The v4 Principal Database (PD) is a local data store used by the KDC that contains principal information. All target servers and users must be entered in the PD as principals. The following are the fields that each row includes:
The v4 Principal Database is normally implemented in DBM, a low-end database distributed with most UNIX systems. One limitation of using this database is that only 35,000 principals can be allocated. In v5, these fields are extended to include the client realm, the encryption type, and times of use.
Commands

There are several commands outside of the Kerberos API that provide a human interface into the Kerberos System. The following is a list of user or client commands:
The kinit command is used for logging in to the Kerberos server. An example of user "rich" logging in to the host security.richware.com is shown in Listing 16-1, which includes the password prompt.

Listing 16-1: The kinit command

    % kinit rich
    Welcome to rich's security site
    Kerberos Initialization for "rich"
    Password: password

After logging in to the Kerberos System, if the user wants to log out, he simply destroys the tickets in the cache by calling the kdestroy command. The klist command displays the contents of the user's ticket cache. The kpasswd command changes the user's Kerberos password; an example of executing it is shown in Listing 16-2.

Listing 16-2: The kpasswd command

    % kpasswd
    Old password for rich: Old Password
    New password for rich: New Password
    Verifying, please re-enter New Password for rich: New Password
    Password changed.

One of the services running as a daemon, or background service, is kadmind. This service is accessible to the remote administrator for administering the Kerberos System. Some of the administration commands are as follows:
Configuration files

On UNIX systems, tickets are usually stored in the temporary directory /tmp/, in a ticket file named with the user's ID appended: /tmp/tkt${UID}. This location can be overridden with the KRBTKFILE environment variable. The /etc/services file defines the service ports that can be used with Kerberos. Kerberos v4 uses port 750; the entries for v5, including tools and utilities, are shown in Listing 16-3.

Listing 16-3: Kerberos commands and tools

    kerberos      88/tcp     krb5 kerberos-sec   #Kerberos
    kerberos      88/udp     krb5 kerberos-sec   #Kerberos
    kpasswd       464/tcp                        # Kerberos (v5)
    kpasswd       464/udp                        # Kerberos (v5)
    klogin        543/tcp                        #Kerberos login
    kshell        544/tcp    krcmd               #Kerberos remote shell
    kerberos-adm  749/tcp                        #Kerberos administration
    kerberos-adm  749/udp                        #Kerberos administration
    kpop          1109/tcp                       #Kerberos POP
    knetd         2053/tcp                       #Kerberos de-multiplexor

The krb.conf file is the Kerberos configuration file and is usually located under /etc/athena, the directory for the Athena configuration files. In v5 it is stored as /etc/krb5/krb5.conf, and on Windows NT it is stored as C:\WINNT\krb5.ini. In this file you find the realm name, the KDC, and the administration server (identified in the services listing above on port 749). A Kerberos server is identified as the administration server by the words "admin server" following it in the configuration file. Other Kerberos servers may be listed in this file; however, only one administration server, the one accessed by the kadmin command, can be specified. An example of the file with the main realm, an administration server, and a non-administration server follows:

    RICHWARE.COM
    RICHWARE.COM admin-kerberos.richware.edu admin server
    RICHWARE.COM Kerberos.richware.com

For every target service that employs Kerberos, there must be a srvtab. The srvtab file contains the server keys. This file may also be stored under /etc/athena/ on the server. The server keys are used by the target servers to share keys with the KDC.
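As an added example (not code from the book), the following Python parses the v4 krb.conf layout just shown, picks out the single admin server that kadmin will contact, and checks that a server key file such as /etc/srvtab is root-owned and closed to everyone else. The sample configuration is constructed from the example above, and the function names are my own.

```python
import os
import stat

# Constructed sample in the v4 krb.conf layout shown above: first line is the
# local realm, each later line is "<REALM> <host> [admin server]".
SAMPLE_KRB_CONF = """RICHWARE.COM
RICHWARE.COM admin-kerberos.richware.edu admin server
RICHWARE.COM Kerberos.richware.com
"""

def parse_krb_conf(text):
    """Return (local_realm, [(realm, host, is_admin), ...])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty krb.conf")
    servers = []
    for line in lines[1:]:
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed server line: %r" % line)
        is_admin = " ".join(parts[2:]).lower() == "admin server"
        servers.append((parts[0], parts[1], is_admin))
    return lines[0], servers

def admin_server(text):
    """Host kadmin uses; exactly one admin server must be listed for the realm."""
    local_realm, servers = parse_krb_conf(text)
    admins = [host for realm, host, adm in servers if adm and realm == local_realm]
    if len(admins) != 1:
        raise ValueError("expected one admin server, found %d" % len(admins))
    return admins[0]

def key_file_findings(uid, mode):
    """A srvtab/keytab must be root-owned and closed to group and others."""
    findings = []
    if uid != 0:
        findings.append("owner uid %d, expected root" % uid)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % mode)
    return findings

def audit_key_file(path):
    """Stat a server key file on this host (e.g. /etc/srvtab) and report."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: not found" % path]
    return ["%s: %s" % (path, f)
            for f in key_file_findings(st.st_uid, stat.S_IMODE(st.st_mode))]
```

Calling audit_key_file("/etc/srvtab") on a v4 host (or with the v5 keytab path) returns an empty list when the key file is root-owned with no group or other permission bits set.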
The administrator should ensure that only root, or the administrator, has access rights to these files; otherwise attackers can modify them to take control of the Kerberos System. The server keys can also be viewed with the klist command by specifying the /etc/srvtab file, as seen in Listing 16-4.

Listing 16-4: The /etc/srvtab file

    rich# klist -file /etc/srvtab -srvtab
    Server key file: /etc/srvtab
    Service   Instance   Realm          Key Version
    kpop      rich       RICHWARE.COM   1
    rcmd      rich       RICHWARE.COM   1

Source: Java Security Solutions, Rich Helton and Johennie Helton, 2001, 222 pages, ISBN 0764549286.