Lines Matching +full:key +full:- +full:up
3 @node Setting up a realm, Applications, Building and Installing, Top
5 @chapter Setting up a realm
26 * Credential cache server - KCM::
29 * Setting up DNS::
32 * Setting up PK-INIT::
36 @node Configuration file, Creating the database, Setting up a realm, Setting up a realm
48 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
51 @samp{@{} as the first non-whitespace character after the equal sign. All
57 a-subsection = @{
59 other-var = value with @{@}
60 sub-sub-section = @{
70 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
71 be @samp{section1/a-subsection/other-var}.
73 For in-depth information about the contents of the configuration file, refer to
106 SRV-record for your realm, or your Kerberos server has DNS CNAME
117 @node Creating the database, Modifying the database, Configuration file, Setting up a realm
129 choose to, these can be encrypted with a master key. You do not have to
130 remember this key (or password); you only enter it once and it will
131 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
132 master key, run @samp{kstash} to create this master key:
136 Master key:
137 Verifying password - Master key:
140 If you want to generate a random master key you can use the
141 @kbd{--random-key} flag to kstash. This will make sure you have a good key
144 If you have a master key, make sure you make a backup of your master
145 key file; without it backups of the database are of no use.
148 @kbd{-l} option (to enable local database mode). First issue a
158 principal. The principal should contain a realm, so if you haven't set up
162 # kadmin -l
171 Verifying password - Password:
195 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
196 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
197 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
198 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
201 @node Modifying the database, Checking the setup, Creating the database, Setting up a realm
210 Both interactive editing and command line flags can be used (use --help
221 Attributes are removed from the list by prefixing them with @samp{-}.
229 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
233 Attributes: requires-pre-auth
243 YYYY-mm-dd
244 YYYY-mm-dd HH:MM:SS
263 @node Checking the setup, keytabs, Modifying the database, Setting up a realm
281 kadmin -l check REALM.EXAMPLE.ORG
284 @node keytabs, Remote administration, Checking the setup, Setting up a realm
289 (using the @kbd{--random-key} flag to get a random key) and then
293 kadmin> add --random-key host/my.host.name
301 1 des-cbc-md5 host/my.host.name@@MY.REALM
302 1 des-cbc-md4 host/my.host.name@@MY.REALM
303 1 des-cbc-crc host/my.host.name@@MY.REALM
304 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
307 @node Remote administration, Password changing, keytabs, Setting up a realm
316 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
319 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
326 principal [priv1,priv2,...] [glob-pattern]
330 glob-pattern). When there is a match, the access rights of that line are
334 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
339 If a @var{glob-pattern} is given on a line, it restricts the access
355 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
358 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
380 to guess them and to avoid off-line attacks (although
381 pre-authentication provides some defence against off-line attacks).
391 policies = external-check builtin:minimum-length modulename:policyname
398 @samp{policy_libraries}). All built-in policies can be qualified with
399 a module name of @samp{builtin} to unambiguously specify the built-in
402 The built-in policies are
406 @item external-check
410 A number of key/value pairs are passed as input to the program, one per
411 line, ending with the string @samp{end}. The key/value lines are of
415 new-password: @var{password}
426 error and exit with a non-zero error code.
428 @item minimum-length
434 @item character-class
436 The character-class password quality check reads the configuration
456 @file{lib/kadm5/check-cracklib.pl}.
462 @command{verify-password-quality} in @command{kadmin} program. The password
468 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
474 @node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
475 @section Slave servers
489 Every slave needs a database directory, the master key (if it was used
498 slave# ktutil get -p foo/admin hprop/`hostname`
504 the slaves. This principal should be added when running @kbd{kadmin -l
506 please add it with @kbd{kadmin -l add}.
516 This was just a hands-on example to make sure that everything was
526 @node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
539 Protocol-wise, all the slaves connect to the master and as a greeting
544 also a keep-alive protocol that makes sure all slaves are up and running.
547 slaves, the ipropd-master also listens on a status unix
550 ipropd-master to check for new version in the log file. As a fallback in
556 The program that runs on the master is @command{ipropd-master} and all
557 clients run @command{ipropd-slave}.
566 for some peculiar reason, you can use the @kbd{--port} option. This is
583 The next step is to start the @command{ipropd-master} process on the master
584 server. The @command{ipropd-master} listens on the UNIX domain socket
589 this signal. Then, start @command{ipropd-slave} on all the slaves:
592 master# /usr/heimdal/libexec/ipropd-master &
593 slave# /usr/heimdal/libexec/ipropd-slave master &
596 To manage the iprop log file you should use the @command{iprop-log}
599 … Encryption types and salting, Credential cache server - KCM, Incremental propagation, Setting up …
609 Salting is used to make it harder to pre-calculate all possible
611 impossible to pre-calculate all keys. Salting is the process of mixing a
613 encryption type specific string-to-key function that will output the
614 fixed size encryption key.
620 (none at all) or the afs-salt (using the cell (realm in
631 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
632 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
633 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
634 salt-string is the string that will be used as salt (remember that if
641 @item @code{v4} (or @code{des:pw-salt:})
647 @item @code{v5} (or @code{pw-salt})
649 @code{pw-salt} uses the default salt for each encryption type is
653 @item @code{afs3-salt}
655 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
660 @node Credential cache server - KCM, Cross realm, Encryption types and salting, Setting up a realm
661 @section Credential cache server - KCM
683 credentials. @command{klist -l} lists the credentials and the star
689 $ klist -l
698 $ kswitch -i
708 $ klist -l
721 -o GSSAPIAuthentication=yes \
722 -o GSSAPIKeyExchange=yes \
723 -o GSSAPIClientIdentity=lha@@KTH.SE \
729 @node Cross realm, Transit policy, Credential cache server - KCM, Setting up a realm
737 key shared with the Kerberos server in your realm.
758 The two principals must have the same key, key version number, and the
770 vr$ telnet -l lha hummel.it.su.se
792 @node Transit policy, Setting up DNS, Cross realm, Setting up a realm
796 Under some circumstances, you may not wish to set up direct
797 cross-realm trust with every realm to which you wish to authenticate
799 multi-hop cross-realm trust where a client principal in realm A
801 both A and C have cross-realm trust relationships. In this situation,
802 A and C need not set up cross-realm principals between each other.
804 If you want to use cross-realm authentication through an intermediate
814 @subsection Allowing cross-realm transits
817 destination realm adds its peer to the "transited-realms" field in the
819 if one of the transited-realms changed the order of the list. For the
829 CLIENT-REALM = @{
830 SERVER-REALM = PERMITTED-CROSS-REALMS ...
835 direct cross-realm set up with @code{KTH.SE}. @code{KTH.SE} has
836 direct cross-realm set up with @code{STACKEN.KTH.SE} and @code{SU.SE}.
837 @code{DSV.SU.SE} only has direct cross-realm set up with @code{SU.SE}.
854 The first entry allows cross-realm authentication from clients in
856 @code{STACKEN.KTH.SE}. The second entry allows cross-realm
867 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
870 @subsection Configuring client cross-realm transits
874 their local realm does not have cross-realm trust. This can be done
878 a referral to the client when the client requests a cross-realm ticket
882 For client configuration, the order of @code{PERMITTED-CROSS-REALMS}
891 cross-realm to the @code{KTH.SE} realm (the first realm listed in the
892 @code{PERMITTED-CROSS-REALMS} section), and then from there to
896 the first realm in @code{PERMITTED-CROSS-REALMS} is used. If, for
910 configuration is to have one top-level Active Directory realm but then
912 on organizational unit). One generally establishes cross-realm trust
913 only with the top-level realm, and then uses transit policy to permit
944 configuration are needed for bi-directional transited cross-realm
948 @c kmumble transit-check client server transit-realms ...
950 @node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
951 @section Setting up DNS
952 @cindex Setting up DNS
963 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
982 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
983 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
985 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
990 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
1012 …atabase, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
1021 suitable authorisation policy, it is possible to set this up in a
1033 @code{--with-openldap=/usr/local} (adjust according to where you have
1037 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
1041 see option --hdb-openldap-module to configure.
1044 Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
1047 Add the hdb schema to the LDAP server, it's included in the source-tree
1063 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
1068 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
1069 a tree. The user that the key is mapped to should have a
1078 security layer quality (ssf in cyrus-sasl lingo). So that requirement
1083 sasl-secprops minssf=0
1092 slapd -h "ldapi:/// ldap:///"
1097 schema definition syntax instead of the old UMich-style, V2 syntax.
1109 hdb-ldap-structural-object = inetOrgPerson
1117 hdb-ldap-structural-object is not necessary if you do not need Samba
1125 stashing a master key are as per any Heimdal installation.
1128 kdc# kadmin -l
1139 Verifying password - lukeh@@EXAMPLE.COM's Password:
1147 kdc# ldapsearch -L -h localhost -D cn=manager \
1148 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1153 Now consider adding indexes to the database to speed up the access, at
1172 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sor…
1182 … Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
1186 arcfour's string to key functions principal/realm independent. So now
1190 First, you should set up Samba and get that working with LDAP backend.
1193 Heimdal will pick up the Samba LDAP entries if they are in the same
1196 …os credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Sett…
1202 The easiest way to get tickets for a service is to store the key in a
1204 keytab. ktutil get is better in that it changes the key/password
1212 host# ktutil -k /etc/krb5-service.keytab \
1213 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1218 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1219 key from the keytab.
1222 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1223 --keytab=/etc/krb5-service.keytab \
1224 service-principal@@EXAMPLE.ORG
1233 the credentials when the script-to-start-service exits.
1236 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1237 --keytab=/etc/krb5-service.keytab \
1238 service-principal@@EXAMPLE.ORG \
1239 script-to-start-service argument1 argument2
1243 @node Setting up PK-INIT, Debugging Kerberos problems, Providing Kerberos credentials to servers an…
1244 @section Setting up PK-INIT
1246 PK-INIT leverages an existing PKI (public key infrastructure), using
1248 ticket-granting ticket).
1250 To use PK-INIT you must first have a PKI. If you don't have one, it is
1263 certificates and the format used in the id-pkinit-san OtherName
1270 First, the certificate should have an Extended Key Usage (EKU)
1271 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
1272 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
1293 The client certificate may need to have an EKU id-pkekuoid
1307 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1316 OtherName. The OID in the type is id-pkinit-san.
1319 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1366 FILE: specifies a file that contains a certificate or private key.
1369 certificates and the code will try to match the private key and
1378 FILE:certificate.pem,private-key.key,other-cert.pem,....
1384 soft-token, opensc, or muscle. The argument specifies a shared object
1391 PKCS11:shared-object.so
1414 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1415 Enter your private key passphrase:
1427 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1443 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1459 enable-pkinit = yes
1460 pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
1461 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1462 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1463 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1469 @subsection Using pki-mapping file
1474 # cat /var/heimdal/pki-mapping
1489 You need to change --subject in the command below to something
1493 hxtool issue-certificate \
1494 --self-signed \
1495 --issue-ca \
1496 --generate-key=rsa \
1497 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1498 --lifetime=10years \
1499 --certificate="FILE:ca.pem"
1503 type ``pkinit-kdc'' and set the PK-INIT special SubjectAltName to the
1506 You need to change --subject and --pk-init-principal in the command
1510 hxtool issue-certificate \
1511 --ca-certificate=FILE:ca.pem \
1512 --generate-key=rsa \
1513 --type="pkinit-kdc" \
1514 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1515 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1516 --certificate="FILE:kdc.pem"
1520 generate a certificate of type ``pkinit-client''. The client doesn't
1521 need to have the PK-INIT SubjectAltName set; you can have the Subject
1522 DN in the ACL file (pki-mapping) instead.
1524 You need to change --subject and --pk-init-principal in the command
1526 --pk-init-principal if you're going to use the ACL file instead.
1529 hxtool issue-certificate \
1530 --ca-certificate=FILE:ca.pem \
1531 --generate-key=rsa \
1532 --type="pkinit-client" \
1533 --pk-init-principal="lha@@TEST.H5L.SE" \
1534 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1535 --certificate="FILE:user.pem"
1558 creating client and KDC certificates, see the test-data generation
1559 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1560 certificates it creates are used to test the PK-INIT functionality in
1561 @file{tests/kdc/check-kdc.in}.
1586 openssl x509 -extensions user_certificate
1587 openssl ca -extensions user_certificate
1591 @c --- ms certificate
1605 @section Using PK-INIT with Windows
1609 Clients using a Windows KDC with PK-INIT need configuration since
1610 Windows uses a pre-standard format and this can't be autodetected.
1630 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1631 Smart Card Logon with Third-Party Certification Authorities'' for a
1638 2000 CA, you want to look at Microsoft Knowledge Base Article - 313274
1642 @node Debugging Kerberos problems, , Setting up PK-INIT, Setting up a realm
1651 libkrb5 = 0-/SYSLOG: