Lines Matching +full:common +full:- +full:password
21 * Password changing::
26 * Credential cache server - KCM::
32 * Setting up PK-INIT::
48 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
51 @samp{@{} as the first non-whitespace character after the equal sign. All
57 a-subsection = @{
59 other-var = value with @{@}
60 sub-sub-section = @{
70 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
71 be @samp{section1/a-subsection/other-var}.
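The section/binding/subsection rules described above, as an added example that is not part of the Heimdal manual or source tree: a small Python parser that flattens a file in this syntax into slash-joined names such as section1/a-subsection/other-var. The input is constructed for this example in the shape of the manual's snippet; the other-var line exercises the rule that only a brace as the first non-whitespace character after the equal sign opens a subsection.

```python
# Added example (not Heimdal code): parse the krb5.conf-style syntax described
# above into a flat {"section/subsection/.../name": value} mapping.
import re

# Constructed sample input in the shape of the manual's snippet.
SAMPLE_CONF = """\
# a comment line
[section1]
    a-subsection = {
        var = value
        other-var = value with {}
        sub-sub-section = {
            var = 123
        }
    }
[libdefaults]
    default_realm = EXAMPLE.ORG
"""

SECTION_RE = re.compile(r"\[([^\]\s]+)\]$")


def parse_krb5_conf(text):
    """Flatten text in section/binding/subsection syntax.

    Rules implemented, following the description above:
      * "[name]" starts a top-level section;
      * "lhs = rhs" is a binding; if the first non-blank character of rhs
        is "{" it opens a subsection, closed by a line holding only "}";
      * any other right-hand side is a plain value, even if it contains
        braces later on (e.g. "value with {}").
    Repeated names keep the last value; a real krb5.conf parser keeps all of
    them, which matters for multi-valued settings such as "kdc = ...".
    """
    result = {}
    path = []  # [section, subsection, ...] currently open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            if len(path) > 1:
                raise ValueError(f"line {lineno}: section header inside an open subsection")
            path = [m.group(1)]
            continue
        if line == "}":
            if len(path) < 2:
                raise ValueError(f"line {lineno}: '}}' without an open subsection")
            path.pop()
            continue
        if not path:
            raise ValueError(f"line {lineno}: binding before any [section]")
        lhs, eq, rhs = line.partition("=")
        if not eq or not lhs.strip():
            raise ValueError(f"line {lineno}: expected 'name = value'")
        name, value = lhs.strip(), rhs.strip()
        if value.startswith("{"):
            path.append(name)  # subsection opens here
        else:
            result["/".join(path + [name])] = value
    if len(path) > 1:
        raise ValueError("unterminated subsection: " + "/".join(path))
    return result


if __name__ == "__main__":
    for key, value in parse_krb5_conf(SAMPLE_CONF).items():
        print(f"{key} = {value}")
```

Running the file prints the four flattened bindings; an unterminated subsection or a stray closing brace raises ValueError with the offending line number, which is the check you want before handing a hand-edited krb5.conf to a KDC.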
73 For in-depth information about the contents of the configuration file, refer to
106 SRV-record for your realm, or your Kerberos server has DNS CNAME
130 remember this key (or password), but just to enter it once and it will
131 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
137 Verifying password - Master key:
141 @kbd{--random-key} flag to kstash. This will make sure you have a good key
148 @kbd{-l} option (to enable local database mode). First issue a
162 # kadmin -l
170 Password:
171 Verifying password - Password:
179 me@@MY.REALM's Password:
195 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
196 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
197 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
198 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
210 Both interactive editing and command line flags can be used (use --help
221 Attributes are removed from the list by prefixing them with @samp{-}.
228 Password expiration time [never]:
229 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
233 Attributes: requires-pre-auth
243 YYYY-mm-dd
244 YYYY-mm-dd HH:MM:SS
270 @command{verify_krb5_conf}. The tool checks for common errors, but
276 common configuration error that will cause problems later. Common
281 kadmin -l check REALM.EXAMPLE.ORG
289 (using the @kbd{--random-key} flag to get a random key) and then
293 kadmin> add --random-key host/my.host.name
301 1 des-cbc-md5 host/my.host.name@@MY.REALM
302 1 des-cbc-md4 host/my.host.name@@MY.REALM
303 1 des-cbc-crc host/my.host.name@@MY.REALM
304 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
307 @node Remote administration, Password changing, keytabs, Setting up a realm
316 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
319 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
326 principal [priv1,priv2,...] [glob-pattern]
330 glob-pattern). When there is a match, the access rights of that line are
334 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
339 If a @var{glob-pattern} is given on a line, it restricts the access
355 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
358 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
359 @section Password changing
377 @subsection Password quality assurance
380 to guess them and to avoid off-line attacks (although
381 pre-authentication provides some defence against off-line attacks).
383 password quality controls in @command{kpasswdd} and @command{kadmind}.
391 policies = external-check builtin:minimum-length modulename:policyname
398 @samp{policy_libraries}). All built-in policies can be qualified with
399 a module name of @samp{builtin} to unambiguously specify the built-in
402 The built-in policies are
406 @item external-check
415 new-password: @var{password}
417 where @var{password} is the password to check for the previous
420 If the external application approves the password, it should return
422 doesn't approve the password, a one-line error message explaining the
426 error and exit with a non-zero error code.
428 @item minimum-length
430 The minimum length password quality check reads the configuration file
431 stanza @samp{[password_quality]min_length} and requires the password
434 @item character-class
436 The character-class password quality check reads the configuration
438 the password to have characters from at least that many character
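The external-check exchange described above (the principal and new-password lines on stdin terminated by end, an APPROVED reply with exit status 0 to accept, a one-line reason and a non-zero exit to reject) as an added example that is not Heimdal's own code: a complete external program that also applies minimum-length and character-class rules of the kind the built-in policies implement. The thresholds and the "no principal name in the password" rule are this example's own choices; the external_program setting in [password_quality] is where Heimdal is told to run it.

```python
#!/usr/bin/env python3
# Added example (not Heimdal code): an external password-quality program for
# kadmind/kpasswdd, configured with  external_program = /path/to/this/script
# in [password_quality] together with  policies = external-check.
# Heimdal writes three lines to the program's stdin:
#     principal: <principal>
#     new-password: <password>
#     end
# To accept, the program prints APPROVED and exits 0; to reject, it prints a
# one-line reason and exits non-zero. The policy enforced below (minimum
# length, character classes, principal name not in the password) is this
# example's own choice, not a Heimdal default.
import io
import sys

MIN_LENGTH = 8    # local policy choice for this example
MIN_CLASSES = 3   # out of: lower-case, upper-case, digit, other


def character_classes(password):
    """Count distinct character classes present: lower, upper, digit, other."""
    seen = set()
    for ch in password:
        if ch.islower():
            seen.add("lower")
        elif ch.isupper():
            seen.add("upper")
        elif ch.isdigit():
            seen.add("digit")
        else:
            seen.add("other")
    return len(seen)


def check_password(principal, password):
    """Return None if the password is acceptable, else a one-line reason."""
    if len(password) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters long"
    if character_classes(password) < MIN_CLASSES:
        return f"password must mix at least {MIN_CLASSES} character classes"
    # First component of the principal, e.g. "lha" from lha/admin@EXAMPLE.ORG
    name = principal.split("@", 1)[0].split("/", 1)[0]
    if len(name) >= 3 and name.lower() in password.lower():
        return "password must not contain the principal name"
    return None


def parse_request(lines):
    """Read 'key: value' lines up to 'end'; return (principal, new password)."""
    fields = {}
    for line in lines:
        line = line.rstrip("\n")
        if line == "end":
            break
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed request line: {line!r}")
        fields[key] = value
    try:
        return fields["principal"], fields["new-password"]
    except KeyError as missing:
        raise ValueError(f"request is missing the {missing} line") from None


def run(lines, out):
    """Handle one request from 'lines', write the reply to 'out', return exit code."""
    try:
        principal, password = parse_request(lines)
    except ValueError as err:
        out.write(f"{err}\n")
        return 2
    reason = check_password(principal, password)
    if reason is None:
        out.write("APPROVED\n")
        return 0
    out.write(reason + "\n")
    return 1


def handle_request(text):
    """Run one request given as a string; returns (exit code, reply text)."""
    out = io.StringIO()
    code = run(io.StringIO(text), out)
    return code, out.getvalue()


if __name__ == "__main__":
    sys.exit(run(sys.stdin, sys.stdout))
```

A malformed or truncated request is rejected with exit status 2 rather than accepted, so a broken pipe between kadmind and the checker fails closed. Keep the reason text to one line: the daemon relays only the first line to the user.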
446 If you want to write your own shared object to check password
449 Code for a password quality checking function that uses the cracklib
456 @file{lib/kadm5/check-cracklib.pl}.
458 If no password quality checking function is configured, the only check
459 performed is that the password is at least six characters long.
461 To check the password policy settings, use the command
462 @command{verify-password-quality} in @command{kadmin} program. The password
468 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
498 slave# ktutil get -p foo/admin hprop/`hostname`
504 the slaves. This principal should be added when running @kbd{kadmin -l
506 please add it with @kbd{kadmin -l add}.
516 This was just a hands-on example to make sure that everything was
539 Protocol-wise, all the slaves connect to the master and as a greeting
544 also a keep-alive protocol that makes sure all slaves are up and running.
547 slaves, the ipropd-master also listens on a status unix
550 ipropd-master to check for a new version in the log file. As a fallback in
556 The program that runs on the master is @command{ipropd-master} and all
557 clients run @command{ipropd-slave}.
566 for some peculiar reason, you can use the @kbd{--port} option. This is
583 The next step is to start the @command{ipropd-master} process on the master
584 server. The @command{ipropd-master} listens on the UNIX domain socket
589 this signal. Then, start @command{ipropd-slave} on all the slaves:
592 master# /usr/heimdal/libexec/ipropd-master &
593 slave# /usr/heimdal/libexec/ipropd-slave master &
596 To manage the iprop log file you should use the @command{iprop-log}
599 @node Encryption types and salting, Credential cache server - KCM, Incremental propagation, Setting…
609 Salting is used to make it harder to pre-calculate all possible
611 impossible to pre-calculate all keys. Salting is the process of mixing a
612 public string (the salt) with the password, then sending it through an
613 encryption type specific string-to-key function that will output the
620 (none at all) or the afs-salt (using the cell (realm in
631 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
632 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
633 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
634 salt-string is the string that will be used as salt (remember that if
638 Common types of salting include
641 @item @code{v4} (or @code{des:pw-salt:})
647 @item @code{v5} (or @code{pw-salt})
649 @code{pw-salt} uses the default salt for each encryption type, which is
653 @item @code{afs3-salt}
655 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
656 the cell name appended to the password.
660 @node Credential cache server - KCM, Cross realm, Encryption types and salting, Setting up a realm
661 @section Credential cache server - KCM
683 credentials. @command{klist -l} lists the credentials and the star
688 lha@@KTH.SE's Password:
689 $ klist -l
698 $ kswitch -i
708 $ klist -l
721 -o GSSAPIAuthentication=yes \
722 -o GSSAPIKeyExchange=yes \
723 -o GSSAPIClientIdentity=lha@@KTH.SE \
729 @node Cross realm, Transit policy, Credential cache server - KCM, Setting up a realm
770 vr$ telnet -l lha hummel.it.su.se
797 cross-realm trust with every realm to which you wish to authenticate
799 multi-hop cross-realm trust where a client principal in realm A
801 both A and C have cross-realm trust relationships. In this situation,
802 A and C need not set up cross-realm principals between each other.
804 If you want to use cross-realm authentication through an intermediate
814 @subsection Allowing cross-realm transits
817 destination realm adds its peer to the "transited-realms" field in the
819 if one of the transited-realms changed the order of the list. For the
829 CLIENT-REALM = @{
830 SERVER-REALM = PERMITTED-CROSS-REALMS ...
835 direct cross-realm set up with @code{KTH.SE}. @code{KTH.SE} has
836 direct cross-realm set up with @code{STACKEN.KTH.SE} and @code{SU.SE}.
837 @code{DSV.SU.SE} only has direct cross-realm set up with @code{SU.SE}.
854 The first entry allows cross-realm authentication from clients in
856 @code{STACKEN.KTH.SE}. The second entry allows cross-realm
867 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
870 @subsection Configuring client cross-realm transits
874 their local realm does not have cross-realm trust. This can be done
878 a referral to the client when the client requests a cross-realm ticket
882 For client configuration, the order of @code{PERMITTED-CROSS-REALMS}
891 cross-realm to the @code{KTH.SE} realm (the first realm listed in the
892 @code{PERMITTED-CROSS-REALMS} section), and then from there to
896 the first realm in @code{PERMITTED-CROSS-REALMS} is used. If, for
908 One common place where a @code{[capaths]} configuration is desirable
909 is with Windows Active Directory forests. One common Active Directory
910 configuration is to have one top-level Active Directory realm but then
912 on organizational unit). One generally establishes cross-realm trust
913 only with the top-level realm, and then uses transit policy to permit
944 configuration are needed for bi-directional transited cross-realm
948 @c kmumble transit-check client server transit-realms ...
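The two readings of a [capaths] stanza described above, as an added example that is not Heimdal's code: the KDC treats PERMITTED-CROSS-REALMS as a set when it checks a ticket's transited-realms list, while the client walks the same list in order to choose the next krbtgt. The stanza is constructed for this example using the manual's KTH.SE / SU.SE realm names, and the last function checks the bi-directional point: each direction needs its own entry.

```python
# Added example (not Heimdal code): a model of how a [capaths] stanza is used
# on the two sides described above. The KDC compares the transited-realms
# list of a ticket with PERMITTED-CROSS-REALMS as a set (order irrelevant);
# the client walks PERMITTED-CROSS-REALMS in order to pick the next krbtgt.

# Constructed stanza as a dict:
#   CLIENT-REALM -> {SERVER-REALM: [PERMITTED-CROSS-REALMS ...]}
CAPATHS = {
    "STACKEN.KTH.SE": {
        "SU.SE": ["KTH.SE"],
        "DSV.SU.SE": ["KTH.SE", "SU.SE"],
    },
    "DSV.SU.SE": {
        "STACKEN.KTH.SE": ["SU.SE", "KTH.SE"],
    },
}


def permitted_transits(capaths, client_realm, server_realm):
    """PERMITTED-CROSS-REALMS for the (client, server) pair, as a set."""
    return set(capaths.get(client_realm, {}).get(server_realm, []))


def kdc_transit_allowed(capaths, client_realm, server_realm, transited):
    """KDC-side check of a cross-realm ticket's transited-realms list.

    A ticket that came straight from the client's own realm has an empty
    transited list and is allowed; otherwise every realm it passed through
    must be listed for this client/server pair, in any order.
    """
    if not transited:
        return True
    return set(transited) <= permitted_transits(capaths, client_realm, server_realm)


def client_path(capaths, client_realm, server_realm):
    """Client-side walk: realms whose krbtgt the client asks for, in order.

    Without a [capaths] entry the client tries the server realm directly;
    with one it goes to the first listed realm, then each following realm in
    order, and finally to the server realm.
    """
    hops = capaths.get(client_realm, {}).get(server_realm, [])
    return [client_realm, *hops, server_realm]


def missing_reverse_entries(capaths):
    """Pairs configured in one direction only.

    Both directions need their own entries for bi-directional transited
    cross-realm authentication, so this is a useful sanity check on a stanza.
    """
    missing = []
    for client_realm, servers in capaths.items():
        for server_realm in servers:
            if client_realm not in capaths.get(server_realm, {}):
                missing.append((client_realm, server_realm))
    return sorted(missing)
```

With the constructed stanza, a client in STACKEN.KTH.SE reaches DSV.SU.SE via KTH.SE and then SU.SE, the DSV.SU.SE KDC accepts that ticket whatever order the transited realms are listed in, and the sanity check reports that STACKEN.KTH.SE to SU.SE has no reverse entry.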
963 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
966 the common case, resulting in no configuration needed) and allows the
982 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
983 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
985 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
990 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
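The SRV records above are consumed by clients in the order RFC 2782 prescribes; the following added example (not Heimdal code) implements that selection over records constructed in the shape of the zone lines shown, so you can see which KDC a client tries first and why priority 20 servers are only reached after every priority 10 server.

```python
# Added example (not Heimdal code): order the SRV records for a realm the way
# RFC 2782 prescribes, so a client tries KDCs in the intended sequence.
import random

# Constructed records in the shape of the zone lines above:
# (owner name, priority, weight, port, target)
SRV_RECORDS = [
    ("_kerberos._udp.example.com.", 10, 1, 88, "kerberos.example.com."),
    ("_kerberos._udp.example.com.", 10, 1, 88, "kerberos-1.example.com."),
    ("_kerberos._udp.example.com.", 20, 0, 88, "kerberos-2.example.com."),
    ("_kerberos-adm._tcp.example.com.", 10, 1, 749, "kerberos.example.com."),
]


def srv_order(records, owner, rng=None):
    """Return [(target, port), ...] for 'owner' in RFC 2782 selection order.

    Lower priority values come first. Within one priority, records are drawn
    one at a time with probability proportional to weight; zero-weight
    records are placed first and so get only a small chance of selection.
    """
    rng = rng or random.Random()
    result = []
    matching = [r for r in records if r[0] == owner]
    for prio in sorted({r[1] for r in matching}):
        # RFC 2782: zero-weight records go first before the weighted draw.
        pool = sorted((r for r in matching if r[1] == prio), key=lambda r: r[2] != 0)
        while pool:
            total = sum(r[2] for r in pool)
            target = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(pool):
                running += rec[2]
                if running >= target:
                    result.append((rec[4], rec[3]))
                    del pool[i]
                    break
    return result


def kdc_candidates(records, realm, transport="udp"):
    """KDC addresses for a realm from its _kerberos._udp / _kerberos._tcp records."""
    return srv_order(records, f"_kerberos._{transport}.{realm.lower()}.")
```

Note that the ordering is randomized within a priority, which is exactly the load-spreading the weights are for; a realm that wants a strict fallback order must use distinct priority values rather than weights.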
1033 @code{--with-openldap=/usr/local} (adjust according to where you have
1037 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
1041 see option --hdb-openldap-module to configure.
1044 Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
1047 Add the hdb schema to the LDAP server, it's included in the source-tree
1063 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth''
1068 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
1078 security layer quality (ssf in cyrus-sasl lingo). So that requirement
1083 sasl-secprops minssf=0
1092 slapd -h "ldapi:/// ldap:///"
1097 schema definition syntax instead of the old UMich-style, V2 syntax.
1109 hdb-ldap-structural-object = inetOrgPerson
1117 hdb-ldap-structural-object is not necessary if you do not need Samba
1128 kdc# kadmin -l
1136 Password expiration time [never]:
1138 lukeh@@EXAMPLE.COM's Password:
1139 Verifying password - lukeh@@EXAMPLE.COM's Password:
1147 kdc# ldapsearch -L -h localhost -D cn=manager \
1148 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1169 appropriately when it receives an LDAP Password change Extended
1172 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sor…
1179 @subsection Using Samba LDAP password database
1182 @c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs…
1183 @c @section Using Samba LDAP password database
1196 @node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to sto…
1204 keytab. ktutil get is better in that it changes the key/password
1212 host# ktutil -k /etc/krb5-service.keytab \
1213 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1214 lha/admin@@EXAMPLE.ORG's Password:
1218 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1222 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1223 --keytab=/etc/krb5-service.keytab \
1224 service-principal@@EXAMPLE.ORG
1233 the credentials when the script-to-start-service exits.
1236 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1237 --keytab=/etc/krb5-service.keytab \
1238 service-principal@@EXAMPLE.ORG \
1239 script-to-start-service argument1 argument2
1243 @node Setting up PK-INIT, Debugging Kerberos problems, Providing Kerberos credentials to servers an…
1244 @section Setting up PK-INIT
1246 PK-INIT leverages an existing PKI (public key infrastructure), using
1248 ticket-granting ticket).
1250 To use PK-INIT you must first have a PKI. If you don't have one, it is
1263 certificates and the format used in the id-pkinit-san OtherName
1271 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
1272 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
1288 a password or other private information) that it is supposed to keep
1293 The client certificate may need to have an EKU id-pkekuoid
1307 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1316 OtherName. The OID in the type is id-pkinit-san.
1319 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1378 FILE:certificate.pem,private-key.key,other-cert.pem,....
1384 soft-token, opensc, or muscle. The argument specifies a shared object
1391 PKCS11:shared-object.so
1414 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1427 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1443 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1459 enable-pkinit = yes
1461 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1462 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1463 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1469 @subsection Using pki-mapping file
1474 # cat /var/heimdal/pki-mapping
1489 You need to change --subject in the command below to something
1493 hxtool issue-certificate \
1494 --self-signed \
1495 --issue-ca \
1496 --generate-key=rsa \
1497 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1498 --lifetime=10years \
1499 --certificate="FILE:ca.pem"
1503 type ``pkinit-kdc'' and set the PK-INIT special SubjectAltName to the
1506 You need to change --subject and --pk-init-principal in the command
1510 hxtool issue-certificate \
1511 --ca-certificate=FILE:ca.pem \
1512 --generate-key=rsa \
1513 --type="pkinit-kdc" \
1514 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1515 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1516 --certificate="FILE:kdc.pem"
1520 generate a certificate of type ``pkinit-client''. The client doesn't
1521 need to have the PK-INIT SubjectAltName set; you can have the Subject
1522 DN in the ACL file (pki-mapping) instead.
1524 You need to change --subject and --pk-init-principal in the command
1526 --pk-init-principal if you're going to use the ACL file instead.
1529 hxtool issue-certificate \
1530 --ca-certificate=FILE:ca.pem \
1531 --generate-key=rsa \
1532 --type="pkinit-client" \
1533 --pk-init-principal="lha@@TEST.H5L.SE" \
1534 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1535 --certificate="FILE:user.pem"
1558 creating client and KDC certificates, see the test-data generation
1559 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1560 certificates it creates are used to test the PK-INIT functionality in
1561 @file{tests/kdc/check-kdc.in}.
1586 openssl x509 -extensions user_certificate
1587 openssl ca -extensions user_certificate
1591 @c --- ms certificate
1605 @section Using PK-INIT with Windows
1609 Clients using a Windows KDC with PK-INIT need configuration since
1610 Windows uses a pre-standard format, and this can't be autodetected.
1630 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1631 Smart Card Logon with Third-Party Certification Authorities'' for a
1638 2000 CA, you want to look at Microsoft Knowledge Base Article - 313274
1642 @node Debugging Kerberos problems, , Setting up PK-INIT, Setting up a realm
1651 libkrb5 = 0-/SYSLOG: