KDC

View the key distribution center (KDC) servers that are used by this Hardware Management Console (HMC) for Kerberos remote authentication.

From this task, you can complete the following tasks:
  • View existing KDC servers.
  • Modify existing KDC server parameters that include realm, ticket lifetime, and clock skew.
  • Add and configure a KDC server on the HMC.
  • Remove a KDC server.
  • Import a service key.
  • Remove a service key.

Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the KDC. The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it by using a key derived from the client's password, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT by using its password. If the client successfully decrypts the TGT (that is, if the client supplied the correct password), it keeps the decrypted TGT, which serves as proof of the client's identity.

Tickets are valid only for a limited time, so Kerberos requires the clocks of the hosts involved to be synchronized. If the HMC clock is not synchronized with the clock of the KDC server, authentication fails.

A Kerberos realm is an administrative domain, site, or logical network that uses Kerberos remote authentication. Each realm uses a primary Kerberos database that is stored on a KDC server and that contains information about the users and services for that realm. A realm might also have one or more secondary KDC servers that store read-only copies of the primary Kerberos database for that realm.

To prevent KDC spoofing, the HMC can be configured to use a service key to authenticate to the KDC. Service key files are also known as keytabs. Kerberos verifies that the TGT requested was issued by the same KDC that issued the service key file for the HMC. Before you can import a service key file into an HMC, you must generate a service key for the host principal of the HMC client.

Note: For MIT Kerberos V5 *nix distributions, create a service key file by running the kadmin utility on a KDC and by using the ktadd command. Other Kerberos implementations might require a different process to create a service key.
You can import a service key file from one of these sources:
  • Removable media that is mounted to the HMC, such as optical discs or USB Mass Storage devices. You must use this option locally at the HMC (not remotely), and you must mount the removable media to the HMC before you use this option.
  • A remote site that uses secure FTP. You can import a service key file from any remote site that has SSH installed and running.
To use Kerberos remote authentication for this HMC, complete the following tasks:
  • You must enable the Network Time Protocol (NTP) service on the HMC and set the HMC and the KDC servers to synchronize time with the same NTP server. You can enable the NTP service on the HMC by accessing the Date and time task from HMC management, and then selecting HMC settings.
  • You must set the user profile of each remote user to use Kerberos remote authentication instead of local authentication. A user that is set to use Kerberos remote authentication always uses Kerberos remote authentication, even when the user logs on to the HMC locally.
    Note: You do not need to set all users to use Kerberos remote authentication. You can set some user profiles so that the users can use local authentication only.
  • Use of a service key file is optional. Before you use a service key file, you must import it into the HMC. If a service key is installed on the HMC, realm names must be equivalent to the network domain name. The following example shows how to create the service key file on a Kerberos server by using the kadmin.local command, assuming the HMC hostname is hmc1, the DNS domain is example.com, and the Kerberos realm name is EXAMPLE.COM:
      # kadmin.local
      kadmin.local: ktadd -k /etc/krb5.keytab host/hmc1.example.com@EXAMPLE.COM
    Using the Kerberos ktutil on the Kerberos server, verify the service key file contents. The output looks like the following example:
      # ktutil
      ktutil: rkt /etc/krb5.keytab
      ktutil: l
      slot KVNO Principal
      ---- ---- ---------------------------------------------------------------------
         1    9 host/hmc1.example.com@EXAMPLE.COM
         2    9 host/hmc1.example.com@EXAMPLE.COM

  • The HMC Kerberos configuration can be modified for SSH (Secure Shell) login without a password by using GSSAPI. For remote login without a password through Kerberos to an HMC, configure the HMC to use a service key. After the configuration is completed, use kinit -f principal to obtain forwardable credentials on a remote Kerberos client machine. You can then enter the following command to log in to the HMC without having to enter a password: $ ssh -o PreferredAuthentications=gssapi-with-mic user@host.
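The following Python is an added example, not IBM's code or part of the HMC: it parses an MIT-format (0x0502) keytab the way the ktutil l command lists it and checks the two rules stated above for the HMC's service key file, namely that a host/<HMC FQDN> entry is present and that its realm equals the DNS domain in upper case; it also reports when entries carry more than one KVNO, which happens when ktadd was run more than once against the same file. The sample keytab bytes are constructed in make_keytab with dummy key material, and the names hmc1.example.com and EXAMPLE.COM follow the page's example.

```python
import struct
VERSION = b"\x05\x02"  # MIT Kerberos V5 keytab format 0x0502, as written by ktadd

def _cstr(buf, pos):
    """MIT counted_octet_string: uint16 big-endian length followed by the bytes."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(slot, kvno, principal), ...] for each live entry, like 'ktutil: l'."""
    if data[:2] != VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size < 0:                  # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]; pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos); comps.append(c.decode())
        vno8 = data[pos + 8]; pos += 11      # skip name_type(4) timestamp(4) vno8(1) enctype(2)
        _key, pos = _cstr(data, pos)         # key material is not needed for this check
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append((len(out) + 1, kvno, "/".join(comps) + "@" + realm.decode()))
        pos = end
    return out

def check_hmc_keytab(data, hmc_fqdn):
    """Page rules: host/<fqdn> entry present, realm == DNS domain upper-cased, one KVNO."""
    entries = parse_keytab(data)
    want = "host/%s@%s" % (hmc_fqdn, hmc_fqdn.split(".", 1)[1].upper())
    problems = []
    if not any(p == want for _, _, p in entries):
        problems.append("missing " + want)
    if len({k for _, k, _ in entries}) > 1:
        problems.append("more than one KVNO present: older keys are still in the keytab")
    return problems

def make_keytab(principal, kvno, n_keys=2):
    """Constructed sample keytab (same layout, dummy 16-byte aes128 keys) for offline testing."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", 17, 16) + bytes(16) + struct.pack(">I", kvno)
    return VERSION + (struct.pack(">i", len(body)) + body) * n_keys
```

Run check_hmc_keytab against the bytes of the keytab you intend to import; an empty list means the file matches the HMC host principal and realm rules above.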

To manage the KDC, complete the following steps:

  1. In the navigation area, click User management, and then select KDC.
  2. From the Manage KDC window, select the appropriate task from the available options under the Actions menu.
  3. When you complete the task, click OK.

Use the online Help if you need additional information for Managing KDC.