1 UNIX Application Servers
2 ========================
4 An application server is a host that provides one or more services
5 over the network. Application servers can be "secure" or "insecure."
6 A "secure" host is set up to require authentication from every client
7 connecting to it. An "insecure" host will still provide Kerberos
8 authentication, but will also allow unauthenticated clients to
11 If you have Kerberos V5 installed on all of your client machines, MIT
12 recommends that you make your hosts secure, to take advantage of the
13 security that Kerberos authentication affords. However, if you have
14 some clients that do not have Kerberos V5 installed, you can run an
15 insecure server, and still take advantage of Kerberos V5's single
24 All Kerberos server machines need a keytab file to authenticate to the
25 KDC. By default on UNIX-like systems this file is named
26 ``/etc/krb5.keytab``. The keytab file is an encrypted, local, on-disk
27 copy of the host's key. The keytab file, like the stash file (see
28 :ref:`create_db`) is a potential point-of-entry for a break-in, and if
29 compromised, would allow unrestricted access to its host. The keytab
30 file should be readable only by root, and should exist only on the
31 machine's local disk. The file should not be part of any backup of
32 the machine, unless access to the backup data is secured as tightly as
33 access to the machine's root password itself.
35 In order to generate a keytab for a host, the host must have a
36 principal in the Kerberos database. The procedure for adding hosts to
37 the database is described fully in :ref:`add_mod_del_princs`. (See
38 :ref:`slave_host_key` for a brief description.) The keytab is
39 generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd`
42 For example, to generate a keytab file to allow the host
43 ``trillium.mit.edu`` to authenticate for the services host, ftp, and
44 pop, the administrator ``joeadmin`` would issue the command (on
45 ``trillium.mit.edu``)::
47 trillium% /usr/local/sbin/kadmin
48 kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
49 kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
50 kvno 3, encryption type DES-CBC-CRC added to keytab
51 WRFILE:/etc/krb5.keytab.
52 kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
53 kvno 3, encryption type DES-CBC-CRC added to keytab
54 WRFILE:/etc/krb5.keytab.
55 kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
56 kvno 3, encryption type DES-CBC-CRC added to keytab
57 WRFILE:/etc/krb5.keytab.
61 If you generate the keytab file on another host, you need to get a
62 copy of the keytab file onto the destination host (``trillium``, in
63 the above example) without sending it unencrypted over the network.
66 Some advice about secure hosts
67 ------------------------------
69 Kerberos V5 can protect your host from certain types of break-ins, but
70 it is possible to install Kerberos V5 and still leave your host
71 vulnerable to attack. Obviously an installation guide is not the
72 place to try to include an exhaustive list of countermeasures for
73 every possible attack, but it is worth noting some of the larger holes
74 and how to close them.
76 We recommend that backups of secure machines exclude the keytab file
77 (``/etc/krb5.keytab``). If this is not possible, the backups should
78 at least be done locally, rather than over a network, and the backup
79 tapes should be physically secured.
81 The keytab file and any programs run by root, including the Kerberos
82 V5 binaries, should be kept on local disk. The keytab file should be
83 readable only by root.
projects / krb5.git / blob