diff options
Diffstat (limited to 'doc/html/admin/appl_servers.html')
| -rw-r--r-- | doc/html/admin/appl_servers.html | 356 |
1 files changed, 356 insertions, 0 deletions
diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html new file mode 100644 index 000000000000..ef7f37524d9c --- /dev/null +++ b/doc/html/admin/appl_servers.html @@ -0,0 +1,356 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>Application servers — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> + <link rel="up" title="For administrators" href="index.html" /> + <link rel="next" title="Host configuration" href="host_config.html" /> + <link rel="prev" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" + accesskey="P">previous</a> | + <a href="host_config.html" title="Host configuration" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="application-servers"> +<h1>Application servers<a class="headerlink" href="#application-servers" title="Permalink to this headline">¶</a></h1> +<p>If you need to install the Kerberos V5 programs on an application +server, please refer to the Kerberos V5 Installation Guide. Once you +have installed the software, you need to add that host to the Kerberos +database (see <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>), and generate a keytab for +that host, that contains the host’s key. You also need to make sure +the host’s clock is within your maximum clock skew of the KDCs.</p> +<div class="section" id="keytabs"> +<h2>Keytabs<a class="headerlink" href="#keytabs" title="Permalink to this headline">¶</a></h2> +<p>A keytab is a host’s copy of its own keylist, which is analogous to a +user’s password. An application server that needs to authenticate +itself to the KDC has to have a keytab that contains its own principal +and key. Just as it is important for users to protect their +passwords, it is equally important for hosts to protect their keytabs. +You should always store keytab files on local disk, and make them +readable only by root, and you should never send a keytab file over a +network in the clear. Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> +command to extract a keytab on the host on which the keytab is to +reside.</p> +<div class="section" id="adding-principals-to-keytabs"> +<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Permalink to this headline">¶</a></h3> +<p>To generate a keytab, or to add a principal to an existing keytab, use +the <strong>ktadd</strong> command from kadmin.</p> +</div> +<div class="section" id="ktadd"> +<h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3> +<blockquote> +<div><div class="line-block"> +<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div> +<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div> +</div> +</div></blockquote> +<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a +keytab file. Each principal’s keys are randomized in the process. +The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong> +command.</p> +<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges. +With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p> +<p>The options are:</p> +<dl class="docutils"> +<dt><strong>-k[eytab]</strong> <em>keytab</em></dt> +<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is +used.</dd> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> +<dd>Uses the specified keysalt list for setting the new keys of the +principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a +list of possible values.</dd> +<dt><strong>-q</strong></dt> +<dd>Display less verbose information.</dd> +<dt><strong>-norandkey</strong></dt> +<dd>Do not randomize the keys. The keys and their version numbers stay +unchanged. This option cannot be specified in combination with the +<strong>-e</strong> option.</dd> +</dl> +<p>An entry for each of the principal’s unique encryption types is added, +ignoring multiple keys with the same encryption type but different +salt types.</p> +<p>Example:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, + encryption type aes256-cts-hmac-sha1-96 added to keytab + FILE:/tmp/foo-new-keytab +kadmin: +</pre></div> +</div> +<div class="section" id="examples"> +<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4> +<p>Here is a sample session, using configuration files that enable only +AES encryption:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU +Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab +Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab +kadmin: +</pre></div> +</div> +</div> +</div> +<div class="section" id="removing-principals-from-keytabs"> +<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Permalink to this headline">¶</a></h3> +<p>To remove a principal from an existing keytab, use the kadmin +<strong>ktremove</strong> command.</p> +</div> +<div class="section" id="ktremove"> +<h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3> +<blockquote> +<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote> +<p>Removes entries for the specified <em>principal</em> from a keytab. Requires +no permissions, since this does not require database access.</p> +<p>If the string “all” is specified, all entries for that principal are +removed; if the string “old” is specified, all entries for that +principal except those with the highest kvno are removed. Otherwise, +the value specified is parsed as an integer, and all entries whose +kvno match that integer are removed.</p> +<p>The options are:</p> +<dl class="docutils"> +<dt><strong>-k[eytab]</strong> <em>keytab</em></dt> +<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is +used.</dd> +<dt><strong>-q</strong></dt> +<dd>Display less verbose information.</dd> +</dl> +<p>Example:</p> +<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all +Entry for principal kadmin/admin with kvno 3 removed from keytab + FILE:/etc/krb5.keytab +kadmin: +</pre></div> +</div> +</div> +</div> +<div class="section" id="clock-skew"> +<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Permalink to this headline">¶</a></h2> +<p>A Kerberos application server host must keep its clock synchronized or +it will reject authentication requests from clients. Modern operating +systems typically provide a facility to maintain the correct time; +make sure it is enabled. This is especially important on virtual +machines, where clocks tend to drift more rapidly than normal machine +clocks.</p> +<p>The default allowable clock skew is controlled by the <strong>clockskew</strong> +variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</p> +</div> +<div class="section" id="getting-dns-information-correct"> +<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Permalink to this headline">¶</a></h2> +<p>Several aspects of Kerberos rely on name service. When a hostname is +used to name a service, the Kerberos library canonicalizes the +hostname using forward and reverse name resolution. (The reverse name +resolution step can be turned off using the <strong>rdns</strong> variable in +<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.) The result of this canonicalization must match +the principal entry in the host’s keytab, or authentication will fail.</p> +<p>Each host’s canonical name must be the fully-qualified host name +(including the domain), and each host’s IP address must +reverse-resolve to the canonical name.</p> +<p>Configuration of hostnames varies by operating system. On the +application server itself, canonicalization will typically use the +<tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file rather than the DNS. Ensure that the line for the +server’s hostname is in the following form:</p> +<div class="highlight-python"><div class="highlight"><pre>IP address fully-qualified hostname aliases +</pre></div> +</div> +<p>Here is a sample <tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file:</p> +<div class="highlight-python"><div class="highlight"><pre># this is a comment +127.0.0.1 localhost localhost.mit.edu +10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin +</pre></div> +</div> +<p>The output of <tt class="docutils literal"><span class="pre">klist</span> <span class="pre">-k</span></tt> for this example host should look like:</p> +<div class="highlight-python"><div class="highlight"><pre>viola# klist -k +Keytab name: /etc/krb5.keytab +KVNO Principal +---- ------------------------------------------------------------ + 2 host/daffodil.mit.edu@ATHENA.MIT.EDU +</pre></div> +</div> +<p>If you were to ssh to this host with a fresh credentials cache (ticket +file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, the output should list a service +principal of <tt class="docutils literal"><span class="pre">host/daffodil.mit.edu@ATHENA.MIT.EDU</span></tt>.</p> +</div> +<div class="section" id="configuring-your-firewall-to-work-with-kerberos-v5"> +<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Permalink to this headline">¶</a></h2> +<p>If you need off-site users to be able to get Kerberos tickets in your +realm, they must be able to get to your KDC. This requires either +that you have a slave KDC outside your firewall, or that you configure +your firewall to allow UDP requests into at least one of your KDCs, on +whichever port the KDC is running. (The default is port 88; other +ports may be specified in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.) +Similarly, if you need off-site users to be able to change their +passwords in your realm, they must be able to get to your Kerberos +admin server on the kpasswd port (which defaults to 464). If you need +off-site users to be able to administer your Kerberos realm, they must +be able to get to your Kerberos admin server on the administrative +port (which defaults to 749).</p> +<p>If your on-site users inside your firewall will need to get to KDCs in +other realms, you will also need to configure your firewall to allow +outgoing TCP and UDP requests to port 88, and to port 464 to allow +password changes. If your on-site users inside your firewall will +need to get to Kerberos admin servers in other realms, you will also +need to allow outgoing TCP and UDP requests to port 749.</p> +<p>If any of your KDCs are outside your firewall, you will need to allow +kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> uses +the <tt class="docutils literal"><span class="pre">krb5_prop</span></tt> service on port 754 (tcp).</p> +<p>The book <em>UNIX System Security</em>, by David Curry, is a good starting +point for learning to configure firewalls.</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">Application servers</a><ul> +<li><a class="reference internal" href="#keytabs">Keytabs</a><ul> +<li><a class="reference internal" href="#adding-principals-to-keytabs">Adding principals to keytabs</a></li> +<li><a class="reference internal" href="#ktadd">ktadd</a><ul> +<li><a class="reference internal" href="#examples">Examples</a></li> +</ul> +</li> +<li><a class="reference internal" href="#removing-principals-from-keytabs">Removing principals from keytabs</a></li> +<li><a class="reference internal" href="#ktremove">ktremove</a></li> +</ul> +</li> +<li><a class="reference internal" href="#clock-skew">Clock Skew</a></li> +<li><a class="reference internal" href="#getting-dns-information-correct">Getting DNS information correct</a></li> +<li><a class="reference internal" href="#configuring-your-firewall-to-work-with-kerberos-v5">Configuring your firewall to work with Kerberos V5</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> +<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> +<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="">Application servers</a><ul class="simple"> +</ul> +</li> +<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> +<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> +<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> +<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> +<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> +<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> +<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> +<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> +<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> +<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" + >previous</a> | + <a href="host_config.html" title="Host configuration" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |