Lesson Review


1. What are the three types of Kerberos principals?

2. What is the KDC process on Mac OS X Server?

3. What process is responsible for making changes to the Kerberos database?

4. Why can the TGT be sent in clear text from the Kerberos client back to the KDC?

5. Why is it recommended that the /var/db/krb5kdc principal file be secured?

6. What is the name of the KDC's configuration file?

7. What is the name of the configuration file of kadmind?

8. What is SASL and how is it leveraged in Open Directory?

9. What tool does Password Server use to keep the KDC in sync? What tool does the KDC use?

10. Why might an administrator choose to disable some Password Server authentication methods?

Answers

1. User (user@REALM), host (host/fqdn@REALM), and service (service/fqdn@REALM)

2. The KDC process is krb5kdc.

3. kadmin

4. The TGT is already encrypted with a key known only to the KDC. The client may pass it around in the clear because it is useless without a session key, which is never passed over the wire unencrypted.

5. It contains all of the user keys.

6. kdc.conf

7. kdc.conf

8. The Simple Authentication and Security Layer (SASL) is a standard way of negotiating secure authentication- and transport-based protocols such as LDAP and IMAP. It is used by Password Server to provide legacy authentication protocols to Mac OS X Server services.

9. kadmin.local and mkpassdb

10. Some are more secure than others. Specifically, APOP requires that the user's password be stored in clear text.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
