1 \input texinfo-suppl.tex % contains @doubleleftarrow{} definition
2 % this line must come *before* \input texinfo
3 \input texinfo @c -*-texinfo-*-
6 @setfilename krb5-install.info
7 @settitle Kerberos V5 Installation Guide
8 @setchapternewpage odd @c chapter begins on next odd page
9 @c @setchapternewpage on @c chapter begins on next page
10 @c @smallbook @c Format for 7" X 9.25" paper
18 @include definitions.texinfo
21 @finalout @c don't print black warning boxes
24 @title @value{PRODUCT} Installation Guide
25 @subtitle Release: @value{RELEASE}
26 @subtitle Document Edition: @value{EDITION}
27 @subtitle Last updated: @value{UPDATED}
28 @author @value{COMPANY}
31 @vskip 0pt plus 1filll
34 @include copyright.texinfo
38 @node Top, Introduction, (dir), (dir)
39 @comment node-name, next, previous, up
42 This file documents how to install the @value{RELEASE} release of
45 @include copyright.texinfo
49 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
50 @c function. Don't forget to run M-x texinfo-every-node-update after
51 @c you add a new section or subsection, or after you've rearranged the
52 @c order of sections or subsections. Also, don't forget to add an @node
53 @c comand before each @section or @subsection! All you need to enter
56 @c @node New Section Name
58 @c @section New Section Name
60 @c M-x texinfo-every-node-update will take care of calculating the
61 @c node's forward and back pointers.
63 @c ---------------------------------------------------------------------
67 * Realm Configuration Decisions::
68 * Building Kerberos V5::
69 * Installing Kerberos V5::
70 * Bug Reports for Kerberos V5::
74 @node Introduction, Realm Configuration Decisions, Top, Top
78 * What is Kerberos and How Does it Work?::
79 * Why Should I use Kerberos?::
80 * Please Read the Documentation::
81 * Overview of This Guide::
84 @node What is Kerberos and How Does it Work?, Why Should I use Kerberos?, Introduction, Introduction
85 @section What is Kerberos and How Does it Work?
87 @value{PRODUCT} is based on the Kerberos authentication system developed
88 at MIT. Under Kerberos, a client (generally either a user or a service)
89 sends a request for a ticket to the Key Distribution Center (KDC). The
90 KDC creates a @dfn{ticket-granting ticket} (TGT) for the client,
91 encrypts it using the client's password as the key, and sends the
92 encrypted TGT back to the client. The client then attempts to decrypt
93 the TGT, using its password. If the client successfully decrypts the
94 TGT (@i{i.e.}, if the client gave the correct password), it keeps the
95 decrypted TGT, which indicates proof of the client's identity.
97 The TGT, which expires at a specified time, permits the client to obtain
98 additional tickets, which give permission for specific services. The
99 requesting and granting of these additional tickets is user-transparent.
101 @node Why Should I use Kerberos?, Please Read the Documentation, What is Kerberos and How Does it Work?, Introduction
102 @section Why Should I use Kerberos?
104 Since Kerberos negotiates authenticated, and optionally encrypted,
105 communications between two points anywhere on the internet, it provides
106 a layer of security that is not dependent on which side of a firewall
107 either client is on. Since studies have shown that half of the computer
108 security breaches in industry happen from @i{inside} firewalls,
109 @value{PRODUCT} from @value{COMPANY} will play a vital role in the
110 security of your network.
112 @include document-list.texinfo
114 @node Please Read the Documentation, Overview of This Guide, Why Should I use Kerberos?, Introduction
115 @section Please Read the Documentation
117 As with any software package that uses a centrallized database, the
118 installation procedure is somewhat involved, and requires forethought
119 and planning. @value{COMPANY} has attempted to make this
120 @value{PRODUCT} Installation Guide as concise as possible, rather than
121 making it an exhaustive description of the details of Kerberos.
122 Consequently, everything in this guide appears because @value{COMPANY}
123 believes that it is important. Please read and follow these
124 instructions carefully, and if there is anything you do not understand
125 or are not sure of, please don't hesitate to call us.
127 @node Overview of This Guide, , Please Read the Documentation, Introduction
128 @section Overview of This Guide
130 The next chapter describes the decisions you need to make before
131 installing @value{PRODUCT}.
133 Chapter three describes installation procedures for each class of
138 Key Distribution Centers (KDCs).
149 Client machines (user machines):
153 UNIX client machines.
163 application server machines
167 Note that a machine can be both a client machine and an application
170 Chapter four describes our problem reporting system.
172 The appendices give sample configuration files.
174 @node Realm Configuration Decisions, Building Kerberos V5, Introduction, Top
175 @chapter Realm Configuration Decisions
177 Before installing @value{PRODUCT}, it is necessary to consider the
182 The name of your Kerberos realm (or the name of each realm, if you need
186 How you will map your hostnames onto Kerberos realms.
189 Which ports your KDC and and kadmin (database access) services will use.
192 How many slave KDCs you need and where they should be located.
195 The hostnames of your master and slave KDCs.
198 How frequently you will propagate the database from the master KDC to
202 Whether you need backward compatibility with Kerberos V4.
207 * Mapping Hostnames onto Kerberos Realms::
208 * Ports for the KDC and Admin Services::
210 * Hostnames for the Master and Slave KDCs::
211 * Database Propagation::
214 @node Kerberos Realms, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions, Realm Configuration Decisions
215 @section Kerberos Realms
217 Although your Kerberos realm can be any ASCII string, convention is to
218 make it the same as your domain name, in upper-case letters. For
219 example, hosts in the domain @value{SECONDDOMAIN} would be in the
220 Kerberos realm @value{SECONDREALM}.
222 If you need multiple Kerberos realms, @value{COMPANY} recommends that
223 you use descriptive names which end with your domain name, such as
224 BOSTON.@value{SECONDREALM} and SAN_FRANCISCO.@value{SECONDREALM}.
226 @node Mapping Hostnames onto Kerberos Realms, Ports for the KDC and Admin Services, Kerberos Realms, Realm Configuration Decisions
227 @section Mapping Hostnames onto Kerberos Realms
229 Mapping hostnames onto Kerberos realms is done through a set of rules in
230 the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can
231 specify mappings for an entire domain or subdomain, and/or on a
232 hostname-by-hostname basis. Since greater specificity takes precedence,
233 you would do this by specifying the mappings for a given domain or
234 subdomain and listing the exceptions.
236 @node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions
237 @section Ports for the KDC and Admin Services
239 The default ports used by Kerberos are port 88 for the
240 KDC@footnote{Kerberos V4 used port 750. If necessary, you can run on
241 both ports for backward compatibility.} and port 749 for the admin
242 server. You can, however, choose to run on other ports, as long as they
243 are specified in each host's @code{/etc/services} and @code{krb5.conf}
244 files, and the @code{kdc.conf} file on each KDC. Because the kadmin
245 port was recently assigned, @value{COMPANY} recommands that you specify
246 it explicitly in your @code{krb5.conf} and @code{kdc.conf} files. For a
247 more thorough treatment of port numbers used by the @value{PRODUCT}
248 programs, refer to the ``Configuring Your Firewall to Work With
249 @value{PRODUCT}'' section of the @cite{@value{PRODUCT} System
250 Administrator's Guide}.
252 @node Slave KDCs, Hostnames for the Master and Slave KDCs, Ports for the KDC and Admin Services, Realm Configuration Decisions
255 Slave KDCs provide an additional source of Kerberos ticket-granting
256 services in the event of inaccessibility of the master KDC. The number
257 of slave KDCs you need and the decision of where to place them, both
258 physically and logically, depend on the specifics of your network.
260 All of the Kerberos authentication on your network requires that each
261 client be able to contact a KDC. Therefore, you need to anticipate any
262 likely reason a KDC might be unavailable and have a slave KDC to take up
265 Some considerations include:
269 Have at least one slave KDC as a backup, for when the master KDC is
270 down, is being upgraded, or is otherwise unavailable.
273 If your network is split such that a network outage is likely to cause
274 some segment or segments of the network to become cut off or isolated,
275 have a slave KDC accessible to each segment.
278 If possible, have at least one slave KDC in a different building from
279 the master, in case of power outages, fires, or other localized
283 If you have a large and/or complex network, @value{COMPANY} will be
284 happy to work with you to determine the optimal number and placement of
287 @node Hostnames for the Master and Slave KDCs, Database Propagation, Slave KDCs, Realm Configuration Decisions
288 @section Hostnames for the Master and Slave KDCs
290 @value{COMPANY} recommends that your KDCs have a predefined set of
291 cnames, such as @code{@value{KDCSERVER}} for the master KDC and
292 @code{@value{KDCSLAVE1}}, @code{@value{KDCSLAVE2}}, @dots{} for the
293 slave KDCs. This way, if you need to swap a machine, you only need to
294 change a DNS entry, rather than having to change hostnames.
296 @node Database Propagation, , Hostnames for the Master and Slave KDCs, Realm Configuration Decisions
297 @section Database Propagation
299 The Kerberos database resides on the master KDC, and must be propagated
300 regularly (usually by a cron job) to the slave KDCs. In deciding how
301 frequently the propagation should happen, you will need to balance the
302 amount of time the propagation takes against the maximum reasonable
303 amount of time a user should have to wait for a password change to take
304 effect. @value{COMPANY} recommends that this be no longer than an hour.
306 If the propagation time is longer than this maximum reasonable time
307 (@i{e.g.,} you have a particularly large database, you have a lot of
308 slaves, and/or you experience frequent network delays), you may wish to
309 cut down on your propagation delay by performing the propagation in
310 parallel. To do this, have the master KDC propagate the database to one
311 set of slaves, and then have each of these slaves propagate the database
312 to additional slaves.
314 @node Building Kerberos V5, Installing Kerberos V5, Realm Configuration Decisions, Top
315 @chapter Building @value{PRODUCT}
317 @include build.texinfo
319 @node Installing Kerberos V5, Bug Reports for Kerberos V5, Building Kerberos V5, Top
320 @chapter Installing @value{PRODUCT}
322 The sections of this chapter describe procedures for installing
344 UNIX Application Servers
349 * Installing and Configuring UNIX Client Machines::
350 * UNIX Application Servers::
353 @node Installing KDCs, Installing and Configuring UNIX Client Machines, Installing Kerberos V5, Installing Kerberos V5
354 @section Installing KDCs
356 The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC
357 contains a copy of the Kerberos database. The master KDC contains the
358 master copy of the database, which it propagates to the slave KDCs at
359 regular intervals. All database changes (such as password changes) are
360 made on the master KDC.
362 Slave KDCs provide Kerberos ticket-granting services, but not database
363 access. This allows clients to continue to obtain tickets when the
364 master KDC is unavailable.
366 @value{COMPANY}'s recommends that you install all of your KDCs to be
367 able to function as either the master or one of the slaves. This will
368 enable you to easily switch your master KDC with one of the slaves if
369 necessary. (@xref{Switching Master and Slave KDCs}.) This installation
370 procedure is based on that recommendation.
373 * Install the Master KDC::
374 * Install the Slave KDCs::
375 * Back on the Master KDC::
376 * Finish Installing the Slave KDCs::
377 * Add Kerberos Principals to the Database::
378 * Limit Access to the KDCs::
379 * Switching Master and Slave KDCs::
382 @node Install the Master KDC, Install the Slave KDCs, Installing KDCs, Installing KDCs
383 @subsection Install the Master KDC
385 This installation procedure will require you to go back and forth a
386 couple of times between the master KDC and each of the slave KDCs. The
387 first few steps must be done on the master KDC.
390 * Edit the Configuration Files::
391 * Create the Database::
392 * Add Administrators to the Acl File::
393 * Add Administrators to the Kerberos Database::
394 * Create a kadmind Keytab::
395 * Start the Kerberos Daemons::
398 @node Edit the Configuration Files, Create the Database, Install the Master KDC, Install the Master KDC
399 @subsubsection Edit the Configuration Files
401 Modify the configuration files, @code{/etc/krb5.conf}
402 (@pxref{krb5.conf}) and @code{@value{ROOTDIR}/lib/krb5kdc/kdc.conf}
403 (@pxref{kdc.conf}) to reflect the correct information (such as the
404 hostnames and realm name) for your realm. @value{COMPANY} recommends
405 that you keep @code{krb5.conf} in @code{/etc}. The @code{krb5.conf}
406 file may contain a pointer to @code{kdc.conf}, which you need to change
407 if you want to move @code{kdc.conf} to another location.
409 @node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC
410 @subsubsection Create the Database
412 You will use the @code{kdb5_util} command @emph{on the Master KDC} to
413 create the Kerberos database and the optional stash file. The
414 @dfn{stash file} is a local copy of the master key that resides in
415 encrypted form on the KDC's local disk. The stash file is used to
416 authenticate the KDC to itself automatically before starting the
417 @code{kadmind} and @code{krb5kdc} daemons (@i{e.g.,} as part of the
418 machine's boot sequence). The stash file, like the keytab file
419 (@xref{The Keytab File}) is a potential point-of-entry for a break-in,
420 and if compromised, would allow unrestricted access to the Kerberos
421 database. If you choose to install a stash file, it should be readable
422 only by root, and should exist only on the KDC's local disk. The file
423 should not be part of any backup of the machine, unless access to the
424 backup data is secured as tightly as access to the master password
427 Note that @code{kdb5_util} will prompt you for the master key for the
428 Kerberos database. This key can be any string. A good key is one you
429 can remember, but that no one else can guess. Examples of bad keys are
430 words that can be found in a dictionary, any common or popular name,
431 especially a famous person (or cartoon character), your username in any
432 form (@i{e.g.}, forward, backward, repeated twice, @i{etc.}), and any of
433 the sample keys that appear in this manual. One example of a key which
434 would be good if it did not appear in this manual is ``MITiys4K5!'',
435 which represents the sentence ``@value{COMPANY} is your source for
436 Kerberos 5!'' (It's the first letter of each word, substituting the
437 numeral ``4'' for the word ``for'', and includes the punctuation mark at
440 The following is an example of how to create a Kerberos database and
441 stash file on the master KDC, using the @code{kdb5_util} command. (The
442 line that begins with @result{} is a continuation of the previous line.)
443 Replace @i{@value{PRIMARYREALM}} with the name of your Kerberos realm.
447 @b{shell%} @value{ROOTDIR}/sbin/kdb5_util create -r @value{PRIMARYREALM} -s
448 @b{kdb5_util: No such file or directory while setting active database to '/krb5/principal'
449 Initializing database '@value{ROOTDIR}/lib/krb5kdc/principal' for
450 @result{} realm '@value{PRIMARYREALM}',
451 master key name 'K/M@@@value{PRIMARYREALM}'
452 You will be prompted for the database Master Password.
453 It is important that you NOT FORGET this password.}
455 @b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the master password.}
456 @b{Re-enter KDC database master key to verify:} @i{@doubleleftarrow{} Type it again.}
459 @b{Enter KDC database master key:} @i{<= Type the master password.}
460 @b{Re-enter KDC database master key to verify:} @i{<= Type it again.}
466 This will create five files in the directory specified in your
467 @code{kdc.conf} file: two Kerberos database files, @code{principal.db},
468 and @code{principal.ok}; the Kerberos administrative database file,
469 @code{principal.kadm5}; the administrative database lock file,
470 @code{principal.kadm5.lock}; and the stash file, @code{.k5stash}. (The
471 default directory is @code{@value{ROOTDIR}/lib/krb5kdc}.) If you do not
472 want a stash file, run the above command without the @code{-s} option.
474 @node Add Administrators to the Acl File, Add Administrators to the Kerberos Database, Create the Database, Install the Master KDC
475 @subsubsection Add Administrators to the Acl File
477 Next, you need create an Access Control List (acl) file, and put the
478 Kerberos principal of at least one of the administrators into it. The
479 filename should match the value you have set for ``acl_file'' in your
480 @code{kdc.conf} file. The default file name is @samp{kadm5.acl}. The
481 format of the file is:
484 Kerberos principal permissions optional target principal
487 The Kerberos principal (and optional target principal) can include the
488 ``@b{*}'' wildcard, so if you want any principal with the instance
489 ``admin'' to have full permissions on the database, you could use the
490 principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos
493 Note: a common use of an @i{admin} instance is so you can grant
494 separate permissions (such as administrator access to the Kerberos
495 database) to a separate Kerberos principal. For example, the user
496 @code{@value{ADMINUSER}} might have a principal for his administrative
497 use, called @code{@value{ADMINUSER}/admin}. This way,
498 @code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin}
499 tickets only when he actually needs to use those permissions. Refer to
500 the @value{PRODUCT} Administrator's Guide or the @value{PRODUCT} User's
501 Guide for more detailed explanations of @dfn{principals} and
504 The permissions (acls) recognized in the acl file
509 allows the addition of principals or policies in the database.
511 prohibits the addition of principals or policies in the database.
513 allows the deletion of principals or policies in the database.
515 prohibits the deletion of principals or policies in the database.
517 allows the modification of principals or policies in the database.
519 prohibits the modification of principals or policies in the database.
521 allows the changing of passwords for principals in the database.
523 prohibits the changing of passwords for principals in the database.
525 allows inquiries to the database.
527 prohibits inquiries to the database.
529 allows the listing of principals or policies in the database.
531 prohibits the listing of principals or policies in the database.
533 Short for all privileges (admcil).
535 Short for all privileges (admcil); identical to ``*''.
538 To give the principal @code{*/admin@@@value{PRIMARYREALM}} permission to
539 change all of the database permissions on any principal permissions, you
540 would place the following line in the file:
543 */admin@@@value{PRIMARYREALM} *
546 To give the principal @code{@value{ADMINUSER}@@@value{PRIMARYREALM}}
547 permission to add, list, and inquire about any principal that has the
548 instance ``root'', you would add the following line to the acl file:
551 @value{ADMINUSER}@@@value{PRIMARYREALM} ali */root@@@value{PRIMARYREALM}
554 @node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC
555 @subsubsection Add Administrators to the Kerberos Database
557 Next you need to add administrative principals to the Kerberos database.
558 (You must add at least one now.) To do this, use @code{kadmin.local}
559 @emph{on the master KDC}, as in the following example:
563 @b{shell%} @value{ROOTDIR}/sbin/kadmin.local
564 @b{kadmin.local:} addprinc admin/admin@@@value{PRIMARYREALM}
565 @b{WARNING: no policy specified for "admin/admin@@@value{PRIMARYREALM}";
566 defaulting to no policy.}
568 @b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Enter a password.}
569 Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{@doubleleftarrow{} Type it again.}
572 @b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.}
573 Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.}
575 @b{Principal "admin/admin@@@value{PRIMARYREALM}" created.
580 @node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
581 @subsubsection Create a kadmind Keytab
583 The kadmind keytab is the key that kadmind will use to decrypt
584 administrators' Kerberos tickets to determine whether or not it should
585 give them access to the database. You need to create the kadmin keytab
586 with entries for the principals @code{kadmin/admin} and
587 @code{kadmin/changepw}. (These principals are placed in the Kerberos
588 database automatically when you create it.) To create the kadmin
589 keytab, run @code{kadmin.local} and use the @code{ktadd} command, as in
590 the following example. (The line beginning with @result{} is a
591 continuation of the previous line.):
595 @b{shell%} @value{ROOTDIR}/sbin/kadmin.local
596 @b{kadmin.local:} ktadd -k @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab
597 @result{} kadmin/admin kadmin/changepw
598 @b{Entry for principal kadmin/admin@@@value{PRIMARYREALM} with
599 kvno 3, encryption type DES-CBC-CRC added to keytab
600 WRFILE:@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab.
601 Entry for principal kadmin/changepw@@@value{PRIMARYREALM} with
602 kvno 3, encryption type DES-CBC-CRC added to keytab
603 WRFILE:@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab.
610 As specified in the @samp{-k} argument, @code{ktadd} will save the
611 extracted keytab as @code{@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab}.
612 The filename you use must be the one specified in your @code{kdc.conf}
616 @node Start the Kerberos Daemons, , Create a kadmind Keytab, Install the Master KDC
617 @subsubsection Start the Kerberos Daemons on the Master KDC
619 At this point, you are ready to start the Kerberos daemons on the Master
623 @b{shell%} @value{ROOTDIR}/sbin/krb5kdc
624 @b{shell%} @value{ROOTDIR}/sbin/kadmind
628 Each daemon will fork and run in the background. Assuming you want
629 these daemons to start up automatically at boot time, you can add them
630 to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to
631 have a stash file in order to do this.
633 @node Install the Slave KDCs, Back on the Master KDC, Install the Master KDC, Installing KDCs
634 @subsection Install the Slave KDCs
636 You are now ready to start configuring the slave KDCs. Assuming you are
637 setting the KDCs up so that you can easily switch the master KDC with
638 one of the slaves, you should perform each of these steps on the master
639 KDC as well as the slave KDCs, unless these instructions specify
644 * Create Host Keys for the Slave KDCs::
645 * Extract Host Keytabs for the KDCs::
646 * Set Up the Slave KDCs for Database Propagation::
649 @node Create Host Keys for the Slave KDCs, Extract Host Keytabs for the KDCs, Install the Slave KDCs, Install the Slave KDCs
650 @subsubsection Create Host Keys for the Slave KDCs
652 Each KDC needs a host principal in the Kerberos database. You can enter
653 these from any host, once the @code{kadmind} daemon is running. For
654 example, if your master KDC were called
655 @value{KDCSERVER}.@value{PRIMARYDOMAIN}, and you had two KDC slaves
656 named @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} and
657 @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}, you would type the following:
661 @b{shell%} @value{ROOTDIR}/sbin/kadmin
662 @b{kadmin:} addprinc -randpass host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}
663 @b{WARNING: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
664 defaulting to no policy.
665 Principal "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.
666 kadmin:} addprinc -randpass host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
667 @b{WARNING: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
668 defaulting to no policy.
669 Principal "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.}
670 @b{kadmin:} addprinc -randpass host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
671 @b{WARNING: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
672 defaulting to no policy.
673 Principal "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.
679 It is not actually necessary to have the master KDC server in the
680 Kerberos database, but it can be handy if:
684 anyone will be logging into the machine as something other than root
687 you want to be able to swap the master KDC with one of the slaves if
691 @node Extract Host Keytabs for the KDCs, Set Up the Slave KDCs for Database Propagation, Create Host Keys for the Slave KDCs, Install the Slave KDCs
692 @subsubsection Extract Host Keytabs for the KDCs
694 Each KDC (including the master) needs a keytab to decrypt tickets.
695 Ideally, you should extract each keytab locally on its own KDC. If this
696 is not feasible, you should use an encrypted session to send them across
697 the network. To extract a keytab on a KDC called
698 @value{KDCSERVER}.@value{PRIMARYDOMAIN}, you would execute the following
703 @b{kadmin:} ktadd host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}
704 @b{kadmin: Entry for principal host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
705 kvno 1, encryption type DES-CBC-CRC added to keytab
706 WRFILE:/etc/v5srvtab.
712 Note that the principal must exist in the Kerberos database in order to
715 @node Set Up the Slave KDCs for Database Propagation, , Extract Host Keytabs for the KDCs, Install the Slave KDCs
716 @subsubsection Set Up the Slave KDCs for Database Propagation
718 The database is propagated from the master KDC to the slave KDCs via the
719 @code{kpropd} daemon. To set up propagation, create a file on each KDC,
720 named @code{@value{ROOTDIR}/lib/krb5kdc/kpropd.acl}, containing the
721 principals for each of the KDCs.
723 For example, if the master KDC were
724 @code{@value{KDCSERVER}.@value{PRIMARYDOMAIN}}, the slave KDCs were
725 @code{@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}} and
726 @code{@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}}, and the realm were
727 @code{@value{PRIMARYREALM}}, then the file's contents would be:
731 host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
732 host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
733 host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
738 Then, add the following lines to @code{/etc/inetd.conf} file on each KDC
739 (the line beginnng with @result{} is a continuation of the previous
744 krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
745 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
746 @result{} klogind -k -c -e
751 The first line sets up the @code{kpropd} database propagation daemon.
752 The second line sets up the @code{eklogin} daemon, allowing
753 Kerberos-authenticated, encrypted rlogin to the KDC.
755 You also need to add the following lines to @code{/etc/services} on each
760 kerberos 88/udp kdc # Kerberos authentication (udp)
761 kerberos 88/tcp kdc # Kerberos authentication (tcp)
762 krb5_prop 754/tcp # Kerberos slave propagation
763 kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
764 kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
765 eklogin 2105/tcp # Kerberos encrypted rlogin
769 @node Back on the Master KDC, Finish Installing the Slave KDCs, Install the Slave KDCs, Installing KDCs
770 @subsection Back on the Master KDC
772 Now that the slave KDCs are able to accept database propagation, you'll
773 need to propagate the database to each of them.
776 * Propagate the Database to Each Slave KDC::
779 @node Propagate the Database to Each Slave KDC, , Back on the Master KDC, Back on the Master KDC
780 @subsubsection Propagate the Database to Each Slave KDC
782 First, create a dump of the database on the master KDC, as follows:
786 @b{shell%} @value{ROOTDIR}/sbin/kdb5_util dump @value{ROOTDIR}/lib/krb5kdc/slave_datatrans
791 Next, you need to manually propagate the database to each slave KDC, as
792 in the following example. (The lines beginning with @result{} are
793 continuations of the previous line.):
797 @value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans
798 @result{} @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
799 @value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans
800 @result{} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
804 You will need a script to dump and propagate the database. The
805 following is an example of a bourne shell script that will do this.
806 (Note that the line that begins with @result{} is a continuation of the
807 previous line. Remember that you need to replace @value{ROOTDIR} with
808 the name of the directory in which you installed @value{PRODUCT}.)
814 kdclist = "@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}"
816 @value{ROOTDIR}/sbin/kdb5_util -R "dump
817 @result{} @value{ROOTDIR}/lib/krb5kdc/slave_datatrans"
821 @value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans $kdc
827 You will need to set up a cron job to run this script at the intervals
828 you decided on earlier (@xref{Database Propagation}.)
830 @node Finish Installing the Slave KDCs, Add Kerberos Principals to the Database, Back on the Master KDC, Installing KDCs
831 @subsection Finish Installing the Slave KDCs
833 Now that the slave KDCs have copies of the Kerberos database, you can
834 create stash files for them and start the @code{krb5kdc} daemon.
837 * Create Stash Files on the Slave KDCs::
838 * Start the krb5kdc Daemon on Each KDC::
841 @node Create Stash Files on the Slave KDCs, Start the krb5kdc Daemon on Each KDC, Finish Installing the Slave KDCs, Finish Installing the Slave KDCs
842 @subsubsection Create Stash Files on the Slave KDCs
844 Create stash files, by issuing the following commands on each slave KDC:
848 @b{shell%} kdb5_util stash
849 @b{kdb5_util: Cannot find/read stored master key while reading master key
850 kdb5_util: Warning: proceeding without master key}
852 @b{Enter KDC database master key:} @i{@doubleleftarrow{} Enter the database master key.}
855 @b{Enter KDC database master key:} @i{<= Enter the database master key.}
861 As mentioned above, the stash file is necessary for your KDCs to be able
862 authenticate to themselves, such as when they reboot. You could run
863 your KDCs without stash files, but you would then need to type in the
864 Kerberos database master key by hand every time you start a KDC daemon.
866 @node Start the krb5kdc Daemon on Each KDC, , Create Stash Files on the Slave KDCs, Finish Installing the Slave KDCs
867 @subsubsection Start the krb5kdc Daemon on Each KDC
869 The final step in configuing your slave KDCs is to run the KDC daemon:
873 @b{shell%} @value{ROOTDIR}/sbin/krb5kdc
877 As with the master KDC, you will probably want to add this command to
878 the KDCs' @code{/etc/rc} or @code{/etc/inittab} files, so they will
879 start the krb5kdc daemon automatically at boot time.
881 @node Add Kerberos Principals to the Database, Limit Access to the KDCs, Finish Installing the Slave KDCs, Installing KDCs
882 @subsection Add Kerberos Principals to the Database
885 Once your KDCs are set up and running, you are ready to use
886 @code{kadmin} to load principals for your users, hosts, and other
887 services into the Kerberos database. This procedure is described fully in the
888 ``Adding or Modifying Principals'' section of the @value{PRODUCT} System
889 Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs} for a
890 brief description.) The keytab is generated by running @code{kadmin}
891 and issuing the @code{ktadd} command.
893 @node Limit Access to the KDCs, Switching Master and Slave KDCs, Add Kerberos Principals to the Database, Installing KDCs
894 @subsection Limit Access to the KDCs
896 To limit the possibility that your Kerberos database could be
897 compromised, @value{COMPANY} recommends that each KDC be a dedicated
898 host, with limited access. If your KDC is also a file server, FTP
899 server, Web server, or even just a client machine, someone who obtained
900 root access through a security hole in any of those areas could gain
901 access to the Kerberos database.
904 @value{COMPANY} recommends that your KDCs use the following
905 @code{/etc/inetd.conf} file. (Note: each line beginning with @result{}
906 is a continuation of the previous line.):
911 # Configuration file for inetd(1M). See inetd.conf(4).
913 # To re-configure the running inetd process, edit this file, then
914 # send the inetd process a SIGHUP.
916 # Syntax for socket-based Internet services:
917 # <service_name> <socket_type> <proto> <flags> <user>
918 @result{} <server_pathname> <args>
920 # Syntax for TLI-based Internet services:
922 # <service_name> tli <proto> <flags> <user> <server_pathname> <args>
924 # Ftp and telnet are standard Internet services.
926 # This machine is a secure Kerberos Key Distribution Center (KDC).
927 # Services are limited.
930 # Time service is used for clock synchronization.
932 time stream tcp nowait root internal
933 time dgram udp wait root internal
935 # Limited Kerberos services
937 krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
938 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
939 @result{} klogind -k -c -e
943 @node Switching Master and Slave KDCs, , Limit Access to the KDCs, Installing KDCs
944 @subsection Switching Master and Slave KDCs
946 You may occasionally want to use one of your slave KDCs as the master.
947 This might happen if you are upgrading the master KDC, or if your master
948 KDC has a disk crash.
950 Assuming you have configured all of your KDCs to be able to function as
951 either the master KDC or a slave KDC (as this document recommends), all
952 you need to do to make the changeover is:
954 If the master KDC is still running, do the following on the @emph{old}
959 Kill the @code{kadmind} process.
962 Disable the cron job that propagates the database.
965 Run your database propagation script manually, to ensure that the slaves
966 all have the latest copy of the database. (@xref{Propagate the Database
970 On the @emph{new} master KDC:
974 Create a database keytab. (@xref{Create a kadmind Keytab}.)
977 Start the @code{kadmind} daemon. (@xref{Start the Kerberos Daemons}.)
980 Set up the cron job to propagate the database. (@xref{Propagate the
981 Database to Each Slave KDC}.)
984 Switch the cnames of the old and new master KDCs. (If you don't do
985 this, you'll need to change the @code{krb5.conf} file on every client
986 machine in your Kerberos realm.)
989 @node Installing and Configuring UNIX Client Machines, UNIX Application Servers, Installing KDCs, Installing Kerberos V5
990 @section Installing and Configuring UNIX Client Machines
992 Client machine installation is much more straightforward than
993 installation of the KDCs.
997 * Client Machine Configuration Files::
1000 @node Client Programs, Client Machine Configuration Files, Installing and Configuring UNIX Client Machines, Installing and Configuring UNIX Client Machines
1001 @subsection Client Programs
1003 The Kerberized client programs are @code{login.krb5}, @code{rlogin},
1004 @code{telnet}, @code{ftp}, @code{rcp}, @code{rsh}, @code{kinit},
1005 @code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ksu}, and
1006 @code{krb524init}. All of these programs are in the directory
1007 @code{@value{ROOTDIR}/bin}, except for @code{login.krb5} which is in
1008 @code{@value{ROOTDIR}/sbin}.
1010 You will probably want to have your users put @code{@value{ROOTDIR}/bin}
1011 ahead of @code{/bin} and @code{/usr/bin} in their paths, so they will by
1012 default get the @value{PRODUCT} versions of @code{rlogin},
1013 @code{telnet}, @code{ftp}, @code{rcp}, and @code{rsh}.
1015 @value{COMPANY} recommends that you use @code{login.krb5} in place of
1016 @code{/bin/login} to give your users a single-sign-on system. You will
1017 need to make sure your users know to use their Kerberos passwords when
1020 You will also need to educate your users to use the ticket management
1021 programs @code{kinit},
1022 @c @code{krb524init},
1023 @code{klist}, @code{kdestroy}, and to use the Kerberos programs
1025 @code{ksu}, and @code{kpasswd} in place of their non-Kerberos
1028 @code{su}, @code{passwd}, and @code{rdist}.
1030 @node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines
1031 @subsection Client Machine Configuration Files
1033 Each machine running Kerberos must have a @code{/etc/krb5.conf} file.
1037 Also, you must add the appropriate Kerberos services to each client
1038 machine's @code{/etc/services} file. If you are using the default
1039 configuration for @value{PRODUCT}, you should be able to just insert the
1045 # Note --- if you are using Kerberos V4 and you either:
1047 # (a) haven't converted all your master or slave KDCs to V5, or
1049 # (b) are worried about inter-realm interoperability with other KDC's
1050 # that are still using V4
1052 # you will need to switch the "kerberos" service to port 750 and create a
1053 # "kerberos-sec" service on port 88.
1055 kerberos 88/udp kdc # Kerberos V5 KDC
1056 kerberos 88/tcp kdc # Kerberos V5 KDC
1057 klogin 543/tcp # Kerberos authenticated rlogin
1058 kshell 544/tcp cmd # and remote shell
1059 kerberos-adm 749/tcp # Kerberos 5 admin/changepw
1060 kerberos-adm 749/udp # Kerberos 5 admin/changepw
1061 krb5_prop 754/tcp # Kerberos slave propagation
1062 @c kpop 1109/tcp # Pop with Kerberos
1063 eklogin 2105/tcp # Kerberos auth. & encrypted rlogin
1064 krb524 4444/tcp # Kerberos 5 to 4 ticket translator
1068 @noindent As described in the comments in the above code, if your master
1069 KDC or any of your slave KDCs is running Kerberos V4, (or if you will be
1070 authenticating to any Kerberos V4 KDCs in another realm) you will need
1071 to switch the port number for @code{kerberos} to 750 and create a
1072 @code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos
1073 V4 KDC(s) will continue to work properly.
1075 @node UNIX Application Servers, , Installing and Configuring UNIX Client Machines, Installing Kerberos V5
1076 @section UNIX Application Servers
1078 An application server is a host that provides one or more services over
1079 the network. Application servers can be ``secure'' or ``insecure.'' A
1080 ``secure'' host is set up to require authentication from every client
1081 connecting to it. An ``insecure'' host will still provide Kerberos
1082 authentication, but will also allow unauthenticated clients to connect.
1084 If you have @value{PRODUCT} installed on all of your client machines,
1085 @value{COMPANY} recommends that you make your hosts secure, to take
1086 advantage of the security that Kerberos authentication affords.
1087 However, if you have some clients that do not have @value{PRODUCT}
1088 installed, you can run an insecure server, and still take advantage of
1089 @value{PRODUCT}'s single sign-on on capability.
1093 * Server Configuration Files::
1095 * Some Advice about Secure Hosts::
1098 @node Server Programs, Server Configuration Files, UNIX Application Servers, UNIX Application Servers
1099 @subsection Server Programs
1101 Just as @value{PRODUCT} provided its own Kerberos-enhanced versions of
1102 client UNIX network programs, @value{PRODUCT} also provides
1103 Kerberos-enhanced versions of server UNIX network daemons. These are
1104 @code{ftpd}, @code{klogind}, @code{kshd}, and @code{telnetd}.
1106 These programs are installed in the directory
1107 @code{@value{ROOTDIR}/sbin}. You may want to add this directory to
1110 @node Server Configuration Files, The Keytab File, Server Programs, UNIX Application Servers
1111 @subsection Server Configuration Files
1113 For a @emph{secure} server, make the following changes to
1114 @code{/etc/inetd.conf}:
1116 Find and comment out any lines for the services @code{ftp},
1117 @code{telnet}, @code{shell}, @code{login}, and @code{exec}.
1120 Add the following lines. (Note: each line beginning with @result{} is
1121 a continuation of the previous line.)
1125 klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1126 @result{} klogind -k -c
1127 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1128 @result{} klogind -k -c -e
1129 kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
1130 @result{} kshd -k -c -A
1131 ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
1133 telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
1134 @result{} telnetd -a valid
1138 For an @emph{insecure} server, make the following changes instead to
1139 @code{/etc/inetd.conf}:
1142 Find and comment out any lines for the services @code{ftp} and
1145 Add the following lines. (Note: each line beginning with @result{} is
1146 a continuation of the previous line.)
1149 klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1150 @result{} klogind -k -c
1151 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1152 @result{} klogind -k -c -e
1153 kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
1154 @result{} kshd -k -c -A
1155 ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
1157 telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
1158 @result{} telnetd -a none
1162 @node The Keytab File, Some Advice about Secure Hosts, Server Configuration Files, UNIX Application Servers
1163 @subsection The Keytab File
1165 All Kerberos server machines need a @dfn{keytab} file, called
1166 @code{/etc/v5srvtab},@footnote{The keytab was called a @dfn{srvtab} in
1167 Kerberos V4. The @code{v5srvtab} file has not been renamed to reflect
1168 the change in terminology.} to authenticate to the KDC. The keytab file
1169 is an encrypted, local, on-disk copy of the host's key. The keytab
1170 file, like the stash file (@ref{Create the Database}) is a potential
1171 point-of-entry for a break-in, and if compromised, would allow
1172 unrestricted access to its host. The keytab file should be readable
1173 only by root, and should exist only on the machine's local disk. The
1174 file should not be part of any backup of the machine, unless access to
1175 the backup data is secured as tightly as access to the machine's root
1178 In order to generate a keytab for a host, the host must have a principal
1179 in the Kerberos database. The procedure for adding hosts to the
1180 database is described fully in the ``Adding or Modifying Principals''
1181 section of the @cite{@value{PRODUCT} System Administrator's Guide}.
1182 @xref{Create Host Keys for the Slave KDCs} for a brief description.)
1183 The keytab is generated by running @code{kadmin} and issuing the
1184 @code{ktadd} command.
1187 For example, to generate a keytab file to allow the host
1188 trillium.@value{PRIMARYDOMAIN} to authenticate for the services
1189 @code{host}, @code{ftp}, and @code{pop}, the administrator
1190 @code{@value{ADMINUSER}} would issue the command (on
1191 trillium.@value{PRIMARYDOMAIN}):
1195 @b{trillium%} @value{ROOTDIR}/sbin/kadmin
1196 @b{kadmin5:} ktadd host/trillium.@value{PRIMARYDOMAIN} ftp/trillium.@value{PRIMARYDOMAIN}
1197 @result{} pop/trillium.@value{PRIMARYDOMAIN}
1198 @b{kadmin: Entry for principal host/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
1199 kvno 3, encryption type DES-CBC-CRC added to keytab
1200 WRFILE:/etc/v5srvtab.
1201 kadmin: Entry for principal ftp/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
1202 kvno 3, encryption type DES-CBC-CRC added to keytab
1203 WRFILE:/etc/v5srvtab.
1204 kadmin: Entry for principal pop/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
1205 kvno 3, encryption type DES-CBC-CRC added to keytab
1206 WRFILE:/etc/v5srvtab.
1212 If you generate the keytab file on another host, you need to get a copy
1213 of the keytab file onto the destination host (@code{trillium}, in the
1214 above example) without sending it unencrypted over the network. If you
1215 have installed the @value{PRODUCT} client programs, you can use
1216 encrypted @code{rcp}.
1218 @node Some Advice about Secure Hosts, , The Keytab File, UNIX Application Servers
1219 @subsection Some Advice about Secure Hosts
1221 @value{PRODUCT} can protect your host from certain types of break-ins,
1222 but it is possible to install @value{PRODUCT} and still leave your host
1223 vulnerable to attack. Obviously an installation guide is not the place
1224 to try to include an exhaustive list of countermeasures for every
1225 possible attack, but it is worth noting some of the larger holes and how
1228 As stated earlier in this section, @value{COMPANY} recommends that on a
1229 secure host, you disable the standard @code{ftp}, @code{login},
1230 @code{telnet}, @code{shell}, and @code{exec} services in
1231 @code{/etc/services}. We also recommend that secure hosts have an empty
1232 @code{/etc/hosts.equiv} file and that there not be a @code{.rhosts} file
1233 in @code{root}'s home directory. You can grant Kerberos-authenticated
1234 root access to specific Kerberos principals by placing those principals
1235 in the file @code{.k5login} in root's home directory.
1237 We recommend that backups of secure machines exclude the keytab file
1238 (@code{/etc/v5srvtab}). If this is not possible, the backups should at
1239 least be done locally, rather than over a network, and the backup tapes
1240 should be physically secured.
1242 Finally, the keytab file and any programs run by root, including the
1243 @value{PRODUCT} binaries, should be kept on local disk. The keytab file
1244 should be readable only by root.
1246 @node Bug Reports for Kerberos V5, Files, Installing Kerberos V5, Top
1247 @chapter Bug Reports for @value{PRODUCT}
1248 @include bug-report.texinfo
1250 @node Files, , Bug Reports for Kerberos V5, Top
1258 @node krb5.conf, kdc.conf, Files, Files
1259 @appendixsec krb5.conf
1261 Here is an example of a generic @code{krb5.conf} file:
1266 ticket_lifetime = 600
1267 default_realm = @value{PRIMARYREALM}
1268 default_tkt_enctypes = des-cbc-crc
1269 default_tgs_enctypes = des-cbc-crc
1272 @value{PRIMARYREALM} = @{
1273 kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88
1274 kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88
1275 kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88
1276 admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749
1277 default_domain = @value{PRIMARYDOMAIN}
1281 .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
1282 @value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
1286 For the KDCs, add a section onto the end of the @code{krb5.conf} file
1287 telling where the @code{kdc.conf} file is located, as in the following
1293 profile = @value{ROOTDIR}/lib/krb5kdc/kdc.conf
1296 kdc = FILE:/dev/ttyp9
1297 admin_server = FILE:/dev/ttyp9
1298 default = FILE:/dev/ttyp9
1307 @node kdc.conf, , krb5.conf, Files
1308 @appendixsec kdc.conf
1310 Here's an example of a generic kdc.conf file:
1318 @value{PRIMARYREALM} = @{
1319 profile = /etc/krb5.conf
1320 database_name = @value{ROOTDIR}/lib/krb5kdc/principal
1321 admin_database_name = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5
1322 admin_database_lockfile = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5.lock
1323 admin_keytab = @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab
1324 acl_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.acl
1325 dict_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.dict
1326 key_stash_file = @value{ROOTDIR}/lib/krb5kdc/.k5.@value{PRIMARYREALM}
1328 max_life = 10h 0m 0s
1329 max_renewable_life = 7d 0h 0m 0s
1330 master_key_type = des-cbc-crc
1331 supported_enctypes = des-cbc-crc:normal
1336 To add Kerberos V4 support, change the @code{supported_enctypes} line to:
1339 supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
1343 * Encryption Types and Salt Types::
1346 @node Encryption Types and Salt Types, , kdc.conf, kdc.conf
1347 @appendixsubsec Encryption Types and Salt Types
1349 Currently, @value{PRODUCT} supports only DES encryption. The encoding
1350 type is @code{des-cbc-crc}. The @dfn{salt} is additional information
1351 encoded within the key that tells what kind of key it is. The only
1352 salts that you will be likely to encounter are:
1355 @item @dfn{normal}, which @value{COMPANY} recommends using for all of
1356 your @value{PRODUCT} keys
1358 @item @dfn{v4}, which is necessary only for compatibility with a v4 KDC
1360 @item @dfn{afs}, which you will never need to generate, and which you will
1361 encounter only if you dump an AFS database into a Kerberos database
1364 Support for additional encryption types is planned in the future.