sha1. default_tgs_enctypes is the corresponding list for tickets requested through the ticket-granting service. Again, the default encryption type here is des3-cbc-sha1.
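The following POSIX shell script is an added example, not code from the article or from IBM NAS. It reads the [libdefaults] section of a krb5.conf, reports the first (default) entry of each enctype list, and can rewrite both lists so that aes256-cts leads them, which is exactly the edit the next steps make by hand. The sample file it writes is constructed from Listing 5; the function names and the --fix flag are my own, and the parser assumes the "key = value" layout with spaces around "=" that the listings show.

```shell
#!/bin/sh
# Added example (not from the article): check and fix the enctype preference
# lists in a krb5.conf [libdefaults] section. Needs only POSIX sh and awk.

# Write a constructed krb5.conf modelled on Listing 5 (before editing) to $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
[libdefaults]
        default_realm = REALM1.IBM.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
        REALM1.IBM.COM = {
                kdc = adfsaix5.in.ibm.com:88
                admin_server = adfsaix5.in.ibm.com:749
                default_domain = in.ibm.com
        }
EOF
}

# Print the first enctype listed for parameter $2 in file $1 (nothing if the
# parameter is absent). Only the [libdefaults] section is consulted.
first_enctype() {
  awk -v key="$2" '
    /^[[:space:]]*\[/ { insect = ($0 ~ /\[libdefaults\]/) }
    insect && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# Rewrite $1 in place so that aes256-cts is the first entry of both
# default_tkt_enctypes and default_tgs_enctypes; the remaining entries keep
# their order and aes256-cts is not duplicated if it was already present.
promote_aes() {
  tmp="$1.tmp.$$"
  awk '
    /^[[:space:]]*\[/ { insect = ($0 ~ /\[libdefaults\]/) }
    insect && ($1 == "default_tkt_enctypes" || $1 == "default_tgs_enctypes") && $2 == "=" {
      match($0, /^[[:space:]]*/)
      line = substr($0, 1, RLENGTH) $1 " = aes256-cts"
      for (i = 3; i <= NF; i++) if ($i != "aes256-cts") line = line " " $i
      print line
      next
    }
    { print }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Succeed only if both lists in file $1 start with aes256-cts.
check_aes_first() {
  [ "$(first_enctype "$1" default_tkt_enctypes)" = aes256-cts ] &&
  [ "$(first_enctype "$1" default_tgs_enctypes)" = aes256-cts ]
}

# Usage: sh aes_first.sh /etc/krb5/krb5.conf        (check only)
#        sh aes_first.sh /etc/krb5/krb5.conf --fix  (rewrite in place)
if [ $# -ge 1 ]; then
  if check_aes_first "$1"; then
    echo "$1: aes256-cts is already first in both lists"
  elif [ "${2:-}" = --fix ]; then
    promote_aes "$1" && echo "$1: rewritten, aes256-cts is now first"
  else
    echo "$1: aes256-cts is NOT first (tkt=$(first_enctype "$1" default_tkt_enctypes), tgs=$(first_enctype "$1" default_tgs_enctypes))"
    exit 1
  fi
fi
```

Run it in check mode from a periodic job to catch a krb5.conf that has drifted back to the des3-cbc-sha1 default; the non-zero exit makes it usable from a monitoring script.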
To make the Kerberos server use AES instead of the default value (des3-cbc-sha1), implement the following steps:
- Edit the /etc/krb5/krb5.conf file to make the AES encryption type (aes256-cts) the first entry in the default_tkt_enctypes and default_tgs_enctypes lists (see Listings 5 and 6).
Listing 5. Before editing
# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = REALM1.IBM.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
        REALM1.IBM.COM = {
                kdc = adfsaix5.in.ibm.com:88
                admin_server = adfsaix5.in.ibm.com:749
                default_domain = in.ibm.com
        }
[domain_realm]
        .in.ibm.com = REALM1.IBM.COM
        adfsaix5.in.ibm.com = REALM1.IBM.COM
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log
Listing 6. After editing
# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = REALM1.IBM.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
[realms]
        REALM1.IBM.COM = {
                kdc = adfsaix5.in.ibm.com:88
                admin_server = adfsaix5.in.ibm.com:749
                default_domain = in.ibm.com
        }
[domain_realm]
        .in.ibm.com = REALM1.IBM.COM
        adfsaix5.in.ibm.com = REALM1.IBM.COM
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log
- Delete the admin and ticket-granting principals that were already created with the default encryption type, using the kadmin.local interface on the KDC server (see Listing 7).
Listing 7. Deleting the principals created with the default encryption type
# kadmin.local
kadmin.local: listprincs
K/M@REALM1.IBM.COM
admin/admin@REALM1.IBM.COM
kadmin/admin@REALM1.IBM.COM
kadmin/changepw@REALM1.IBM.COM
kadmin/history@REALM1.IBM.COM
krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
kadmin.local: delprinc krbtgt/REALM1.IBM.COM
Are you sure you want to delete the principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM"? (yes/no): y
Principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local: delprinc admin/admin
Are you sure you want to delete the principal "admin/admin@REALM1.IBM.COM"? (yes/no): y
Principal "admin/admin@REALM1.IBM.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
- Create new admin and tgt principals with the aes256-cts encryption type, as shown in Listing 8.
Listing 8. Creating new principals
# kadmin.local
kadmin.local: listprincs
K/M@REALM1.IBM.COM
kadmin/admin@REALM1.IBM.COM
kadmin/changepw@REALM1.IBM.COM
kadmin/history@REALM1.IBM.COM
kadmin.local: ank -e aes256-cts:normal admin/admin
WARNING: no policy specified for admin/admin@REALM1.IBM.COM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Enter password for principal "admin/admin@REALM1.IBM.COM":
Re-enter password for principal "admin/admin@REALM1.IBM.COM":
Principal "admin/admin@REALM1.IBM.COM" created.
kadmin.local: ank -e aes256-cts:normal krbtgt/REALM1.IBM.COM
WARNING: no policy specified for krbtgt/REALM1.IBM.COM@REALM1.IBM.COM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Enter password for principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM":
Re-enter password for principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM":
Principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM" created.
kadmin.local: listprincs
K/M@REALM1.IBM.COM
admin/admin@REALM1.IBM.COM
kadmin/admin@REALM1.IBM.COM
kadmin/changepw@REALM1.IBM.COM
kadmin/history@REALM1.IBM.COM
krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
- Check that the admin and tgt principals have been created with aes256-cts as the encryption type, as shown in Listing 9.
Listing 9. Verifying the new principals
# kadmin.local
kadmin.local: listprincs
K/M@REALM1.IBM.COM
admin/admin@REALM1.IBM.COM
kadmin/admin@REALM1.IBM.COM
kadmin/changepw@REALM1.IBM.COM
kadmin/history@REALM1.IBM.COM
krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
kadmin.local: getprinc admin/admin
Principal: admin/admin@REALM1.IBM.COM
Expiration date: [never]
Last password change: Thu Feb 22 04:38:36 PAKST 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Feb 22 04:38:36 PAKST 2007 (admin/admin@REALM1.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local: getprinc krbtgt/REALM1.IBM.COM
Principal: krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
Expiration date: [never]
Last password change: Thu Feb 22 04:39:04 PAKST 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Feb 22 04:39:04 PAKST 2007 (admin/admin@REALM1.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
- Destroy the old credentials with the kdestroy command, as shown in Listing 10.
Listing 10. Destroy old credentials
# kdestroy
# klist
Unable to get cache name (ticket cache: /var/krb5/security/creds/krb5cc_0).
Status 0x96c73ac3 - No credentials cache found.
- Obtain new credentials to verify the change in encryption type, as shown in Listing 11.
Listing 11. Obtain new credentials
# kinit admin/admin
Password for admin/admin@REALM1.IBM.COM:
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:41:14  02/23/07 04:41:14  krbtgt/REAM1.IBM.COM@REAM1.IBM.COM
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC,
        AES-256 CTS mode with 96-bit SHA-1 HMAC
- Similarly, add new service and user principals as required with the aes256-cts encryption type. (You might need to add service and user principals to keytab files with the ktadd command.) An example of adding a user and a service principal is shown in Listing 12.
Listing 12. Adding a user and service principal
# kadmin.local
kadmin.local: listprincs
K/M@REAM1.IBM.COM
kadmin/admin@REAM1.IBM.COM
kadmin/changepw@REAM1.IBM.COM
kadmin/history@REAM1.IBM.COM
krbtgt/REAM1.IBM.COM@REAM1.IBM.COM
admin/admin@REAM1.IBM.COM
kadmin.local: ank -e aes256-cts:normal -randkey groupy
WARNING: no policy specified for groupy@REAM1.IBM.COM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Principal "groupy@REAM1.IBM.COM" created.
kadmin.local: ktadd -e aes256-cts:normal groupy
Entry for principal groupy with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Verify that the principal was added to the keytab file successfully by obtaining a ticket with it, as shown in Listing 13.
Listing 13. Verifying the user and service principal
# kinit -kt /etc/krb5/krb5.keytab groupy
# klist -e
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: groupy@REAM1.IBM.COM
Valid starting Expires Service principal
02/22/07 04:42:35 02/23/07 04:42:35 krbtgt/REAM1.IBM.COM@REAM1.IBM.COM
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC,
AES-256 CTS mode with 96-bit SHA-1 HMAC
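The verification steps above rely on reading "klist -e" and "getprinc" output by eye. As an added example (not code from the article or from IBM NAS), the following POSIX shell script does that check mechanically over saved output: it extracts the session-key and ticket etypes from every Etype line, counts the tickets that are not AES, and lists the key version numbers in a getprinc record that are not AES. The samples are constructed from Listings 4, 9 and 11 (with the wrapped Etype lines rejoined, since klist prints them on one line); the mixed-ticket sample and the two-key getprinc excerpt are constructed scenarios, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the article: audit saved "klist -e" and
# "kadmin.local getprinc" output and flag tickets or keys that are still
# on DES / Triple DES instead of AES. Needs only POSIX sh, sed and awk.

# Constructed from Listing 4: the TGT before the change (Triple DES).
SAMPLE_KLIST_OLD='Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:35:14  02/23/07 04:35:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1'

# Constructed from Listing 11: the TGT after the change (AES-256).
SAMPLE_KLIST_NEW='Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:41:14  02/23/07 04:41:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC'

# Constructed scenario: an AES TGT plus a service ticket for a service
# principal whose key was never re-created, so that ticket is still 3DES.
SAMPLE_KLIST_MIXED="$SAMPLE_KLIST_NEW
02/22/07 04:41:20  02/23/07 04:41:14  nfs/adfsaix5.in.ibm.com@REALM1.IBM.COM
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1"

# Constructed getprinc excerpt (format as in Listing 9): key vno 2 is AES,
# the older key vno 1 is still Triple DES.
SAMPLE_GETPRINC='Principal: admin/admin@REALM1.IBM.COM
Number of keys: 2
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH'

# Print "<session key etype>|<ticket etype>" for every Etype line on stdin.
klist_etypes() {
  sed -n 's/^[[:space:]]*Etype (skey, tkt): *//p' | sed 's/, */|/'
}

# Print the number of tickets (stdin = klist -e output) whose session key
# or ticket etype is not AES; succeed only if that number is 0.
non_aes_tickets() {
  n=$(klist_etypes | awk -F'|' '$1 !~ /^AES/ || $2 !~ /^AES/ { c++ } END { print c + 0 }')
  echo "$n"
  [ "$n" -eq 0 ]
}

# Print the kvno of every key in getprinc output (stdin) that is not AES.
non_aes_keys() {
  awk -F', ' '/^Key: vno/ && $2 !~ /^AES/ { sub(/^Key: vno /, "", $1); print $1 }'
}

# Usage: klist -e | sh audit_etypes.sh klist
#        sh audit_etypes.sh getprinc < saved_getprinc_output.txt
case "${1:-}" in
  klist)    non_aes_tickets ;;
  getprinc) non_aes_keys ;;
esac
```

The mixed sample is the case worth remembering: once the TGT is AES, a service ticket is still encrypted with the service principal's own key, so any service principal that was not re-created with aes256-cts shows up here with a Triple DES ticket etype even though kinit looks fine.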
To set up the KDC client, use the following steps:
- Install the NAS file sets from the AIX 5.3 Expansion CD. After installing the NAS client file sets, configure the Kerberos client using the mkkrb5clnt command. Take care to provide the proper KDC server (-c) and kadmin server (-s) names, as shown in Listing 14.
Listing 14. Configuring the Kerberos client
# mkkrb5clnt -d in.ibm.com -r REALM1.IBM.COM -c adfsaix5.in.ibm.com \
  -s adfsaix5.in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
The command completed successfully.
For a detailed description, see the mkkrb5clnt man page.
- Verify that the client can communicate with the KDC server, as shown in Listing 15.
Listing 15. Verifying client communication
# kinit admin/admin
Password for admin/admin@REALM1.IBM.COM:
#
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:43:14  02/23/07 04:43:14  krbtgt/REAM1.IBM.COM@REAM1.IBM.COM
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC,
        AES-256 CTS mode with 96-bit SHA-1 HMAC
- Add new service and user principals with the aes256-cts encryption type as required. (You might need to add service and user principals to keytab files with the ktadd command.)
To add all the required service and user principals on the KDC server, create the keytab file on the server and FTP it to all the clients. A keytab file holds the long-term keys of the principals in it, so keep it readable only by root on every host that receives a copy.
This article showed you how to configure IBM NAS 1.4, acting as the KDC, to use AES as the encryption type. It also presented information you can use with IBM NAS 1.4 as the KDC server for securing the communication of services such as NFS.
Learn
- IBM Redbooks: Read Securing NFS in AIX: An Introduction to NFS v4 in AIX 5L Version 5.3 for a broad understanding of NFSv4 and specific AIX NFSv4 implementation details.
- Configuring AIX 5L for Kerberos Based Authentication Using Windows Kerberos Service: This white paper describes how to use Kerberos as an alternative authentication mechanism for AIX using the Windows 2000/2003 server Kerberos Service.
- Get the latest version of OpenSSH for AIX (developerWorks, Feb 2006): Learn details about the installation and configuration of OpenSSH on AIX.
- "A Kerberos primer" (developerWorks, Nov 2001): Learn about Kerberos and some of its features.
Shahid Shaikh works as a System Software Engineer with IBM India Systems and Technology Labs. He has more than two years of experience, and he is currently developing security and deployment related new features for NFSv4. He holds a bachelor's degree in computer science and engineering. You can reach him at shahid.shaikh@in.ibm.com.



