KDC Configuration

View the key distribution center (KDC) servers that are used by this HMC for Kerberos remote authentication.

From this task you can do the following:
  • View existing KDC servers
  • Modify existing KDC server parameters including realm, ticket lifetime, and clock skew
  • Add and configure a KDC server on the HMC
  • Remove a KDC server
  • Import a service key
  • Remove a service key

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the KDC. The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client's identity.

The tickets have a time availability period. Kerberos requires the clocks of the involved hosts to be synchronized. If the HMC clock is not synchronized with the clock of the KDC server, authentication fails.

A Kerberos realm is an administrative domain, site, or logical network that uses Kerberos remote authentication. Each realm uses a master Kerberos database that is stored on a KDC server and that contains information about the users and services for that realm. A realm might also have one or more slave KDC servers, which store read-only copies of the master Kerberos database for that realm.

To prevent KDC spoofing, the HMC can be configured to use a service key to authenticate to the KDC. Service key files are also known as keytabs. Kerberos verifies that the TGT it requested was issued by the same KDC that issued the service key file for the HMC. Before you can import a service key file into an HMC, you must generate a service key for the host principal of the HMC client.

Note: For MIT Kerberos V5 *nix distributions, create a service key file by running the kadmin utility on a KDC and using the ktadd command. Other Kerberos implementations may require a different process to create a service key.

You can import a service key file from one of these sources:
  • Removable media that is currently mounted to the HMC, such as optical discs or USB Mass Storage devices. You must use this option locally at the HMC (not remotely), and you must mount the removable media to the HMC before using this option.
  • A remote site using secure FTP. You can import a service-key file from any remote site that has SSH installed and running.

To use Kerberos remote authentication for this HMC, complete the following:
  • You must enable the Network Time Protocol (NTP) service on the HMC and set the HMC and the KDC servers to synchronize time with the same NTP server. You can enable the NTP service on the HMC by accessing the Change Date and Time task under HMC Management.
  • You must set the user profile of each remote user to use Kerberos remote authentication instead of local authentication. A user that is set to use Kerberos remote authentication will always use Kerberos remote authentication, even when the user logs onto the HMC locally.
    Note: You do not need to set all users to use Kerberos remote authentication. You can set some user profiles so that the users can use local authentication only.
  • Use of a service key file is optional. Before using a service key file, you must import it into the HMC. If a service key is installed on the HMC, realm names must be equivalent to the network domain name. The following is an example of creating the service key file on a Kerberos server using the kadmin.local command assuming the HMC hostname is hmc1, the DNS domain is example.com, and the Kerberos realm name is EXAMPLE.COM:
    • # kadmin.local
      kadmin.local: ktadd -k /etc/krb5.keytab host/hmc1.example.com@EXAMPLE.COM
    Using the Kerberos ktutil on the Kerberos server, verify the service key file contents. The output should look like the following:
    • # ktutil
      ktutil: rkt /etc/krb5.keytab
      ktutil: l
      slot KVNO Principal
      ---- ---- ---------------------------------------------------------------------
         1    9 host/hmc1.example.com@EXAMPLE.COM
         2    9 host/hmc1.example.com@EXAMPLE.COM

  • The HMC Kerberos configuration can be modified for SSH (Secure Shell) login without a password using GSSAPI. For remote login without a password through Kerberos to an HMC, configure the HMC to use a service key. Once the configuration is completed, obtain forwardable credentials on a remote Kerberos client machine:
    • $ kinit -f principal
    Then issue the following command to log in to the HMC without having to enter a password:
    • $ ssh -o PreferredAuthentications=gssapi-with-mic user@host
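The ktutil listing above is the check the documentation asks for before importing a service key. The following script is an added example, not part of this HMC documentation or of IBM's or MIT's code: it reads an MIT-format keytab (format version 0x0502) directly, prints the same slot/KVNO/principal listing, and then verifies the two rules stated above, that the entry is for the host principal host/<hmc-fqdn> and that the realm equals the HMC's DNS domain name, while also flagging a keytab whose entries carry different KVNOs. The keytab bytes are constructed inline from the documentation's hmc1/EXAMPLE.COM example with all-zero keys, so it runs offline; the function and field names are this example's own.

```python
"""Added example: parse an MIT keytab, list it like ktutil, and check it against the
HMC service-key rules (host principal, realm == DNS domain). Sample data is constructed."""
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers, for display only (RFC 3962 / RFC 4757).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    slot: int
    kvno: int
    principal: str
    enctype: int
    key: bytes


def _octet(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(realm, components, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one keytab record; used here only to construct the sample input."""
    body = struct.pack(">H", len(components)) + _octet(realm.encode())
    for comp in components:
        body += _octet(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
    body += struct.pack(">I", kvno)                                   # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def mark_deleted(record):
    """A negative record size is how the keytab tools mark a removed slot."""
    return struct.pack(">i", -(len(record) - 4)) + record[4:]


def build_keytab(records):
    return b"\x05\x02" + b"".join(records)


def _read_octet(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data: bytes):
    """Walk the records in order; deleted (negative-size) slots are skipped, not listed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, slot, entries = 2, 0, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_octet(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_octet(data, off)
            comps.append(comp)
        off += 8                              # name_type and timestamp are not needed here
        kvno = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:                    # a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        slot += 1
        entries.append(KeytabEntry(slot, kvno, "/".join(comps) + "@" + realm, enctype, key))
        off = end
    return entries


def listing(entries):
    """Render entries in ktutil's slot/KVNO/principal layout, with the enctype appended."""
    lines = ["slot KVNO Principal"]
    for e in entries:
        lines.append(f"{e.slot:4d} {e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    return "\n".join(lines)


def check_hmc_service_key(entries, hmc_fqdn, dns_domain):
    """Return a list of problems; an empty list means the keytab satisfies the HMC rules."""
    problems = []
    expected = f"host/{hmc_fqdn}@{dns_domain.upper()}"   # realm name must equal the DNS domain
    if not entries:
        problems.append("keytab has no entries")
    for e in entries:
        if e.principal != expected:
            problems.append(f"slot {e.slot}: principal {e.principal}, expected {expected}")
    kvnos = {e.kvno for e in entries}
    if len(kvnos) > 1:
        problems.append(f"mixed KVNOs {sorted(kvnos)}: keytab is out of step with the KDC")
    return problems


# Constructed sample: what ktadd would write for the hmc1 example above (zero keys, KVNO 9).
SAMPLE_KEYTAB = build_keytab([
    build_entry("EXAMPLE.COM", ["host", "hmc1.example.com"], 9, 18, bytes(32)),
    build_entry("EXAMPLE.COM", ["host", "hmc1.example.com"], 9, 17, bytes(16)),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    print(listing(found))
    print(check_hmc_service_key(found, "hmc1.example.com", "example.com") or "service key OK")
```

Running the script against a real keytab means replacing SAMPLE_KEYTAB with the file's bytes; the check reports a principal mismatch when the realm is not the upper-cased DNS domain, which is the condition the HMC imposes once a service key is installed, and a mixed-KVNO keytab is the usual sign that ktadd was re-run after the HMC imported an earlier copy.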

Last updated: Fri, December 06, 2019