Set up Kerberos Version 5 KDC to use AES encryption

You can use Kerberos to verify the identities of users and principals over a network. Two types of ticket take part in this process: a ticket granting ticket and a service ticket. A ticket granting ticket authenticates you to the KDC so that you can request service tickets; a service ticket is then presented to a server to access the actual service. The Key Distribution Center (KDC) acts as the trusted third party that issues both kinds of ticket.

The tickets are encrypted so that only the principal holding the corresponding key, or the KDC, which holds the entire Kerberos database of principal names, their keys and their expiration dates, can decrypt them.

There are three encryption types available to use with the Kerberos Version 5 KDC:

  • Data Encryption Standard (DES)
  • Triple DES
  • Advanced Encryption Standard (AES)

AES is now the most advanced and recommended encryption type for secure communication, so this article concentrates on setting up the KDC to use AES.

Prerequisites

To follow along with the examples in this article, you need AIX® 5.3H® (or higher) machines configured with IBM Network Authentication Services (NAS) Version 1.4 (or higher) file sets.

Setting up the KDC server

First, verify the installation of IBM NAS file sets (see Listing 1).

Listing 1. Verification of IBM NAS file sets
# lslpp -l |grep krb5
  krb5.client.rte            1.4.0.4  COMMITTED  Network Authentication Service
  krb5.client.samples        1.4.0.4  COMMITTED  Network Authentication Service
  krb5.lic                   1.4.0.4  COMMITTED  Network Authentication Service
  krb5.msg.en_US.client.rte  1.4.0.4  COMMITTED  Network Auth Service Client
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
  krb5.toolkit.adt           1.4.0.4  COMMITTED  Network Authentication Service
  krb5.client.rte            1.4.0.4  COMMITTED  Network Authentication Service
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service

The next step is the Kerberos server setup. The important parameters here are the realm name (-r), the domain name (-d), and the fully qualified host name of the Kerberos administration server (-s) (see Listing 2).

Listing 2. Kerberos server setup
# mkkrb5srv -r REALM1.IBM.COM -d in.ibm.com -s adfsaix5.in.ibm.com
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
                                                 Server

Path: /etc/objrepos
  krb5.server.rte            1.4.0.4  COMMITTED  Network Authentication Service
                                                 Server
The -s option is not supported.
The administration server will be the local host.
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
Creating /var/krb5/krb5kdc/kdc.conf...
Creating database files...
Initializing database '/var/krb5/krb5kdc/principal' for realm 'REALM1.IBM.COM'
master key name 'K/M@REALM1.IBM.COM'
You are prompted for the database Master Password.
It is important that you DO NOT FORGET this password.
Enter database Master Password:
Re-enter database Master Password to verify:
WARNING: no policy specified for admin/admin@REALM1.IBM.COM;
  defaulting to no policy. Note that policy may be overridden by
  ACL restrictions.
Enter password for principal "admin/admin@REALM1.IBM.COM":
Re-enter password for principal "admin/admin@REALM1.IBM.COM":
Principal "admin/admin@REALM1.IBM.COM" created.
Creating keytable...
Creating /var/krb5/krb5kdc/kadm5.acl...
Starting krb5kdc...
krb5kdc was started successfully.
Starting kadmind...
kadmind was started successfully.
The command completed successfully.
Restarting kadmind and krb5kdc

While this command runs, the system asks for the database master password and for a password for the administrative principal admin/admin. Record both names and the chosen passwords in a secure place; these principals are essential to your NAS environment.

The mkkrb5srv command configures the Kerberos server, creates the kadm5.acl, krb5.conf and kdc.conf files, and creates the Kerberos database. It also adds the administrator principal to the database and adds the Kerberos daemons to /etc/inittab. With those three parameters supplied, this single command completes the initial configuration.

The following two lines are added automatically to /etc/inittab so that the KDC daemons start again after a system reboot (see Listing 3).

Listing 3. Starting the KDC server
# lsitab krb5kdc
krb5kdc:2:once:/usr/krb5/sbin/krb5kdc
# lsitab kadm
kadm:2:once:/usr/krb5/sbin/kadmind

For more detailed information, refer to the mkkrb5srv man page.

To do basic verification of the KDC server, see Listing 4 below.

Listing 4. Verifying the KDC server
# ps -ef |grep krb |grep -v grep
root 299160 1 0 18:20:51 - 0:00 /usr/krb5/sbin/krb5kdc
root 315554 1 0 18:20:51 - 0:00 /usr/krb5/sbin/kadmind
#
# kinit admin/admin
Password for admin/admin@REALM1.IBM.COM:
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  admin/admin@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:35:14  02/23/07 04:35:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
Etype (skey, tkt):  Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

The krb5.conf file is created with default values. Of these, the ones that matter here are the default_tkt_enctypes and default_tgs_enctypes parameters. Each lists, in order of preference, the encryption types (each name pairs a cipher with a checksum, for example des3-cbc-sha1) that the client requests for the session key: default_tkt_enctypes for the initial ticket request and default_tgs_enctypes for the requests made with a ticket granting ticket. In both lists the first entry, and therefore the default, is des3-cbc-sha1.
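The two lists are easy to get wrong by hand, so here is an added audit check (example code, not from the article or from IBM NAS) that parses the [libdefaults] section, joins the backslash-wrapped lines seen in the listings, and reports which type is preferred and which deprecated types are still offered. The sample configurations are constructed from Listings 5 and 6.

```python
"""Audit the enctype preference lists in a krb5.conf [libdefaults] section.

Added example, not code from the article or from IBM NAS. It checks the two
parameters the article edits: default_tkt_enctypes and default_tgs_enctypes.
"""
import re

# DES (RFC 6649) and triple DES / RC4 (RFC 8429) are deprecated Kerberos
# enctypes; this example treats any of them still offered as a finding.
LEGACY = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
          "arcfour-hmac", "arcfour-hmac-md5"}

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section, joining the
    backslash line continuations that appear in the article's listings."""
    text = re.sub(r"\\\n\s*", " ", text)
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def audit_enctypes(text):
    """For each enctype list report the preferred (first) type, whether it is
    an AES type, and which deprecated types are still offered."""
    libdefaults = parse_libdefaults(text)
    report = {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = libdefaults.get(key, "").split()
        preferred = types[0] if types else None
        report[key] = {
            "preferred": preferred,
            "aes_preferred": bool(preferred) and preferred.startswith("aes"),
            "legacy_offered": [t for t in types if t in LEGACY],
        }
    return report

# Constructed sample: the [libdefaults] block from Listing 5, and the same
# block with aes256-cts moved to the front as in Listing 6.
BEFORE = """[libdefaults]
      default_realm = REALM1.IBM.COM
      default_tkt_enctypes = \\
   des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
      default_tgs_enctypes = \\
   des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
"""
AFTER = BEFORE.replace("des3-cbc-sha1 arcfour-hmac aes256-cts", "aes256-cts des3-cbc-sha1 arcfour-hmac")
```

Run audit_enctypes on the real /etc/krb5/krb5.conf contents after step 1 below; a non-empty legacy_offered list is a reminder that the weaker types are still negotiable for clients that ask for them.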

To make the Kerberos server use AES instead of the default value (des3-cbc-sha1), implement the following steps:

  1. Edit the /etc/krb5/krb5.conf file to make the AES encryption type (aes256-cts) the first entry in both the default_tkt_enctypes and default_tgs_enctypes lists (see Listings 5 and 6). These lists only control which encryption types the Kerberos library asks for; the keys already stored for each principal keep the type they were created with, which is why the following steps recreate the principals with an explicit AES key type.
    Listing 5. Before editing
    # cat /etc/krb5/krb5.conf
    [libdefaults]
          default_realm = REALM1.IBM.COM
          default_keytab_name = FILE:/etc/krb5/krb5.keytab
          default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
          default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    
    [realms]
            REALM1.IBM.COM = {
                    kdc = adfsaix5.in.ibm.com:88
                    admin_server = adfsaix5.in.ibm.com:749
                    default_domain = in.ibm.com
            }
    
    [domain_realm]
            .in.ibm.com = REALM1.IBM.COM
            adfsaix5.in.ibm.com = REALM1.IBM.COM
    
    [logging]
            kdc = FILE:/var/krb5/log/krb5kdc.log
            admin_server = FILE:/var/krb5/log/kadmin.log
            default = FILE:/var/krb5/log/krb5lib.log
    Listing 6. After editing
    # cat /etc/krb5/krb5.conf
    [libdefaults]
          default_realm = REALM1.IBM.COM
          default_keytab_name = FILE:/etc/krb5/krb5.keytab
          default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
          default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
    
    [realms]
            REALM1.IBM.COM = {
                    kdc = adfsaix5.in.ibm.com:88
                    admin_server = adfsaix5.in.ibm.com:749
                    default_domain = in.ibm.com
            }
    
    [domain_realm]
            .in.ibm.com = REALM1.IBM.COM
            adfsaix5.in.ibm.com = REALM1.IBM.COM
    
    [logging]
            kdc = FILE:/var/krb5/log/krb5kdc.log
            admin_server = FILE:/var/krb5/log/kadmin.log
            default = FILE:/var/krb5/log/krb5lib.log
  2. Delete the admin and ticket granting principals that were created with the default encryption type, using the kadmin.local interface on the KDC server (see Listing 7). Deleting the krbtgt principal invalidates every ticket issued under its old key, so do this before the realm is in production use.
    Listing 7. Deleting the principals that use the default encryption type
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    kadmin.local:  delprinc krbtgt/REALM1.IBM.COM
    Are you sure you want to delete the principal 
    "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM"? (yes/no):  y
    Principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.
    kadmin.local:  delprinc admin/admin
    Are you sure you want to delete the principal "admin/admin@REALM1.IBM.COM"? (yes/no):  y
    Principal "admin/admin@REALM1.IBM.COM" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.
  3. Create the admin and krbtgt principals again with the aes256-cts encryption type, as shown in Listing 8.
    Listing 8. Creating new principals
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    kadmin.local:  ank -e aes256-cts:normal admin/admin
    WARNING: no policy specified for admin/admin@REALM1.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Enter password for principal "admin/admin@REALM1.IBM.COM":
    Re-enter password for principal "admin/admin@REALM1.IBM.COM":
    Principal "admin/admin@REALM1.IBM.COM" created.
    kadmin.local:  ank -e aes256-cts:normal krbtgt/REALM1.IBM.COM
    WARNING: no policy specified for krbtgt/REALM1.IBM.COM@REALM1.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Enter password for principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM":
    Re-enter password for principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM":
    Principal "krbtgt/REALM1.IBM.COM@REALM1.IBM.COM" created.
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
  4. Check that the admin and krbtgt principals have been created with aes256-cts as the encryption type, as shown in Listing 9.
    Listing 9. Verifying the new principals
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    kadmin.local:  getprinc admin/admin
    Principal: admin/admin@REALM1.IBM.COM
    Expiration date: [never]
    Last password change:  Thu Feb 22 04:38:36 PAKST 2007
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Feb 22 04:38:36 PAKST 2007 (admin/admin@REALM1.IBM.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    
    Attributes:
     REQUIRES_PRE_AUTH
    Policy: [none]
    kadmin.local:  getprinc krbtgt/REALM1.IBM.COM
    Principal: krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    Expiration date: [never]
    Last password change:  Thu Feb 22 04:39:04 PAKST 2007
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Feb 22 04:39:04 PAKST 2007 (admin/admin@REALM1.IBM.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    
    Attributes:
     REQUIRES_PRE_AUTH
    Policy: [none]
  5. Destroy old credentials with the kdestroy command, as shown in Listing 10.
    Listing 10. Destroy old credentials
    # kdestroy
    # klist
    Unable to get cache name (ticket cache: /var/krb5/security/creds/krb5cc_0).
            Status 0x96c73ac3 - No credentials cache found.
  6. Obtain new credentials to verify the change in encryption type, as shown in Listing 11.
    Listing 11. Obtain new credentials
    # kinit admin/admin
    Password for admin/admin@REALM1.IBM.COM:
    # klist -e
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  admin/admin@REALM1.IBM.COM
    
    Valid starting     Expires            Service principal
    02/22/07 04:41:14  02/23/07 04:41:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
  7. In the same way, add the service and user principals you need with the aes256-cts encryption type. (Service principals, and any other principals that authenticate without a password, must also be added to a keytab file with the ktadd command.) Listing 12 shows a principal being created and written to the keytab.
    Listing 12. Adding a user and service principal
    # kadmin.local
    kadmin.local:  listprincs
    K/M@REALM1.IBM.COM
    kadmin/admin@REALM1.IBM.COM
    kadmin/changepw@REALM1.IBM.COM
    kadmin/history@REALM1.IBM.COM
    krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    admin/admin@REALM1.IBM.COM
    kadmin.local:  ank -e aes256-cts:normal -randkey groupy
    WARNING: no policy specified for groupy@REALM1.IBM.COM;
      defaulting to no policy. Note that policy may be overridden by
      ACL restrictions.
    Principal "groupy@REALM1.IBM.COM" created.
    kadmin.local:  ktadd -e aes256-cts:normal groupy
    Entry for principal groupy with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.

To verify that the principal was added to the keytab successfully, authenticate with the keytab instead of a password, as shown in Listing 13.

Listing 13. Verifying the user and service principal
# kinit -kt /etc/krb5/krb5.keytab groupy
# klist -e
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  groupy@REALM1.IBM.COM

Valid starting     Expires            Service principal
02/22/07 04:42:35  02/23/07 04:42:35  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

Setting up the KDC client

To set up the KDC client, use the following steps:

  1. Install the NAS file sets from the AIX 5.3 Expansion CD. After installing the NAS client file sets, configure the Kerberos client with the mkkrb5clnt command. Take care to give the correct KDC server (-c) and kadmin server (-s) names, as shown in Listing 14.
    Listing 14. Configuring the Kerberos client
    # mkkrb5clnt -d in.ibm.com -r REALM1.IBM.COM -c adfsaix5.in.ibm.com \
        -s adfsaix5.in.ibm.com
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    The command completed successfully.

    For a detailed description, see the mkkrb5clnt man page.

  2. Verify that the client can communicate with the KDC server, as shown in Listing 15 below.
    Listing 15. Verifying client communication
    # kinit admin/admin
    Password for admin/admin@REALM1.IBM.COM:
    #
    # klist -e
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  admin/admin@REALM1.IBM.COM
    
    Valid starting     Expires            Service principal
    02/22/07 04:43:14  02/23/07 04:43:14  krbtgt/REALM1.IBM.COM@REALM1.IBM.COM
    Etype (skey, tkt):  AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
  3. Add the service and user principals you need with the aes256-cts encryption type. (You might also need to add service and user principals to keytab files with the ktadd command.)

Rather than adding principals on each client, add all the required service and user principals on the KDC server, create the keytab file there and transfer it to the clients (the article uses FTP for this). The keytab contains the principals' long-term keys, so treat it as a secret: transfer it over an encrypted channel such as scp or sftp rather than plain FTP, and keep it readable by root only on every client.

Summary

This article showed you how to configure IBM NAS 1.4, acting as the KDC, to use AES as the encryption type. The resulting KDC can then serve any Kerberos-aware service that needs secure communication, NFS for example.


Published on IBM developerWorks (AIX and UNIX zone), ArticleID 206227, publish-date 04032007.