The Kerberos Principal Database

The v4 Principal Database (PD) is a local data store used by the KDC that holds principal information. All target servers and users must be entered in the PD as principals. Each record contains the following fields:

  • Primary name and instance: This field is the name and instance of the client. The local realm is retrieved at runtime.

  • Cryptographic key: This field is the secret key shared between the principal and the KDC. In v4, this is a 56-bit DES key derived from the password. Keys are stored encrypted under a master key that only the administrator can view, so that they never appear in the database in cleartext.

  • Key version number: This field is the version of the current secret key. If the secret key is updated, the version number is incremented to keep track of changes to the key.

  • Expiration date: This field specifies the last day on which the principal can request tickets from the Kerberos System.

  • Last modification date: This field specifies the last time these fields were modified. It is used for auditing when anything about the record is questionable.

  • Principal that last modified this record: This field specifies the principal that modified the record. It is used to determine who modified the record.

  • Maximum ticket lifetime: This field specifies the maximum lifetime of the principal's tickets. The value is stored in five-minute units and is usually set to 255, which is 21.25 hours.

The v4 Principal Database is normally implemented in DBM, a low-end database distributed with most UNIX systems. One limitation of this database is that only 35,000 principals can be allocated. In v5, these fields are extended to include the client realm, the encryption type, and times of use.
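To make the field semantics concrete, here is an added example (not from the book) that models a v4 PD record in Python: the lifetime arithmetic follows the five-minute units described above, a ticket request is capped by the principal's maximum and refused after the expiration date, and a key change bumps the version and fills the audit fields. The class, field names and helper functions are assumptions, not the real DBM layout.

```python
from dataclasses import dataclass, replace
from datetime import date, datetime

LIFETIME_UNIT_MIN = 5      # v4 stores the maximum ticket lifetime in 5-minute units
LIFETIME_MAX_UNITS = 255   # one byte; 255 * 5 min = 21.25 hours

@dataclass(frozen=True)
class Principal:
    """One PD row (simplified model; assumed field names, not the DBM record layout)."""
    name: str
    instance: str
    encrypted_key: bytes      # DES key as stored: encrypted under the master key
    key_version: int
    expiration: date          # last day on which the principal may request tickets
    last_modified: datetime
    modified_by: str          # principal that last changed this record
    max_life_units: int = LIFETIME_MAX_UNITS

def lifetime_hours(units):
    """Convert the stored unit count to hours; 255 -> 21.25."""
    if not 0 <= units <= LIFETIME_MAX_UNITS:
        raise ValueError("max ticket lifetime must fit in one byte of 5-minute units")
    return units * LIFETIME_UNIT_MIN / 60

def granted_lifetime(p, requested_units, today):
    """Units a KDC would grant: the request capped by the principal's maximum,
    or 0 when the principal's expiration date has passed."""
    if today > p.expiration:
        return 0
    return min(requested_units, p.max_life_units)

def rotate_key(p, new_encrypted_key, admin, now):
    """Store a new key: bump the key version and record the audit fields."""
    return replace(p, encrypted_key=new_encrypted_key,
                   key_version=p.key_version + 1,
                   last_modified=now, modified_by=admin)

# Constructed sample record (placeholder ciphertext, not real key material).
RICH = Principal("rich", "", b"constructed-ciphertext", 1, date(2002, 1, 1),
                 datetime(2001, 6, 1, 9, 0), "rich.admin", max_life_units=120)
```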

Note

The database can be further extended to follow an LDAP schema and include permission and principal sets that are used in Java.

Commands

Several commands outside the Kerberos API allow a human to interact with the Kerberos System. The following is a list of user or client commands:

  • kinit: This command is used for logging in to the Kerberos System.

  • kdestroy: This command is used for logging out of the Kerberos System. It destroys the tickets in the user's cache.

  • klist: This command displays the contents of the user's ticket cache.

  • ksu: This command can change the current user to the root user, if the current user has root access.

  • kpasswd: This command is used to change the current user's password.

The kinit command is used to log in to the Kerberos server. Listing 16-1 shows user "rich" logging in to the host security.richware.com, including the password prompt.

Listing 16-1: The kinit command

 % kinit rich
 Welcome to rich's security site
 Kerberos Initialization for "rich"
 Password: password

After logging in to the Kerberos System, a user who wants to log out simply destroys the tickets in the cache with the kdestroy command. The klist command displays the contents of the user's cache. An example of running the kpasswd command is shown in Listing 16-2.

Listing 16-2: The kpasswd command

 % kpasswd
 Old password for rich: Old Password
 New password for rich: New Password
 Verifying, please re-enter New Password for rich: New Password
 Password changed.

One of the services that runs as a daemon, or background service, is kadmind. A remote administrator uses this service to administer the Kerberos System. Some of the administration commands are as follows:

  • kdb_init: This command creates the PD. It prompts the administrator for the master key that will be used to encrypt and decrypt fields in the PD; the administrator will also need this key to access the administration functionality.

  • kdb_destroy: This command destroys the PD.

  • kstash: This command relays the Kerberos master key to the KDC software.

  • kdb_edit: This command gives the administrator the ability to add principals to the PD and modify them.

  • ext_srvtab: This command creates a srvtab on the target service for Kerberos.

  • ksrvutil: This command is used to add keys to the srvtab.

  • kdb_util: This command is a utility for administering the PD. It has several sub-commands for accomplishing this task:

    • dump: This sub-command dumps the DBM into an ASCII format.

    • load: This sub-command rebuilds the database from an ASCII dump.

    • slave_dump: This sub-command dumps the DBM into an ASCII format for use by all KDCs, including non-administration KDCs.

    • new_master_key: This sub-command encrypts all the principals with the master key.

  • kadmin: This is the client program for the kadmind server, used to remotely administer a specific principal in the database. It has several sub-commands for accomplishing this task:

    • cap: This sub-command changes the administration password.

    • get: This sub-command gets a specific principal's maximum ticket lifetime and expiration date.

    • cpw: This sub-command changes a principal's password.

    • ank: This sub-command adds a new principal to the database.

Configuration files

On UNIX systems, tickets are usually stored in the temporary directory /tmp/, in a ticket file whose name ends with the user's ID: /tmp/tkt${UID}. This location can be overridden with the KRBTKFILE environment variable.

The /etc/services file defines the service ports used by Kerberos. Kerberos v4 uses port 750; the entries for v5, including its tools and utilities, are shown in Listing 16-3.

Listing 16-3: Kerberos commands and tools

 kerberos      88/tcp   krb5 kerberos-sec    #Kerberos
 kerberos      88/udp   krb5 kerberos-sec    #Kerberos
 kpasswd       464/tcp                       # Kerberos (v5)
 kpasswd       464/udp                       # Kerberos (v5)
 klogin        543/tcp                       #Kerberos login
 kshell        544/tcp  krcmd                #Kerberos remote shell
 kerberos-adm  749/tcp                       #Kerberos administration
 kerberos-adm  749/udp                       #Kerberos administration
 kpop          1109/tcp                      #Kerberos POP
 knetd         2053/tcp                      #Kerberos de-multiplexor

krb.conf is the Kerberos configuration file and is usually located under /etc/athena, the directory for the Athena configuration files. In v5 it is stored as /etc/krb5/krb5.conf, and on WinNT it is stored as C:\WINNT\krb5.ini. In this file you find the realm name, the KDC, and the administration server (the server identified in the listing above on port 749). The administration server is marked by the words "admin server" in the configuration file. Other Kerberos servers may also be listed in this file; however, only one administration server, the one the kadmin command contacts, can be specified. The following example shows the main realm, an administration server, and a non-administration server:

 RICHWARE.COM
 RICHWARE.COM admin-kerberos.richware.edu admin server
 RICHWARE.COM Kerberos.richware.com
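As an added example (not from the book), the following Python code parses a krb.conf in the v4 layout just shown and a fragment of /etc/services in the shape of Listing 16-3, returning the one administration server that kadmin would contact and its kerberos-adm port; it rejects a file that marks zero or several hosts as "admin server". The function names and the embedded sample files are assumptions constructed for this example.

```python
# Constructed krb.conf in the v4 layout: the first line is the local realm;
# each later line is "REALM kdc-host", optionally followed by "admin server"
# to mark the single host that the kadmin command contacts.
KRB_CONF = """\
RICHWARE.COM
RICHWARE.COM admin-kerberos.richware.edu admin server
RICHWARE.COM Kerberos.richware.com
"""

# Constructed /etc/services fragment in the shape of Listing 16-3.
SERVICES = """\
kerberos      88/tcp   krb5 kerberos-sec    #Kerberos
kerberos-adm  749/tcp                  #Kerberos administration
kerberos-adm  749/udp                  #Kerberos administration
"""

def parse_krb_conf(text):
    """Return (local_realm, [(realm, host), ...], admin_host).
    Raises ValueError unless exactly one line is marked "admin server"."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty krb.conf")
    local_realm, kdcs, admins = lines[0], [], []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed krb.conf line: {line!r}")
        kdcs.append((fields[0], fields[1]))
        if fields[2:] == ["admin", "server"]:
            admins.append(fields[1])
    if len(admins) != 1:
        raise ValueError(f"expected exactly one admin server, found {admins}")
    return local_realm, kdcs, admins[0]

def service_port(text, name, proto="tcp"):
    """Port number for name/proto from /etc/services-style text, else None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop the trailing comment
        if len(fields) >= 2 and fields[0] == name:
            port, _, p = fields[1].partition("/")
            if p == proto:
                return int(port)
    return None

def admin_endpoint(krb_conf=KRB_CONF, services=SERVICES):
    """(realm, admin host, kerberos-adm port) that kadmin would use."""
    realm, _, host = parse_krb_conf(krb_conf)
    return realm, host, service_port(services, "kerberos-adm")
```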

For every target service that uses Kerberos there must be a srvtab. The srvtab file contains the server keys, which the target servers use to share keys with the KDC. This file may also be stored under /etc/athena/ on the server. The administrator should ensure that only root, or the administrator, has access rights to these files; otherwise attackers can modify them to take control of the Kerberos System. The server keys can also be viewed with the klist command by specifying the /etc/srvtab file, as seen in Listing 16-4.

Listing 16-4: The /etc/srvtab file

 rich# klist -file /etc/srvtab -srvtab
 Server key file: /etc/srvtab
 Service     Instance       Realm                    Key Version
 kpop         rich          RICHWARE.COM                      1
 rcmd         rich          RICHWARE.COM                      1
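The access-rights requirement for the srvtab above is easy to verify mechanically. The following is an added example (not from the book) that reports any srvtab whose owner is not root or whose group/other permission bits are set; the function names are assumptions, and the demo writes a constructed placeholder file rather than touching a real /etc/srvtab.

```python
import os
import stat
import tempfile

def srvtab_findings(path, root_uid=0):
    """Problems with a srvtab's ownership or mode; an empty list means only
    root can read or modify it. root_uid is a parameter so the demo can run
    as an ordinary user."""
    st = os.stat(path)
    findings = []
    if st.st_uid != root_uid:
        findings.append(f"owner uid {st.st_uid} is not root")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other permission bits set: {stat.filemode(st.st_mode)}")
    return findings

def demo():
    """Create a constructed srvtab stand-in (no real keys) in a temporary
    directory and check it once world-readable, once locked down to the owner."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "srvtab")
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real key table\n")
        os.chmod(path, 0o644)
        loose = srvtab_findings(path, root_uid=os.getuid())
        os.chmod(path, 0o600)
        tight = srvtab_findings(path, root_uid=os.getuid())
    return loose, tight

if __name__ == "__main__":
    for label, findings in zip(("mode 0644", "mode 0600"), demo()):
        print(label, findings or "ok")
```

Run against a real file with srvtab_findings("/etc/srvtab") as root; a non-empty list is the condition the text warns about.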


Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222
