Set up Kerberos Version 5 KDC to use AES encryption

Learn how to set up a Key Distribution Center (KDC) to use Advanced Encryption Standard (AES) encryption to secure tickets. Developers use KDC in systems to control the permission for users to access certain services. The KDC uses tickets as a means to flag permission for accessing a particular service, or for authenticating users and providers of services.


Shahid Shaikh (shahid.shaikh@in.ibm.com), System Software Engineer, IBM

Shahid Shaikh works as a System Software Engineer with IBM India Systems and Technology Labs. He has more than two years of experience, and he is currently developing security and deployment related new features for NFSv4. He holds a bachelor's degree in computer science and engineering. You can reach him at shahid.shaikh@in.ibm.com.



03 April 2007

Introduction

You can use Kerberos to verify the identities of users and principals over networks. Two types of tickets are used in this process: a ticket granting ticket and a service ticket. A ticket granting ticket authenticates you so that you can request service tickets, and a service ticket is what you present to access an actual service. The Key Distribution Center (KDC) is the trusted third party that issues both kinds of tickets.

The tickets are encrypted so that only principals holding valid private keys, or the KDC (which holds the entire Kerberos database of principal names, their private keys, and their expiration dates), can decrypt them.

There are three encryption types available to use with the Kerberos Version 5 KDC:

  • Data Encryption Standard (DES)
  • Triple DES
  • Advanced Encryption Standard (AES)

AES is the strongest and the recommended encryption type of the three for secure communication, so this article concentrates on setting up the KDC to use AES.

Prerequisites

To follow along with the examples in this article, you need AIX® 5.3H® (or higher) machines configured with IBM Network Authentication Services (NAS) Version 1.4 (or higher) file sets.

Setting up the KDC server

First, verify the installation of IBM NAS file sets (see Listing 1).

Listing 1. Verification of IBM NAS file sets
# lslpp -l |grep krb5                                                    
     krb5.client.rte            1.4.0.4  COMMITTED  Network Authentication  
   Service                                                                  
     krb5.client.samples        1.4.0.4  COMMITTED  Network Authentication  
   Service                                                                  
     krb5.lic                   1.4.0.4  COMMITTED  Network Authentication  
   Service                                                                  
     krb5.msg.en_US.client.rte  1.4.0.4  COMMITTED  Network Auth Service    
   Client                                                                   
     krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication  
   Service                                                                  
     krb5.toolkit.adt           1.4.0.4  COMMITTED  Network Authentication  
   Service                                                                  
     krb5.client.rte            1.4.0.4  COMMITTED  Network Authentication  
   Service                                                                  
     krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication  
   Service

The next step is the Kerberos server setup. The important parameters here are the realm name (-r), the domain name (-d), and the fully qualified name of the Kerberos administration server (-s); see Listing 2.

Listing 2. Kerberos server setup
# mkkrb5srv -r REALM1.IBM.COM -d in.ibm.com -s adfsaix5.in.ibm.com
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
                                                 Server

Path: /etc/objrepos
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
                                                 Server
The -s option is not supported.
The administration server will be the local host.
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
Creating /var/krb5/krb5kdc/kdc.conf...
Creating database files...
Initializing database '/var/krb5/krb5kdc/principal' for realm 'REALM1.IBM.COM'
master key name 'K/M@REALM1.IBM.COM'
You are prompted for the database Master Password.
It is important that you DO NOT FORGET this password.
Enter database Master Password:
Re-enter database Master Password to verify:
WARNING: no policy specified for admin/admin@REALM1.IBM.COM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Enter password for principal "admin/admin@REALM1.IBM.COM":
Re-enter password for principal "admin/admin@REALM1.IBM.COM":
Principal "admin/admin@REALM1.IBM.COM" created.
Creating keytable...
Creating /var/krb5/krb5kdc/kadm5.acl...
Starting krb5kdc...
krb5kdc was started successfully.
Starting kadmind...
kadmind was started successfully.
The command completed successfully.
Restarting kadmind and krb5kdc

While running this command, the system asks for the database master password and for a password for the administrative principal, admin/admin. Record both passwords in a secure place; the master key and the admin principal are essential for your NAS environment.

The mkkrb5srv command configures the Kerberos server, creates the kadm5.acl, krb5.conf, and kdc.conf files, and creates the Kerberos database. It also adds the administrator to the database and updates the /etc/inittab file with the Kerberos daemons. The command performs the complete initial configuration from the parameters given on its command line.

The following two lines are also added automatically in the /etc/inittab file to start the KDC server after system reboot (see Listing 3).

Listing 3. Starting the KDC server
# lsitab krb5kdc
krb5kdc:2:once:/usr/krb5/sbin/krb5kdc
# lsitab kadm
kadm:2:once:/usr/krb5/sbin/kadmind

For more detailed information, refer to the mkkrb5srv man page.

To do basic verification of the KDC server, see Listing 4 below.

Listing 4. Verifying the KDC server
# ps -ef |grep krb |grep -v grep
root 299160 1 0 18:20:51 - 0:00 /usr/krb5/sbin/krb5kdc
root 315554 1 0 18:20:51 - 0:00 /usr/krb5/sbin/kadmind
#
# kinit admin/admin
Password for admin/admin@REALM1.IBM.COM:
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:35:14  02/23/07 04:35:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
Etype (skey, tkt):  Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

The krb5.conf file is created with default values. Of these, the values of interest are the default_tkt_enctypes and default_tgs_enctypes parameters. default_tkt_enctypes lists the encryption types (each combining a cipher with a checksum) that may be used to encrypt and check service tickets, in order of preference; the first entry, des3-cbc-sha1, is the default. default_tgs_enctypes is the equivalent list for ticket granting tickets, and again the first entry is des3-cbc-sha1.
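The following shell script is an added example; it is not part of the article and not IBM NAS code. It reads a krb5.conf of the shape shown in Listings 5 and 6 (both copies are constructed inline from those listings), reports which encryption type is listed first for default_tkt_enctypes and default_tgs_enctypes, and produces the reordered list that the edit in Listing 6 makes by hand. The function names first_enctype, promote_enctype, enctype_is_aes and check_krb5_conf are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): find the first enctype listed for
# default_tkt_enctypes / default_tgs_enctypes in the [libdefaults] section of
# a krb5.conf, since that first entry is the type the KDC prefers.

# Constructed sample: the "before" configuration of Listing 5, including the
# backslash line continuations the listing uses.
KRB5_CONF_BEFORE='[libdefaults]
      default_realm = REALM1.IBM.COM
      default_keytab_name = FILE:/etc/krb5/krb5.keytab
      default_tkt_enctypes = \
   des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
      default_tgs_enctypes = \
   des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

[realms]
        REALM1.IBM.COM = {
                kdc = adfsaix5.in.ibm.com:88
        }'

# Constructed sample: the "after" configuration of Listing 6.
KRB5_CONF_AFTER='[libdefaults]
      default_realm = REALM1.IBM.COM
      default_keytab_name = FILE:/etc/krb5/krb5.keytab
      default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
      default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

[realms]
        REALM1.IBM.COM = {
                kdc = adfsaix5.in.ibm.com:88
        }'

# first_enctype CONFIG_TEXT PARAM -> prints the first value of PARAM inside
# [libdefaults], or nothing when PARAM is not set there.
first_enctype() {
    printf '%s\n' "$1" | awk -v key="$2" '
        # a trailing backslash continues the value on the next line
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        # track whether we are inside [libdefaults]
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            sub(/^[^=]*=[ \t]*/, "", line)
            split(line, vals, "[ \t]+")
            print vals[1]; exit
        }
    '
}

# enctype_is_aes TYPE -> 0 when TYPE is an AES enctype, 1 otherwise
enctype_is_aes() {
    case "$1" in
        aes128-cts*|aes256-cts*) return 0 ;;
        *) return 1 ;;
    esac
}

# promote_enctype LIST TYPE -> LIST with TYPE moved to the front (the edit of step 1)
promote_enctype() {
    _list=$1; _type=$2; _out=$_type
    for _t in $_list; do
        [ "$_t" = "$_type" ] || _out="$_out $_t"
    done
    printf '%s\n' "$_out"
}

# check_krb5_conf CONFIG_TEXT -> 0 when both parameters lead with an AES type,
# 1 when either still prefers a weaker type (or is unset)
check_krb5_conf() {
    _rc=0
    for _p in default_tkt_enctypes default_tgs_enctypes; do
        _first=$(first_enctype "$1" "$_p")
        if enctype_is_aes "$_first"; then
            printf '%s: OK (%s first)\n' "$_p" "$_first"
        else
            printf '%s: WEAK (%s first)\n' "$_p" "${_first:-unset}"
            _rc=1
        fi
    done
    return $_rc
}

echo "== before =="
if ! check_krb5_conf "$KRB5_CONF_BEFORE"; then echo "reorder needed"; fi
echo "== after =="
if check_krb5_conf "$KRB5_CONF_AFTER"; then echo "AES preferred"; fi
```

To check the live file, call first_enctype "$(cat /etc/krb5/krb5.conf)" default_tkt_enctypes. Note that a leading aes256-cts only states the preferred type; tickets are actually issued with AES keys once the krbtgt and user principals themselves hold aes256-cts keys, which is what the re-creation of the principals in the steps that follow arranges.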

To make the Kerberos server use AES instead of the default value (des3-cbc-sha1), implement the following steps:

  1. Edit the /etc/krb5/krb5.conf file to make AES encryption type (aes256-cts) the first entry in the default_tkt_enctypes and default_tgs_enctypes lists (see Listings 5 and 6).
    Listing 5. Before editing
    # cat /etc/krb5/krb5.conf
    [libdefaults]
          default_realm = REALM1.IBM.COM
          default_keytab_name = FILE:/etc/krb5/krb5.keytab
          default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
          default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    
    [realms]
            REALM1.IBM.COM = {
                    kdc = adfsaix5.in.ibm.com:88
                    admin_server = adfsaix5.in.ibm.com:749
                    default_domain = in.ibm.com
            }
    
    [domain_realm]
            .in.ibm.com = REALM1.IBM.COM
            adfsaix5.in.ibm.com = REALM1.IBM.COM
    
    [logging]
            kdc = FILE:/var/krb5/log/krb5kdc.log
            admin_server = FILE:/var/krb5/log/kadmin.log
            default = FILE:/var/krb5/log/krb5lib.log
    Listing 6. After editing
    # cat /etc/krb5/krb5.conf
    [libdefaults]
          default_realm = REALM1.IBM.COM
          default_keytab_name = FILE:/etc/krb5/krb5.keytab
          default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
          default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
    
    [realms]
            REALM1.IBM.COM = {
                    kdc = adfsaix5.in.ibm.com:88
                    admin_server = adfsaix5.in.ibm.com:749
                    default_domain = in.ibm.com
            }
    
    [domain_realm]
            .in.ibm.com = REALM1.IBM.COM
            adfsaix5.in.ibm.com = REALM1.IBM.COM
    
    [logging]
            kdc = FILE:/var/krb5/log/krb5kdc.log
            admin_server = FILE:/var/krb5/log/kadmin.log
            default = FILE:/var/krb5/log/krb5lib.log
  2. Delete the admin and ticket granting (krbtgt) principals that were created with the default encryption type, using the kadmin.local interface on the KDC server (see Listing 7).
    Listing 7. Deleting the principals created with the default encryption type
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    kadmin.local:  delprinc krbtgt/REALM1.IBM.COM
    Are you sure you want to delete the principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM"? (yes/no):  y
    Principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.
    kadmin.local:  delprinc admin/admin
    Are you sure you want to delete the principal "admin/admin@REALM1.IBM.COM"? (yes/no):  y
    Principal "admin/admin@REALM1.IBM.COM" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.
  3. Create new admin and krbtgt principals with the aes256-cts encryption type, as shown in Listing 8.
    Listing 8. Creating new principals
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    kadmin.local:  ank -e aes256-cts:normal admin/admin
    WARNING: no policy specified for admin/admin@REALM1.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Enter password for principal "admin/admin@REALM1.IBM.COM":
    Re-enter password for principal "admin/admin@REALM1.IBM.COM":
    Principal "admin/admin@REALM1.IBM.COM" created.
    kadmin.local:  ank -e aes256-cts:normal krbtgt/REALM1.IBM.COM
    WARNING: no policy specified for krbtgt/REALM1.IBM.COM@REALM1.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Enter password for principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM":
    Re-enter password for principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM":
    Principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM" created.
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
  4. Check whether admin and tgt principals have been created with aes256-cts as the encryption type, as shown in Listing 9 below.
    Listing 9. Verifying the new principals
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    kadmin.local:  getprinc admin/admin
    Principal: admin/admin@REALM1.IBM.COM
    Expiration date: [never]
    Last password change:  Thu Feb 22 04:38:36 PAKST 2007
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Feb 22 04:38:36 PAKST 2007 (admin/admin@REALM1.IBM.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    
    Attributes:
     REQUIRES_PRE_AUTH
    Policy: [none]
    kadmin.local:  getprinc krbtgt/REALM1.IBM.COM
    Principal: krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    Expiration date: [never]
    Last password change:  Thu Feb 22 04:39:04 PAKST 2007
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Feb 22 04:39:04 PAKST 2007 (admin/admin@REALM1.IBM.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    
    Attributes:
     REQUIRES_PRE_AUTH
    Policy: [none]
  5. Destroy old credentials with the kdestroy command, as shown in Listing 10.
    Listing 10. Destroy old credentials
    # kdestroy
    # klist
    Unable to get cache name (ticket cache: /var/krb5/security/creds/krb5cc_0).
            Status 0x96c73ac3 - No credentials cache found.
  6. Obtain new credentials to verify the change in encryption type, as shown in Listing 11.
    Listing 11. Obtain new credentials
    # kinit admin/admin
    Password for admin/admin@REALM1.IBM.COM:
    # klist -e
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  admin/admin@REALM1.IBM.COM
    
    Valid starting     Expires            Service principal
    02/22/07 04:41:14  02/23/07 04:41:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
            Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
  7. Similarly, add new service and user principals as required with the aes256-cts encryption type. (You might also need to add service and user principals to keytab files with the ktadd command.) An example of adding a user and a service principal is shown in Listing 12 below.
    Listing 12. Adding a user and service principal
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin.local:  ank -e aes256-cts:normal -randkey groupy
    WARNING: no policy specified for groupy@REALM1.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "groupy@REALM1.IBM.COM" created.
    kadmin.local:  ktadd -e aes256-cts:normal groupy
    Entry for principal groupy with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.

To verify that the principal was added to the keytab file, obtain a ticket with that keytab and check its encryption type, as shown in Listing 13 below.

Listing 13. Verifying the user and service principal
# kinit -kt /etc/krb5/krb5.keytab groupy
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  groupy@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:42:35  02/23/07 04:42:35  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
        Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
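The following script is an added example, not part of the article and not an IBM NAS tool. It parses klist -e output of the form shown in Listings 4, 11 and 13 and reports any ticket whose session key or ticket encryption type is not AES, which is what you would see if a principal had been left with its original des3-cbc-sha1 key. Both samples are constructed from the listings; ticket_etypes and all_aes are the example's own function names.

```shell
#!/bin/sh
# Added example (not from the article): check "klist -e" output so that a ticket
# still issued with Triple DES (or any other non-AES type) is noticed.

# Constructed sample in the shape of Listing 4 (before the change to AES).
KLIST_3DES='Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:35:14  02/23/07 04:35:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
        Etype (skey, tkt):  Triple DES cbc mode with HMAC/sha1,
                Triple DES cbc mode with HMAC/sha1'

# Constructed sample in the shape of Listing 11 (after the change to AES).
KLIST_AES='Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:41:14  02/23/07 04:41:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
        Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC,
                AES-256 CTS mode with 96-bit SHA-1 HMAC'

# ticket_etypes KLIST_OUTPUT -> one line per ticket:
#   service principal|session key etype|ticket etype
# The Etype line may be wrapped onto a continuation line, as klist prints it.
ticket_etypes() {
    printf '%s\n' "$1" | awk '
        function emit(   n, a, s, t) {
            if (!collecting) return
            n = split(et, a, ",")
            s = a[1]; t = (n >= 2) ? a[2] : ""
            gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", t)
            print svc "|" s "|" t
            collecting = 0; et = ""
        }
        # a ticket row starts with the "Valid starting" date; field 5 is the service principal
        /^[ \t]*[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { emit(); svc = $5; next }
        /Etype \(skey, tkt\):/ { emit(); sub(/.*Etype \(skey, tkt\):[ \t]*/, ""); et = $0; collecting = 1; next }
        # an indented line after an Etype line is its continuation
        collecting && /^[ \t]/ { sub(/^[ \t]+/, ""); et = et " " $0; next }
        { emit() }
        END { emit() }
    '
}

# all_aes KLIST_OUTPUT -> 0 when every session key and ticket uses an AES etype;
# otherwise prints the offending service principals and returns 1
all_aes() {
    _bad=$(ticket_etypes "$1" | awk -F'|' '$2 !~ /^AES-/ || $3 !~ /^AES-/ { print $1 }')
    if [ -n "$_bad" ]; then
        printf 'non-AES ticket for: %s\n' "$_bad"
        return 1
    fi
    return 0
}

for _sample in "$KLIST_3DES" "$KLIST_AES"; do
    ticket_etypes "$_sample"
    if all_aes "$_sample"; then echo "all tickets use AES"; fi
done
```

On a live system, pass the real output: all_aes "$(klist -e)". Running it after kinit for each re-created principal confirms the change end to end, rather than relying on the configuration file alone.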

Setting up the KDC client

To set up the KDC client, use the following steps:

  1. Install the NAS file set from the AIX 5.3 Expansion CD. After installing the NAS client file sets, configure the Kerberos client using the mkkrb5clnt command. Take care to provide the correct KDC server (-c) and kadmin server (-s) names, as shown in Listing 14 below.
    Listing 14. Configuring the Kerberos client
    # mkkrb5clnt -d in.ibm.com -r REALM1.IBM.COM -c adfsaix5.in.ibm.com \
        -s adfsaix5.in.ibm.com
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    The command completed successfully.

    For a detailed description, see the mkkrb5clnt man page.

  2. Verify that the client can communicate with the KDC server, as shown in Listing 15 below.
    Listing 15. Verifying client communication
    # kinit admin/admin
    Password for admin/admin@REALM1.IBM.COM:
    #
    # klist -e
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  admin/admin@REALM1.IBM.COM
    
    Valid starting     Expires            Service principal
    02/22/07 04:43:14  02/23/07 04:43:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
            Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
  3. Add new service and user principals with the aes256-cts encryption type as required. (You might also need to add service and user principals to keytab files with the ktadd command.)

Add all the required service and user principals on the KDC server, create the keytab file there, and then transfer it with FTP to each of the clients.
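The following is an added example, not part of the article: a check to run on each client after the keytab has been copied, comparing its cksum with the value computed on the KDC and confirming that the file is readable by its owner only, since the keytab holds the principals' long-term keys. keytab_ok and keytab_mode are the example's own names; the CRC you pass in is whatever cksum printed for the file on the server.

```shell
#!/bin/sh
# Added example (not from the article): after copying /etc/krb5/krb5.keytab to
# a client, confirm that the copy is intact and that only its owner can read it.

# keytab_mode FILE -> prints the permission string from ls -l, e.g. -rw-------
keytab_mode() {
    ls -ld "$1" | awk '{ print $1 }'
}

# keytab_ok FILE EXPECTED_CRC -> 0 when FILE exists, its cksum CRC equals the
# value recorded on the KDC, and group and other have no permission bits set;
# 1 otherwise, with the reason printed.
keytab_ok() {
    _file=$1; _want=$2
    if [ ! -f "$_file" ]; then
        echo "$_file: missing"
        return 1
    fi
    _got=$(cksum "$_file" | awk '{ print $1 }')
    if [ "$_got" != "$_want" ]; then
        echo "$_file: checksum $_got does not match $_want (truncated or altered copy?)"
        return 1
    fi
    _mode=$(keytab_mode "$_file")
    # positions 5-10 of the mode string are the group and other bits
    case "$_mode" in
        ????------*) ;;
        *) echo "$_file: mode $_mode grants access beyond the owner"; return 1 ;;
    esac
    echo "$_file: checksum and mode OK"
    return 0
}

# Usage on a client: run "cksum /etc/krb5/krb5.keytab" on the KDC first, then
#   KEYTAB_CRC=<crc from the server> sh this_script.sh
if [ -n "${KEYTAB_CRC:-}" ]; then
    keytab_ok /etc/krb5/krb5.keytab "$KEYTAB_CRC"
fi
```

A matching CRC shows the transfer completed without truncation or alteration; the permission check catches a keytab left world-readable by the transfer tool's default file mode.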

Summary

This article showed you how to configure IBM NAS 1.4, acting as the KDC, to use AES as the encryption type. A KDC configured this way can serve as the KDC for services that use Kerberos for secure communication, such as NFS.
