From 0071e97edc0d4daa7fc3cf2b46cbdfe823072e55 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Fri, 23 Jun 2000 22:38:21 +0000 Subject: [PATCH] merge from krb5-1-2-beta4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12425 dc483132-0cff-0310-8789-dd5450dbe970 --- doc/ChangeLog | 58 +++++++++++ doc/admin.texinfo | 134 +++++++++++++++++------- doc/build.texinfo | 43 ++++++-- doc/copyright.texinfo | 2 +- doc/definitions.texinfo | 4 +- doc/install.texinfo | 223 ++++++++++++++++++++++++++++++++++------ doc/krb425.texinfo | 8 ++ doc/send-pr.texinfo | 6 +- 8 files changed, 394 insertions(+), 84 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 38af2b888..a156febe4 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,61 @@ +2000-06-16 Ken Raeburn + + * admin.texinfo: Update descriptions to indicate full support for + des3. Describe new DNS-related libdefaults tags for krb5.conf. + + * build.texinfo (Options to Configure): Fix @item labels. + + * install.texinfo: Update descriptions to indicate full support + for des3, and describe "v4" salt as being useful only with + des-cbc-crc. + +2000-06-15 Tom Yu + + * admin.texinfo: Note in multiple places that the current default + dump format doesn't include the per-principal policy information, + and some means of working around this problem. + + * install.texinfo (Switching Master and Slave KDCs): Note that + in the process of swapping KDCs, it is necessary to do a ov format + dump in order to preserve per-principal policy information. + +2000-06-13 Tom Yu + + * install.texinfo (Upgrading Existing Kerberos V5 Installations): + Add info describing how to preserve policy information while + upgrading. Also needs to go into other sections, possibly. + +2000-06-13 Ken Raeburn + + * build.texinfo: Enter correct xref info for DNS data + descriptions. Fix up text around some xrefs. + * install.texinfo: Describe SRV and TXT DNS records. Fix up text + around some xrefs. + +2000-06-09 Tom Yu + + * admin.texinfo: Add descriptions of the kadmin {ank,cpw,ktadd} -e + flag. + +2000-06-06 Ken Raeburn + + * install.texinfo: Describe new DNS support, and 3DES upgrade + path. Update "enctypes" config file sample lines. + + * build.texinfo: No kpasswd directory. Describe new configure + options. + + * send-pr.texinfo: Suggest caution regarding tab expansion for + patches. + +2000-06-02 Ken Raeburn + + * definitions.texinfo: Update for 1.2 release. + +2000-05-31 Ken Raeburn + + * krb425.texinfo (libdefaults): Add description of v4_realm. + 1999-09-22 Tom Yu * copyright.texinfo: Update copyright again. diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 2ea716b25..e60360abc 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -429,7 +429,8 @@ your Kerberos realm. @itemx default_tgs_enctypes Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or -whitespace. Currently, the only supported encryption type is +whitespace. Currently, the supported encryption types are +"des3-hmac-sha1" and "des-cbc-crc". Support for other encryption types is planned in the future. @@ -437,7 +438,7 @@ future. Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for @emph{default_tkt_enctypes}. Again, the only supported encryption -type is "des-cbc-crc". +types are "des3-hmac-sha1" and "des-cbc-crc". @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the @@ -456,6 +457,50 @@ of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. + +@itemx dns_lookup_kdc +Indicate whether DNS SRV records should be used to locate the KDCs and +other servers for a realm, if they are not listed in the information for +the realm. (Note that the @samp{admin_server} entry must be in the +file, because the DNS implementation for it is incomplete.) + +Enabling this option does open up a type of denial-of-service attack, if +someone spoofs the DNS records and redirects you to another server. +However, it's no worse than a denial of service, because that fake KDC +will be unable to decode anything you send it (besides the initial +ticket request, which has no encrypted data), and anything the fake KDC +sends will not be trusted without verification using some secret that it +won't know. + +If this option is not specified but @samp{dns_fallback} is, that value +will be used instead. If neither option is specified, the behavior +depends on configure-time options; if none were given, the default is to +enable this option. If the DNS support is not compiled in, this entry +has no effect. + +@itemx dns_lookup_realm +Indicate whether DNS TXT records should be used to determine the +Kerberos realm of a host. + +Enabling this option may permit a redirection attack, where spoofed DNS +replies persuade a client to authenticate to the wrong realm, when +talking to the wrong host (either by spoofing yet more DNS records or by +intercepting the net traffic). Depending on how the client software +manages hostnames, however, it could already be vulnerable to such +attacks. We are looking at possible ways to minimize or eliminate this +exposure. For now, we encourage more adventurous sites to try using +Secure DNS. + +If this option is not specified but @samp{dns_fallback} is, that value +will be used instead. If neither option is specified, the behavior +depends on configure-time options; if none were given, the default is to +disable this option. If the DNS support is not compiled in, this entry +has no effect. + +@itemx dns_fallback +General flag controlling the use of DNS for Kerberos information. If +both of the preceding options are specified, this option has no effect. + @end table @node appdefaults, realms (krb5.conf), libdefaults, krb5.conf @@ -724,8 +769,8 @@ Here is an example of a generic @code{krb5.conf} file: [libdefaults] ticket_lifetime = 600 default_realm = @value{PRIMARYREALM} - default_tkt_enctypes = des-cbc-crc - default_tgs_enctypes = des-cbc-crc + default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc [realms] @value{PRIMARYREALM} = @{ @@ -858,8 +903,9 @@ this realm. By default, the value of kdc_ports as specified in the (String.) Specifies the name of the master key. @itemx master_key_type -(Key type string.) Specifies the master key's key type. Only -"des-cbc-crc" is supported at this time. +(Key type string.) Specifies the master key's key type. Either +"des3-hmac-sha1" or +"des-cbc-crc" may be used at this time. @itemx max_life (Delta time string.) Specifes the maximum time period for which a @@ -872,23 +918,15 @@ valid ticket may be renewed in this realm. @itemx supported_enctypes List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through -@code{kadmin} will have keys of these types. Since only the encryption -type "des-cbc-crc" is supported, you should set this tag to -@samp{des-cbc-crc:normal des-cbc-crc:v4}. +@code{kadmin} will have keys of these types. If you do not yet wish to +enable triple-DES support, you should set this tag to +@samp{des-cbc-crc:normal des-cbc-crc:v4}; otherwise, put +@samp{des3-hmac-sha1:normal} at the beginning of the list. @itemx kdc_supported_enctypes List of key:salt strings. Specifies the permitted key/salt combinations of principals for this realm. You should set this tag to -@samp{des-cbc-crc:normal des-cbc-crc:v4}. - -@b{Note:} You may also use @samp{des3-cbc-sha1:normal} before -@samp{des-cbc-crc:normal} if you wish to support triple-DES service keys -in addition to DES service keys. In order to create such service keys, -you must use the @code{-e} option to @code{kadmin.local}, running on the -KDC system itself; the remote @code{kadmin} client does not allow this -option. We do not currently support the use of triple-DES keys anywhere -other than for service keys. - +@samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}. @end table @@ -907,9 +945,9 @@ Here's an example of a @code{kdc.conf} file: kadmind_port = 749 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s - master_key_type = des-cbc-crc - supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 - kdc_supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 + master_key_type = des3-hmac-sha1 + supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 + kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 @} [logging] @@ -1011,11 +1049,8 @@ scripts that pass specific queries to @code{kadmin}. @b{(For @code{kadmin.local} only.)} Sets the list of cryptosystem and salt types to be used for any new keys created. Available types include @samp{des3-cbc-sha1:normal}, -@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}. In this release, -the @samp{des3-cbc-sha1:normal} type should only be used when -registering service principals; for any services that may request -tickets themselves to initiate some action, it should be combined with -one or more of the other types. +@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}. + @end table @node Date Format, Principals, Kadmin Options, Administrating Kerberos Database Entries @@ -1408,16 +1443,18 @@ Removes the policy @i{policyname} from the principal @item -randkey Sets the key for the principal to a random value (@code{add_principal} -only). @value{COMPANY} recommends using this option for host keys. You -may also wish to use the @b{kadmin.local} command-line options @b{-e -"des3-cbc-sha1:normal des-cbc-crc:normal"}@xref{Kadmin Options} on the -KDC machine itself for host keys and other service keys that are -security-critical. +only). @value{COMPANY} recommends using this option for host keys. @item -pw @i{password} Sets the key of the principal to the specified string and does not prompt for a password (@code{add_principal} only). @value{COMPANY} does not recommend using this option. + +@item -e @i{enc:salt...} +Uses the specified list of enctype-salttype pairs for setting the key of +the principal. The quotes are necessary if there are multiple +enctype-salttype pairs. This will not function against kadmin daemons +earlier than krb5-1.2. @end table If you want to just use the default values, all you need to do is: @@ -1529,6 +1566,12 @@ Sets the key of the principal to a random value. @item @b{-pw} @i{password} Sets the password to the string @i{password}. @value{COMPANY} does not recommend using this option. + +@item @b{-e} @i{"enc:salt..."} +Uses the specified list of enctype-salttype pairs for setting the key of +the principal. The quotes are necessary if there are multiple +enctype-salttype pairs. This will not function against kadmin daemons +earlier than krb5-1.2. @end table For example: @@ -1759,7 +1802,9 @@ causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format causes the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit load_dump version 3.0''). @itemx -ov -causes the dump to be in ovsec_adm_export format. +causes the dump to be in ovsec_adm_export format. Currently, the only +way to preserve per-principal policy information is to use this in +conjunction with a normal dump. @itemx -verbose causes the name of each principal and policy to be printed as it is dumped. @@ -1816,6 +1861,12 @@ not be dumped: If you do not specify a dump file, @code{kdb5_util} will dump the database to the standard output. +There is currently a bug where the default dump format omits the +per-principal policy information. In order to dump all the data +contained in the Kerberos database, you must perform a normal dump (with +no option flags) and an additional dump using the ``-ov'' flag to a +different file. + @node Restoring a Kerberos Database from a Dump File, Creating a Stash File, Dumping a Kerberos Database to a File, Administrating Kerberos Database Entries @section Restoring a Kerberos Database from a Dump File @@ -1844,7 +1895,10 @@ causes the name of each principal and policy to be printed as it is dumped. @itemx -update causes records from the dump file to be updated in or added to the -existing database. +existing database. This is useful in conjunction with an +ovsec_adm_export format dump if you want to preserve per-principal +policy information, since the current default format does not contain +this data. @end table For example: @@ -2001,6 +2055,12 @@ The @code{ktadd} command takes the following switches: use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the default keytab file (@code{/etc/krb5.keytab}). +@item @b{-e} @i{"enc:salt..."} +Uses the specified list of enctype-salttype pairs for setting the key of +the principal. The quotes are necessary if there are multiple +enctype-salttype pairs. This will not function against kadmin daemons +earlier than krb5-1.2. + @item -q run in quiet mode. This causes @code{ktadd} to display less verbose information. @@ -2012,8 +2072,9 @@ for the kadmin @code{list_principals} (@pxref{Retrieving a List of Principals}) command. @end table -For example (The line beginning with @result{} is a continuation of the -previous line.): +Here is a sample session, using configuration files that enable only +@samp{des-cbc-crc} encryption. (The line beginning with @result{} is a +continuation of the previous line.) @smallexample @group @@ -2551,7 +2612,6 @@ KRB5PLACEHOLD_110: KRB5 error code 110 @item KRB5PLACEHOLD_111: KRB5 error code 111 @item -+ KRB5PLACEHOLD_112: KRB5 error code 112 @item KRB5PLACEHOLD_113: KRB5 error code 113 diff --git a/doc/build.texinfo b/doc/build.texinfo index 78aa8b450..fa83acbea 100644 --- a/doc/build.texinfo +++ b/doc/build.texinfo @@ -59,8 +59,8 @@ only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for -each platform. We recommend that you look at see @ref{OS -Incompatibilities} for notes that we have on particular operating +each platform. We recommend that you look at @ref{OS +Incompatibilities}, for notes that we have on particular operating systems. @menu @@ -200,7 +200,7 @@ libraries to be available during compilation and some of the tests also require Perl in order to operate. If all of these resources are not available during configuration, the KADM5 tests will not run. The TCL installation directory can be specified with the @code{--with-tcl} -configure option (see @xref{Options to Configure}). The runtest and +configure option. (See @xref{Options to Configure}.) The runtest and perl programs must be in the current execution path. If you install DejaGnu, TCL, or Perl after configuring and building @@ -208,7 +208,7 @@ Kerberos and then want to run the KADM5 tests, you will need to re-configure the tree and run @code{make} at the top level again to make sure all the proper programs are built. To save time, you actually only need to reconfigure and build in the directories src/kadmin/testing, -src/lib/rpc, src/lib/kadm5, and src/kpasswd. +src/lib/rpc, src/lib/kadm5. @node Options to Configure, osconf.h, Testing the Build, Building Kerberos V5 @section Options to Configure @@ -301,12 +301,6 @@ default, Kerberos V5 configuration will look for @code{-lnsl} and (see @ref{Solaris versions 2.0 through 2.3}) or fails to pass the tests in @file{src/tests/resolv} you will need to use this option. -@item --enable-shared - -This option will turn on the building and use of shared library objects -in the Kerberos build. This option is only supported on certain -platforms. - @item --with-vague-errors If enabled, gives vague and unhelpful error messages to the client... er, @@ -329,10 +323,33 @@ Tcl. The directory specified by @code{TCLPATH} specifies where the Tcl header file (@file{TCLPATH/include/tcl.h} as well as where the Tcl library should be found (@file{TCLPATH/lib}). +@item --enable-shared + +This option will turn on the building and use of shared library objects +in the Kerberos build. This option is only supported on certain +platforms. + +@item --enable-dns +@item --enable-dns-for-kdc +@item --enable-dns-for-realm + +Enable the use of DNS to look up a host's Kerberos realm, or a realm's +KDCs, if the information is not provided in krb5.conf. See +@xref{Hostnames for the Master and Slave KDCs}, and @xref{Mapping +Hostnames onto Kerberos Realms}. By default, DNS lookups are enabled +for the latter but not for the former. + +@item --enable-kdc-replay-cache + +Enable a cache in the KDC to detect retransmitted messages, and resend +the previous responses to them. This protects against certain types of +attempts to extract information from the KDC through some of the +hardware preauthentication systems. + @end table For example, in order to configure Kerberos on a Solaris machine using -the @samp{suncc} with the optimizer turned on, run the configure +the @samp{suncc} compiler with the optimizer turned on, run the configure script with the following options: @example @@ -465,6 +482,10 @@ was never a problem in using GCC version 2.6.3. In version 3.2 and beyond of the operating system, we have not seen any problems with the native compiler. +@c @node Alpha Tru64 UNIX 5.0 +@c @subsection Alpha Tru64 UNIX 5.0 +@c ... login.krb5 problems + @node BSDI, HPUX, Alpha OSF/1 (Digital Unix) V2.0++, OS Incompatibilities @subsection BSDI diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo index 7ea4758e2..83fe7ef65 100644 --- a/doc/copyright.texinfo +++ b/doc/copyright.texinfo @@ -1,4 +1,4 @@ -Copyright @copyright{} 1985-1999 by the Massachusetts Institute of Technology. +Copyright @copyright{} 1985-2000 by the Massachusetts Institute of Technology. @quotation Export of software employing encryption from the United States of diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo index 079809d2c..5a5b37cbf 100644 --- a/doc/definitions.texinfo +++ b/doc/definitions.texinfo @@ -19,8 +19,8 @@ @set RANDOMUSER johndoe @set RANDOMUSER1 jennifer @set RANDOMUSER2 david -@set RELEASE 1.1 -@set PREVRELEASE 1.0 +@set RELEASE 1.2 +@set PREVRELEASE 1.1 @set INSTALLDIR /usr/@value{LCPRODUCT} @set PREVINSTALLDIR @value{INSTALLDIR} @set ROOTDIR /usr/local diff --git a/doc/install.texinfo b/doc/install.texinfo index 8744b0f00..e1f6fa560 100644 --- a/doc/install.texinfo +++ b/doc/install.texinfo @@ -229,7 +229,10 @@ BOSTON.@value{SECONDREALM} and HOUSTON.@value{SECONDREALM}. @node Mapping Hostnames onto Kerberos Realms, Ports for the KDC and Admin Services, Kerberos Realms, Realm Configuration Decisions @section Mapping Hostnames onto Kerberos Realms -Mapping hostnames onto Kerberos realms is done through a set of rules in +Mapping hostnames onto Kerberos realms is done in one of two ways. + +The first mechanism, which has been in use for years in MIT-based +Kerberos distributions, works through a set of rules in the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can specify mappings for an entire domain or subdomain, and/or on a hostname-by-hostname basis. Since greater specificity takes precedence, @@ -240,7 +243,35 @@ The @value{PRODUCT} System Administrator's Guide contains a thorough description of the parts of the @code{krb5.conf} file and what may be specified in each. A sample @code{krb5.conf} file appears in @ref{krb5.conf}. You should be able to use this file, substituting the -relevant information for your Kerberos instllation for the samples. +relevant information for your Kerberos installation for the samples. + +The second mechanism, recently introduced into the MIT code base but not +currently used by default, works by looking up the information in +special @code{TXT} records in the Domain Name Service. If this +mechanism is enabled on the client, it will try to look up a @code{TXT} +record for the DNS name formed by putting the prefix @code{_kerberos} in +front of the hostname in question. If that record is not found, it will +try using @code{_kerberos} and the host's domain name, then its parent +domain, and so forth. So for the hostname +BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be: + +@smallexample +_kerberos.boston.engineering.foobar.com +_kerberos.engineering.foobar.com +_kerberos.foobar.com +_kerberos.com +@end smallexample + +The value of the first TXT record found is taken as the realm name. +(Obviously, this doesn't work all that well if a host and a subdomain +have the same name, and different realms. For example, if all the hosts +in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM +realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in +another realm. In that case, you would set up TXT records for all +hosts, rather than relying on the fallback to the domain name.) + +Even if you do not choose to use this mechanism within your site, you +may wish to set up anyways, for use when interacting with other sites. @node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions @section Ports for the KDC and Admin Services @@ -293,11 +324,86 @@ disasters. @section Hostnames for the Master and Slave KDCs @value{COMPANY} recommends that your KDCs have a predefined set of -CNAMEs, such as @code{@value{KDCSERVER}} for the master KDC and +CNAME records (DNS hostname aliases), such as @code{@value{KDCSERVER}} +for the master KDC and @code{@value{KDCSLAVE1}}, @code{@value{KDCSLAVE2}}, @dots{} for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. +A new mechanism for locating KDCs of a realm through DNS has been added +to the @value{COMPANY} @value{PRODUCT} distribution. A relatively new +record type called @code{SRV} has been added to DNS. Looked up by a +service name and a domain name, these records indicate the hostname and +port number to contact for that service, optionally with weighting and +prioritization. (See RFC 2782 if you want more information. You can +follow the example below for straightforward cases.) + +The use with Kerberos is fairly straightforward. The domain name used +in the SRV record name is the domain-style Kerberos realm name. (It is +possible to have Kerberos realm names that are not DNS-style names, but +we don't recommend it for Internet use, and our code does not support it +well.) Several different Kerberos-related service names are used: + +@table @code +@item _kerberos._udp +This is for contacting any KDC. This entry will be used the most often. +Normally you should list ports 88 and 750 on each of your KDCs. + +@item _kerberos-master._udp +This entry should refer to those KDCs, if any, that will immediately see +password changes to the Kerberos database. This entry is used only in +one case, when the user is logging in and the password appears to be +incorrect; the master KDC is then contacted, and the same password used +to try to decrypt the response, in case the user's password had recently +been changed and the first KDC contacted hadn't been updated. Only if +that fails is an ``incorrect password'' error given. + +If you have only one KDC, or for whatever reason there is no accessible +KDC that would get database changes faster than the others, you do not +need to define this entry. + +@item _kerberos-adm._tcp +This should list port 749 on your master KDC. Support for it is not +complete at this time, but it will eventually be used by the +@code{kadmin} program and related utilities. For now, you will also +need the @code{admin_server} entry in @code{krb5.conf}. + +@item _kpasswd._udp +This should list port 464 on your master KDC. It is used when a user +changes her password. + +@end table + +Be aware, however, that the DNS SRV specification requires that the +hostnames listed be the canonical names, not aliases. So, for example, +you might include the following records in your (BIND-style) zone file: + +@smallexample +$ORIGIN foobar.com. +_kerberos TXT "FOOBAR.COM" +kerberos CNAME daisy +kerberos-1 CNAME use-the-force-luke +kerberos-2 CNAME bunny-rabbit +_kerberos._udp SRV 0 0 88 daisy + SRV 0 0 88 use-the-force-luke + SRV 0 0 88 bunny-rabbit +_kerberos-master._udp SRV 0 0 88 daisy +_kerberos-adm._tcp SRV 0 0 749 daisy +_kpasswd._udp SRV 0 0 464 daisy +@end smallexample + +As with the DNS-based mechanism for determining the Kerberos realm of a +host, we recommend distributing the information this way for use by +other sites that may want to interact with yours using Kerberos, even if +you don't immediately make use of it within your own site. If you +anticipate installing a very large number of machines on which it will +be hard to update the Kerberos configuration files, you may wish to do +all of your Kerberos service lookups via DNS and not put the information +(except for @code{admin_server} as noted above) in future versions of +your @code{krb5.conf} files at all. Eventually, we hope to phase out +the listing of server hostnames in the client-side configuration files; +making preparations now will make the transition easier in the future. + @node Database Propagation, , Hostnames for the Master and Slave KDCs, Realm Configuration Decisions @section Database Propagation @@ -421,7 +527,8 @@ encrypted form on the KDC's local disk. The stash file is used to authenticate the KDC to itself automatically before starting the @code{kadmind} and @code{krb5kdc} daemons (@i{e.g.,} as part of the machine's boot sequence). The stash file, like the keytab file -(@xref{The Keytab File}) is a potential point-of-entry for a break-in, +(see @xref{The Keytab File}, for more information) is a potential +point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk. The file @@ -560,8 +667,8 @@ instance ``root'', you would add the following line to the acl file: Next you need to add administrative principals to the Kerberos database. (You must add at least one now.) To do this, use @code{kadmin.local} @emph{on the master KDC}. The administrative principals you create -should be the ones you added to the ACL file (see @xref{Add -Administrators to the Acl File}). In the following example, the +should be the ones you added to the ACL file. (See @xref{Add +Administrators to the Acl File}.) In the following example, the administration principal @code{admin/admin} is created: @smallexample @@ -639,8 +746,8 @@ to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to have a stash file in order to do this. You can verify that they started properly by checking for their startup -messages in the logging locations you defined in @code{/etc/krb5.conf} -(see @xref{Edit the Configuration Files}). For example: +messages in the logging locations you defined in @code{/etc/krb5.conf}. +(See @xref{Edit the Configuration Files}.) For example: @smallexample @b{shell%} tail /var/log/krb5kdc.log @@ -909,7 +1016,7 @@ Once your KDCs are set up and running, you are ready to use @code{kadmin} to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in the ``Adding or Modifying Principals'' section of the @value{PRODUCT} System -Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs} for a +Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs}, for a brief description.) The keytab is generated by running @code{kadmin} and issuing the @code{ktadd} command. @@ -987,7 +1094,11 @@ Disable the cron job that propagates the database. @item Run your database propagation script manually, to ensure that the slaves all have the latest copy of the database. (@xref{Propagate the Database -to Each Slave KDC}.) +to Each Slave KDC}.) If there is a need to preserve per-principal +policy information from the database, you should do a ``kdb5_util dump +-ov'' in order to preserve that information and propogate that dump file +securely by some means to the slave so that its database has the correct +state of the per-principal policy information. @end enumerate On the @emph{new} master KDC: @@ -1007,6 +1118,7 @@ Database to Each Slave KDC}.) Switch the CNAMEs of the old and new master KDCs. (If you don't do this, you'll need to change the @code{krb5.conf} file on every client machine in your Kerberos realm.) + @end enumerate @node Installing and Configuring UNIX Client Machines, UNIX Application Servers, Installing KDCs, Installing Kerberos V5 @@ -1050,7 +1162,7 @@ counterparts @c @code{from} @code{su}, @code{passwd}, and @code{rdist}. -@node Client Machine Configuration Files, Mac OS X Configuration, Client Programs, Installing and Configuring UNIX Client Machines +@node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines @subsection Client Machine Configuration Files Each machine running Kerberos must have a @code{/etc/krb5.conf} file. @@ -1357,27 +1469,29 @@ should be readable only by root. If you already have an existing Kerberos database that you created with a prior release of Kerberos 5, you can upgrade it to work with the -current release with the @code{kdb5_util} command. The process for -upgrading a Master KDC involves the following steps (the lines beginning -with => indicate a continuation of the previous line): +current release with the @code{kdb5_util} command. It is only necessary +to perform this dump/undump procedure if you were running a krb5-1.0.x +KDC and are migrating to a krb5-1.1.x or newer KDC. The process for +upgrading a Master KDC involves the following steps: @enumerate -@item Stopping your current KDC and administration +@item Stop your current KDC and administration server processes, if any. -@item Dumping your existing Kerberos database to an ASCII file with +@item Dump your existing Kerberos database to an ASCII file with @code{kdb5_util}'s ``dump'' command: @smallexample @group -@b{shell%} kdb5_util -r @value{PRIMARYREALM} dump -@result{} @value{ROOTDIR}/var/krb5kdc/old-kdb-dump +@b{shell%} cd @value{ROOTDIR}/var/krb5kdc +@b{shell%} kdb5_util dump old-kdb-dump +@b{shell%} kdb5_util dump -ov old-kdb-dump.ov @b{shell%} @end group @end smallexample -@item Creating a new Master KDC installation (@xref{Install the Master +@item Create a new Master KDC installation (@xref{Install the Master KDC}). If you have a stash file for your current database, choose any new master password but then copy your existing stash file to the location specified by your kdc.conf; if you do not have a stash file for @@ -1388,17 +1502,64 @@ your current database, you must choose the same master password. @smallexample @group -@b{shell%} kdb5_util load @value{ROOTDIR}/var/krb5kdc/old-kdb-dump +@b{shell%} cd @value{ROOTDIR}/var/krb5kdc +@b{shell%} kdb5_util load old-kdb-dump +@b{shell%} kdb5_util load -update old-kdb-dump.ov @b{shell%} @end group @end smallexample @end enumerate +The ``dump -ov'' and ``load -update'' commands are necessary in order to +preserve per-principal policy information, since the default dump format +filters out that information. If you omit those steps, the loaded +database database will lose the policy information for each principal +that has a policy. + To update a Slave KDC, you must stop the old server processes on the Slave KDC, install the new server binaries, reload the most recent slave dump file, and re-start the server processes. +@menu +* Upgrading to Triple-DES Encryption Keys:: +@end menu + +@node Upgrading to Triple-DES Encryption Keys, , Upgrading Existing Kerberos V5 Installations, Upgrading Existing Kerberos V5 Installations +@section Upgrading to Triple-DES Encryption Keys + +Beginning with the 1.2 release from MIT, Kerberos includes a stronger +encryption algorithm called ``triple DES'' -- essentially, three +applications of the basic DES encryption algorithm, greatly increasing +the resistance to a brute-force search for the key by an attacker. This +algorithm is more secure, but encryption is much slower. We expect to +add other, faster encryption algorithms at some point in the future. + +Release 1.1 had some support for triple-DES service keys, but with +release 1.2 we have added support for user keys and session keys as +well. Release 1.0 had very little support for multiple cryptosystems, +and some of that software may not function properly in an environment +using triple-DES as well as plain DES. + +Because of the way the MIT Kerberos database is structured, the KDC will +assume that a service supports only those encryption types for which +keys are found in the database. Thus, if a service has only a +single-DES key in the database, the KDC will not issue tickets for that +service that use triple-DES session keys; it will instead issue only +single-DES session keys, even if other services are already capable of +using triple-DES. So if you make sure your application server software +is updated before adding a triple-DES key for the service, clients +should be able to talk to services at all times during the updating +process. + +Normally, the listed @code{supported_enctypes} in @code{kdc.conf} are +all used when a new key is generated. You can control this with +command-line flags to @code{kadmin} and @code{kadmin.local}. You may +want to exclude triple-DES by default until you have updated a lot of +your application servers, and then change the default to include +triple-DES. We recommend that you always include @code{des-cbc-crc} in +the default list. + @node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top @chapter Bug Reports for @value{PRODUCT} @@ -1422,8 +1583,8 @@ Here is an example @code{krb5.conf} file: [libdefaults] ticket_lifetime = 600 default_realm = @value{PRIMARYREALM} - default_tkt_enctypes = des-cbc-crc - default_tgs_enctypes = des-cbc-crc + default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc + default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc [realms] @value{PRIMARYREALM} = @{ @@ -1478,17 +1639,14 @@ Here's an example of a kdc.conf file: kadmind_port = 749 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s - master_key_type = des-cbc-crc - supported_enctypes = des-cbc-crc:normal + master_key_type = des3-hmac-sha1 + supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal @} @end group @end smallexample -To add Kerberos V4 support, change the @code{supported_enctypes} line to: - -@smallexample - supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 -@end smallexample +To add Kerberos V4 support, add @code{des-cbc-crc:v4} to the +@code{supported_enctypes} line. @menu * Encryption Types and Salt Types:: @@ -1497,9 +1655,8 @@ To add Kerberos V4 support, change the @code{supported_enctypes} line to: @node Encryption Types and Salt Types, , kdc.conf, kdc.conf @appendixsubsec Encryption Types and Salt Types -Currently, @value{PRODUCT} supports only DES and triple-DES encryption; -however, triple-DES is currently supported only for service keys, not -for user keys or session keys. The encoding types include +Currently, @value{PRODUCT} supports only DES and triple-DES encryption. +The encoding types include @code{des-cbc-crc} and @code{des3-cbc-sha1}. The @dfn{salt} is additional information encoded within the key that tells what kind of key it is. The only salts that you will be likely to encounter are: @@ -1509,6 +1666,8 @@ key it is. The only salts that you will be likely to encounter are: your @value{PRODUCT} keys @item @dfn{v4}, which is necessary only for compatibility with a v4 KDC +or a v4 version of @code{kinit}, and then only with @code{des-cbc-crc} +encryption @item @dfn{afs}, which you will never need to generate, and which you will encounter only if you dump an AFS database into a Kerberos database diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo index e78d4e6ac..12572e5cb 100644 --- a/doc/krb425.texinfo +++ b/doc/krb425.texinfo @@ -140,6 +140,14 @@ This subsection allows the administrator to configure exceptions to the default_domain mapping rule. It contains V4 instances (tag name) which should be translated to some specific hostname (tag value) as the second component in a Kerberos V5 principal name. + +@itemx v4_realm +This relation allows the administrator to configure a different +realm name to be used when converting V5 principals to V4 +ones. This should only be used when running separate V4 and V5 +realms, with some external means of password sychronization +between the realms. + @end table @node kdc.conf, , krb5.conf, Configuration Files diff --git a/doc/send-pr.texinfo b/doc/send-pr.texinfo index 9209ffd56..7cf9b70ce 100644 --- a/doc/send-pr.texinfo +++ b/doc/send-pr.texinfo @@ -4,7 +4,11 @@ built and installed @value{PRODUCT}, please use the Bug reports that include proposed fixes are especially welcome. If you do include fixes, please send them using either context diffs or unified -diffs (using @samp{diff -c} or @samp{diff -u}, respectively). +diffs (using @samp{diff -c} or @samp{diff -u}, respectively). Please be +careful when using ``cut and paste'' or other such means to copy a patch +into a bug report; depending on the system being used, that can result +in converting TAB characters into spaces, which makes applying the +patches more difficult. The @code{krb5-send-pr} program is installed in the directory @code{@value{ROOTDIR}/sbin}. -- 2.26.2