HP HP-UX Kerberos Data Security Setup and Install

Installing, Configuring and
Administering the Kerberos Server V 2.0
on HP-UX 11i
HP 9000 Networking
Edition 2
Manufacturing Part Number: T1417-90003
E0602
U.S.A.
Legal Notices
The information in this document is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard
shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.
Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.
HEWLETT-PACKARD COMPANY 3000 Hanover Street Palo Alto, California 94304 U.S.A.
Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs in their present form or with alterations, is expressly prohibited.
Copyright Notices. ©copyright 1983-2002 Hewlett-Packard Company, all rights reserved.
Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.
©copyright 1979, 1980, 1983, 1985-93 Regents of the University of California
This software is based in part on the Fourth Berkeley Software Distribution under license from the Regents of the University of California.
©Copyright 1983-2002, Hewlett-Packard Co., All Rights Reserved
©Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
©Copyright 1980, 1984, 1986 Novell, Inc.
©Copyright 1986-1992 Sun Microsystems, Inc.
©Copyright 1985-2002 Massachusetts Institute of Technology.
©Copyright 1989-93 The Open Software Foundation, Inc.
©Copyright 1986 Digital Equipment Corporation.
©Copyright 1990 Motorola, Inc.
©Copyright 1990, 1991, 1992 Cornell University
©Copyright 1989-1991 The University of Maryland
©Copyright 1988 Carnegie Mellon University
©Copyright 1984-2002 FairCom Corporation
©Copyright 1998-2002 Cybersafe Corporation
©Copyright 1991-2002 Mentat Inc.
©Copyright 1996 Morning Star Technologies Inc.
©Copyright 1996 Progressive Systems, Inc.
©Copyright 1991-2000 Isogon Corporation, All Rights Reserved.
©Copyright 1996 OpenVision Technologies, Inc., All Rights Reserved
Trademark Notices
UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.
X Window System is a trademark of the Massachusetts Institute of Technology.
MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation.
OSF/Motif is a trademark of the Open Software Foundation, Inc. in the U.S. and other countries.
Contents
1. Overview
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
How The Kerberos Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
DES vs 3DES Key Type Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2. Installation
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Before Installing The Kerberos Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing The Kerberos Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3. Migration
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Policy Migration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Step-wise Procedure For Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4. Interoperability With Windows 2000
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Understanding the Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table of Analogous Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
HP’s Kerberos Server and Windows 2000 Interoperability. . . . . . . . . . . . . . . . . . . . . . 55
Establishing Trust Between HP’s Kerberos Servers and Windows 2000. . . . . . . . . . . 56
Single Realm (Domain) Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Inter-Realm (Inter-Domain) Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Special Considerations for Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Database Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Encryption Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Postdated Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5. Configuration
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuration Files For The Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Auto-Configuration of the Security Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Manual Configuration Of The Kerberos Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Editing the Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
krb.conf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
krb.conf Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Sample krb.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
krb.realms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
krb.realms Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Sample krb.realms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring The Primary Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Creating The Principal Database After Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Add An Administrative Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
To add an administrative principal using the Administrator . . . . . . . . . . . . . . . . . . 80
To add an administrative principal using the Remote Command-Line-Administrator . . . . . 81
Create The host/<fqdn> principal And Extract Its Service Key . . . . . . . . . . . . . . . . . . 82
Start the Kerberos daemons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Define Secondary Server Network Locations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Security Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Password Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
admin_acl_file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Starting the Security Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring The Secondary Security Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Create the Principal Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Copy the Kerberos Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Create a host/<fqdn> Principal and Extract Its Key . . . . . . . . . . . . . . . . . . . . . . . . . 90
6. Administration
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Administering the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
kadmind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
admin_acl_file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Assigning Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Adding Entries to the admin_acl_file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Creating Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Using Restricted Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Password Policy File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Editing the Default File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Adding User Principals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Adding New Service Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
kadmin Vs kadminl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Standard Functionality of the Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Local Administrator - kadminl_ui. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Usage of kadminl_ui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Principals Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
General Tab (Principal Information window). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Adding Principals to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
To add a principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
To simultaneously add multiple principals with the same settings . . . . . . . . . . . . 123
Creating an Administrative Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
To create an administrative principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Finding a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
To search for a principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Deleting a Principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
To delete a user principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Loading Default Values for a Principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
To reload the default values for a principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Restoring Previously Saved Values for a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
To restore previously saved values for a principal . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Changing Ticket Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
To change ticket information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Rules for Setting Maximum Ticket Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Rules for Setting Maximum Renew Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Changing Password Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
To change the password information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Password Tab (Principal Information window) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Change Password window (Password tab) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Changing Key Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
To change a DES principal’s key type to 3DES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Changing Principal Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
To change principal attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Attributes Tab (Principal Information window). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Deleting a Service Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
To delete a service principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Extracting Service Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
To securely extract principal keys to the service key table . . . . . . . . . . . . . . . . . . . 151
Extract Service Key Table window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Using Groups to Control Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
To edit the default group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Group Information window (Principal Information window) . . . . . . . . . . . . . . . . . . . 156
Principal Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Setting Administrative Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
To set administrative permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Realms Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Realm Information window (Realms tab) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Adding a Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
To add a realm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Deleting a Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
To delete a realm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Remote Administrator - kadmin_ui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Manual Administration Using kadmin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Add a New Principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Add Random Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Specify New Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Change Password to a New Randomly Generated Password. . . . . . . . . . . . . . . . . . 173
Delete a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Extract a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
List the Attributes of a Principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Modifying a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Principal Database Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Creating the Kerberos Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Database Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Database Master Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Destroying the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Dumping the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Loading the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Stashing the Master Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Starting and Stopping Daemons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Maintenance Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Protecting Security Server Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Backing Up Primary Server Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Special Note on Backing up the Principal Database . . . . . . . . . . . . . . . . . . . . . . . . 202
Removing Unused Space From the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7. Propagation
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Propagation Hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Propagation Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Service Key Table (v5srvtab). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Maintaining Secret Keys In The Key Table File. . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Propagation Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
kpropd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
mkpropcf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
kpropd.ini . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
prpadmin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Setting Up Propagation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Monitoring Propagation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Monitoring the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Restarting Propagation Using the Simple Process. . . . . . . . . . . . . . . . . . . . . . . . . . 234
Restarting Propagation Using the Full Dump Method . . . . . . . . . . . . . . . . . . . . . . 235
Propagation Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Converting a Secondary Server to a Primary Server . . . . . . . . . . . . . . . . . . . . . . . . 236
Restarting Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Cleaning the Temp Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring for Multi-realm Enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Number of Realms per Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Primary Servers That Support Multiple Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Multiple Primary Servers That Support A Single Realm . . . . . . . . . . . . . . . . . . . . 240
Adding More Realms to a Multi-realm Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Database Propagation for Multi-realm Databases . . . . . . . . . . . . . . . . . . . . . . . . . . 240
8. Inter-realm
Considering Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
One-way Trust. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Two-way Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Hierarchical Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Other Types Of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Configuring for Multi-realm Enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Number of Realms per Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Primary Servers That Support Multiple Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Multiple Primary Servers That Support A Single Realm . . . . . . . . . . . . . . . . . . . . 248
Adding More Realms to a Multi-realm Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Database Propagation for Multi-realm Databases . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring Direct Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Direct Trust Relationship Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Hierarchical Inter-realm Trust. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
A Hierarchical Chain of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Hierarchical Inter-realm Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Hierarchical Inter-realm Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
9. Troubleshooting
Chapter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Characterizing the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Diagnostic Tools Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Troubleshooting Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Logging Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Services Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Troubleshooting Techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
General Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Forgotten Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Locking and Unlocking Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Clock Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Typical User Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Decrypt integrity check failed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Password has already been used or is too close to current one . . . . . . . . . . . . . . . . 273
Administrative Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Password has expired while getting initial ticket. . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Service key not available while getting initial ticket . . . . . . . . . . . . . . . . . . . . . . . . 274
Reporting Problems to Your Hewlett-Packard Support Contact. . . . . . . . . . . . . . . . . 276
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Tables
Table 4-1. Table of Analogous Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 5-1. Security Server Files That Require Configuration . . . . . . . . . . . . . . . . . . 63
Table 6-1. Administrative Permission Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Table 6-2. Default Password Policy Settings for the base group . . . . . . . . . . . . . . . 101
Table 6-3. Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Table 6-4. Require Initial Authentication Attribute Settings . . . . . . . . . . . . . . . . . 185
Table 6-5. Principal Database Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Table 6-6. Situations that require Starting and Stopping Daemons and Services. 200
Table 7-1. Propagation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Table 7-2. Primary Server Services and Daemons. . . . . . . . . . . . . . . . . . . . . . . . . . 225
Table 9-1. Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Table 9-2. Table of Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Figures
Figure 1-1. Authentication Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 6-1. Principals Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 6-2. General Tab (Principal Information Window). . . . . . . . . . . . . . . . . . . . 120
Figure 6-3. Password Tab (Principal Information Window) . . . . . . . . . . . . . . . . . . 138
Figure 6-4. Change Password Window (Password Tab). . . . . . . . . . . . . . . . . . . . . . 140
Figure 6-5. Attributes Tab (Principal Information Window). . . . . . . . . . . . . . . . . . 145
Figure 6-6. Extract Service Key Table Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Figure 6-7. Group Information Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Figure 6-8. Administrative Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Figure 6-9. Realms Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Figure 6-10. Realm Information Window (Realms Tab) . . . . . . . . . . . . . . . . . . . . . 164
Figure 6-11. Logon Window (Remote Administrator) . . . . . . . . . . . . . . . . . . . . . . . 168
Figure 6-12. Change Password Window (Remote Administrator). . . . . . . . . . . . . . 168
Figure 6-13. Warning Message (Remote Administrator) . . . . . . . . . . . . . . . . . . . . . 169
Figure 8-1. Hierarchical Inter-realm Configuration. . . . . . . . . . . . . . . . . . . . . . . . . 254
Preface
This manual describes how to install, configure, administer and troubleshoot the Kerberos Server on HP 9000 servers running HP-UX 11i.
Audience
HP intends this manual for system managers or administrators responsible for configuring and maintaining the Kerberos server on HP-UX 11i.
This manual is based on the assumption that you have:
An understanding of distributed network concepts and client-server computing
Demonstrated knowledge of UNIX
An understanding of the basics of Kerberos
Related Software Products
PAM Kerberos on HP-UX 11i delivered as part of the HP-UX Internet operating environment component (HP-UX 11i-OE).
KRB5 Client Software on HP-UX 11i delivered as part of the core O/S.
GSS-API on HP-UX 11i (J5849AA) delivered as part of the core O/S.
Related Documentation
Configuration Guide for Kerberos Client Products on HP-UX (T1417-9005)
PAM Kerberos Release Notes for HP-UX 11i (J5849-90002)
PAM Kerberos Release Notes for HP-UX 11.0 (J5849-90004)
KRB5 Client Software Release Notes for HP-UX 11.0 (J5849-90005)
GSS-API Release Notes for HP-UX 11.0 (J5849-90006)
Installing and Administering Internet Services (B2355-90759)
Using Internet Services (B2355-90148)
HP-UX operating system version 11i or later - see Installing and Updating HP-UX for HP 9000 Series 700, or Installing and Updating HP-UX for HP 9000 Series 800.
Accessing the World Wide Web
HP Technical Documentation and White Papers — http://docs.hp.com
http://www.unixsolutions.hp.com/products/hpux/hpux11/whitepapers/netsecur.pdf
HP-UX IT Resource Center — http://us-support.external.hp.com (US and Asia Pacific)
http://europe-support.external.hp.com (Europe)
The Internet Engineering Task Force RFC Pages — http://www.ietf.org/rfc.html
Related Request for Comments (RFCs)
RFC 1510 - The Kerberos Network Authentication Service (V5)
RFC 1964 - The Kerberos Version 5 GSS-API Mechanism
RFC 2743 - Generic Security Service Application Program Interface
RFC 2744 - Generic Security Service API
Conventions
The following conventions are used throughout this manual:
Text Conventions
italic              Identifies book titles
bold                Identifies command-line options, command buttons and menu items
Syntax Conventions
fixed width         Identifies file names, system prompts, operating system commands, and UNIX error and system messages
italic fixed width  Identifies variables that you need to replace according to your environment
bold fixed width    Identifies the default in a series of parameters
|                   Separates mutually exclusive parameters; only one of the parameters separated by the bar is allowed
[ ]                 Pair indicates that the enclosed parameter(s) are optional
{ }                 Pair indicates that only one of the enclosed parameters is required
\                   Indicates that a command line, parameter, or code continues in the following line
#                   Precedes a UNIX command that must be performed as a root user
%                   Precedes a UNIX command that must be performed as an ordinary user
Using This Manual
The Installing, Configuring and Administering the Kerberos Server on HP-UX 11i manual describes how this product can provide the infrastructure for your security needs. Use this guide as a road map to find the information you need to configure and maintain the Kerberos Server.
This manual is organized as follows:
Chapter 1, Overview - Provides an introduction to the Kerberos Server, outlines the new features in this release and highlights the key advantages of using the Kerberos Server.
Chapter 2, Installation - Describes the prerequisites and the procedure for installing the Kerberos Server.
Chapter 3, Migration - Explains the migration process from Kerberos Server V 1.0 to the latest version, Kerberos Server V 2.0.
Chapter 4, Interoperability - Contains information specific to establishing interoperability with Windows 2000 Kerberos implementations.
Chapter 5, Configuration - Provides information on the configuration files of the Kerberos Server. These configuration files are explained in detail with relevant examples and sample files. The process for configuring your Primary Security Server and Secondary Security Servers is also explained here.
Chapter 6, Administration - Describes the procedures for administering the Kerberos Server’s database. It also discusses Principals and their attributes.
Chapter 7, Propagation - Describes the tools and procedures that enable propagation of the Kerberos Server’s database from the Primary Security Server to the Secondary Security Servers.
Chapter 8, Inter-realm - Explains inter-realm authentication and interoperability trust, and briefly covers the additional server configuration requirements in deployments that use multiple realms and inter-realm authentication.
Chapter 9, Troubleshooting - Provides troubleshooting techniques that will enable you to resolve most of the common problems encountered while using the Kerberos Server. A brief note on reporting problems to your Hewlett-Packard Support Contact is also provided here.
Glossary
Index

1 Overview

This chapter provides an introduction to HP’s Kerberos Server V 2.0, now available on HP-UX 11i.
Chapter Overview
This chapter covers the following topics:
“How The Kerberos Server Works” on page 25
“Authentication Process” on page 27
“DES vs 3DES Key Type Settings” on page 32
How The Kerberos Server Works
The term “Kerberos” comes from Greek mythology: “Cerberus” is the Latin variant of Kerberos, who guarded the entrance of Hades, the Greek underworld. The Kerberos security system, in turn, guards electronic transmissions that are sent across the network.
Kerberos is a mature network authentication protocol based on the IETF’s RFC 1510 specification. It is designed to provide strong authentication for client/server applications by using shared secret-key cryptography.
The Kerberos Server is based on a distributed client-server architecture. It ensures secure communication in a networked environment by leveraging individual trust relationships, and then brokers that trust across enterprise-wide, distributed client-server networks.
The basic currency of Kerberos is the ticket, which the user presents in order to use a specific service. Each service, be it a login service or an FTP service, requires a different kind of ticket. Fortunately, the Kerberized applications keep track of all the various kinds of tickets, so you don’t have to.
When you first log on to Kerberos each day, you enter your Kerberos password. In return, the Kerberos server gives you an initial ticket, which you use to request additional tickets from the Kerberos server for all the other services. For this reason, the initial ticket is also often called the ticket-granting-ticket, or TGT.
The communication between the client and server is secured by using the Kerberos protocol. Client programs make authentication requests to an authentication server, and server programs in turn service those client requests. Based on a user’s credentials, the server program grants or denies the user’s request to access network applications and services. The Kerberos Server allows entities to authenticate themselves over the network without having to transmit their passwords in clear text.
NOTE For more information on the basics of Kerberos, refer to Installing, Configuring and Administering the Kerberos Server on HP-UX 11i (T1417-0001). This document is available at http://www.docs.hp.com
The next section describes the Kerberos authentication process in enough detail to show how each step fits together.
Authentication Process
To aid you in understanding the configuration and administration issues, this section describes the authentication process. Configuring and administering your Kerberos Server are discussed in detail in the subsequent chapters of this manual.
Before the Kerberos Server grants tickets to a user principal to access secured network services, a user must sign on to the Server by providing knowledge of secret information, such as a user name and password. Once the server authenticates the user, it returns a set of initial credentials for the user, consisting of a ticket-granting-ticket (TGT) and a session key.
A service ticket is granted for a specific service principal, which can be associated with one or more Kerberos-secured services on the same system. The service ticket is used by a client application on behalf of the user, to authenticate the user to the Kerberos-secured network service. The secured client application automatically handles the transactions with the Server and the secured application server. Service tickets and associated session keys are generally cached in the user’s credentials cache along with the user’s TGT.
The figure shown below depicts the components of the secure environment and the Kerberos protocol. The step-wise procedure that follows describes how a client and server authenticate each other using Kerberos; the step numbers match the numbered arrows in the figure.
Figure 1-1 Authentication Process
Step 1. The user begins to use a Kerberos-secured application by entering the user principal name and password. Optionally, the user can request specific ticket flags and specify the key type to be used to construct the secret key. The user can also accept the default configured for the client.
Step 2. The Key Distribution Center (KDC) transforms the password into the user’s secret key and uses it to construct a message, which it sends to the Authentication Service (AS), requesting a TGT for the user. The AS is the component of the Kerberos Server that grants initial tickets.
Step 3. If the AS can decrypt the message successfully, it knows that the requesting user is who they claim to be, and issues a TGT. The TGT contains the name of the user and a session key to be used by the user and the Server for any subsequent communication. The reply message is encrypted using the user’s secret key.
Step 4. The KDC decrypts the message using the user’s secret key. If the application can successfully decrypt the message, the user is allowed to use the application. The TGT and the session key from the message are stashed in the user’s credential cache.
This protocol exchange has three important features:
the authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text
tickets are not returned unless the principal name and password are correct
the client, or anyone else, cannot look at or modify the contents of the TGT
At the end of this initial exchange with the AS, the user’s credential cache holds the user principal’s TGT and the associated session key. These are used to obtain tickets for each network service the principal wants to access.
To obtain access to a secured network service, the requesting client application uses the previously obtained TGT in a dialog with the Server. The protocol is the same as used while obtaining the TGT, except the messages contain the name of the server, the message type and an encrypted copy of the previously obtained TGT.
Step 5. The user runs a secured application, such as rlogin, rsh, rcp, ftp or telnet.
Step 6. The secured application checks for the required service ticket in the user’s credential cache. If it is there, skip to Step 10. If the user does not have the required service ticket, the secured application reads the user principal’s TGT and session key from the user’s private credentials cache.
Step 7. The secured application sends its request for a specific service ticket to the ticket-granting-service (TGS), along with the user principal’s TGT and an authenticator. An authenticator is known data, such as a timestamp and user name, encrypted with the session key.
Step 8. The TGS decrypts the authenticator to check the user’s identity and verifies that the user’s TGT and credentials have not expired. The TGS reads the secured application’s service principal key from the principal database, then builds and sends a reply back to the secured client application.
The reply contains two different packets:
The packet intended for the service principal contains a service ticket, a new session key, an authenticator and other information, all encrypted in the service principal’s key.
The packet intended for the client contains the same session key and other information.
Both packets are encrypted in the session key received by the client with the TGT.
Step 9. The secured application uses the session key received with the TGT to decrypt the reply. It stores the service ticket packet and the new session key in the user’s credentials cache. The client does not attempt to decrypt the service ticket portion of the reply; it cannot, as it does not have the service principal’s key that was used to encrypt it.
Step 10. The secured application sends the service ticket packet to the secured service, requesting a connection. The secured service decrypts the packet using its key stored in a service key table file (the default key table file name is v5srvtab).
If the service can decrypt the packet, it uses the session key included in the packet to decrypt the authenticator, which contains the user principal’s name and a timestamp. The service checks that the timestamp is within a five minute window centered around the service’s clock. This limits an attacker’s ability to replay a ticket at a time outside the clock skew.
From the principal name contained in the authenticator, the service knows that the user has been authenticated and is who the user claims to be. The service then performs authorization checks for the principal name. If the checks are successful, a connection is established.
Step 11. The secured application may require the secured service to authenticate itself (mutual authentication).
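The eleven steps above as an added runnable model (not HP's code and not the real Kerberos wire format): a toy KDC and client run the AS, TGS and application exchanges, including the authenticator freshness window from Step 10. seal()/unseal() are a stand-in for the real encryption types, and the principal names and keys are constructed sample data.

```python
import hashlib, hmac, json, os
WINDOW = 300  # five-minute acceptance window centred on the verifier's clock, as the text describes

def seal(key, obj):
    """Toy authenticated encryption standing in for a Kerberos enctype: SHA-256 keystream plus HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the key is wrong, i.e. the holder 'cannot decrypt'."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: cannot decrypt")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def check_authenticator(session_key, auth, user, now):
    """Steps 8 and 10: the authenticator must decrypt under the session key, name the user and be fresh."""
    if (a := unseal(session_key, auth))["user"] != user or abs(now - a["ts"]) > WINDOW / 2:
        raise ValueError("authenticator stale or for a different principal (possible replay)")

class KDC:
    def __init__(self, db):  # db: principal name -> long-term key (constructed sample data)
        self.db, self.tgs_key = db, os.urandom(32)
    def as_exchange(self, user):
        # Steps 2-3: issue a TGT and session key; the reply is sealed with the user's secret key
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk})
        return seal(self.db[user], {"sk": sk, "tgt": tgt})
    def tgs_exchange(self, tgt, auth, service, now):
        # Steps 7-8: verify TGT + authenticator, then return both packets sealed in the TGT session key
        t = unseal(self.tgs_key, tgt)
        check_authenticator(bytes.fromhex(t["sk"]), auth, t["user"], now)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"user": t["user"], "sk": svc_sk})  # only the service can read this
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk, "ticket": ticket})

def authenticate(kdc, user, user_key, service, service_key, client_now, service_now):
    """Client side of Steps 1-10 plus the service's check; returns the principal name the service accepts."""
    rep = unseal(user_key, kdc.as_exchange(user))           # Step 4: wrong password -> ValueError here
    sk = bytes.fromhex(rep["sk"])                            # TGT session key goes into the credentials cache
    auth = seal(sk, {"user": user, "ts": client_now})        # Step 7: authenticator under the TGT session key
    tgs_rep = unseal(sk, kdc.tgs_exchange(rep["tgt"], auth, service, client_now))
    svc_sk = bytes.fromhex(tgs_rep["sk"])                    # Step 9: the service ticket packet stays opaque
    ticket = unseal(service_key, tgs_rep["ticket"])          # Step 10: service uses its v5srvtab key
    check_authenticator(svc_sk, seal(svc_sk, {"user": user, "ts": client_now}), ticket["user"], service_now)
    return ticket["user"]
```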