1456 lines
49 KiB
Plaintext
1456 lines
49 KiB
Plaintext
@c $Id: setup.texi 22191 2007-12-06 17:26:30Z lha $
|
|
|
|
@node Setting up a realm, Applications, Building and Installing, Top
|
|
|
|
@chapter Setting up a realm
|
|
|
|
A
|
|
@cindex realm
|
|
realm is an administrative domain. The name of a Kerberos realm is
|
|
usually the Internet domain name in uppercase. Call your realm the same
|
|
as your Internet domain name if you do not have strong reasons for not
|
|
doing so. It will make life easier for you and everyone else.
|
|
|
|
@menu
|
|
* Configuration file::
|
|
* Creating the database::
|
|
* Modifying the database::
|
|
* Checking the setup::
|
|
* keytabs::
|
|
* Serving Kerberos 4/524/kaserver::
|
|
* Remote administration::
|
|
* Password changing::
|
|
* Testing clients and servers::
|
|
* Slave Servers::
|
|
* Incremental propagation::
|
|
* Encryption types and salting::
|
|
* Cross realm::
|
|
* Transit policy::
|
|
* Setting up DNS::
|
|
* Using LDAP to store the database::
|
|
* Providing Kerberos credentials to servers and programs::
|
|
* Setting up PK-INIT::
|
|
@end menu
|
|
|
|
@node Configuration file, Creating the database, Setting up a realm, Setting up a realm
|
|
@section Configuration file
|
|
|
|
To setup a realm you will first have to create a configuration file:
|
|
@file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
|
|
configuration options, some of which are described here.
|
|
|
|
There is a sample @file{krb5.conf} supplied with the distribution.
|
|
|
|
The configuration file is a hierarchical structure consisting of
|
|
sections, each containing a list of bindings (either variable
|
|
assignments or subsections). A section starts with
|
|
@samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
|
|
(@samp{=}) and a right hand side (the left hand side tag must be
|
|
separated from the equal sign with some whitespace). Subsections have a
|
|
@samp{@{} as the first non-whitespace character after the equal sign. All
|
|
other bindings are treated as variable assignments. The value of a
|
|
variable extends to the end of the line.
|
|
|
|
@example
|
|
[section1]
|
|
a-subsection = @{
|
|
var = value1
|
|
other-var = value with @{@}
|
|
sub-sub-section = @{
|
|
var = 123
|
|
@}
|
|
@}
|
|
var = some other value
|
|
[section2]
|
|
var = yet another value
|
|
@end example
|
|
|
|
In this manual, names of sections and bindings will be given as strings
|
|
separated by slashes (@samp{/}). The @samp{other-var} variable will thus
|
|
be @samp{section1/a-subsection/other-var}.
|
|
|
|
For in-depth information about the contents of the configuration file, refer to
|
|
the @file{krb5.conf} manual page. Some of the more important sections
|
|
are briefly described here.
|
|
|
|
The @samp{libdefaults} section contains a list of library configuration
|
|
parameters, such as the default realm and the timeout for KDC
|
|
responses. The @samp{realms} section contains information about specific
|
|
realms, such as where they hide their KDC@. This section serves the same
|
|
purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
|
|
information. Finally the @samp{domain_realm} section contains a list of
|
|
mappings from domains to realms, equivalent to the Kerberos 4
|
|
@file{krb.realms} file.
|
|
|
|
To continue with the realm setup, you will have to create a configuration file,
|
|
with contents similar to the following.
|
|
|
|
@example
|
|
[libdefaults]
|
|
default_realm = MY.REALM
|
|
[realms]
|
|
MY.REALM = @{
|
|
kdc = my.kdc my.slave.kdc
|
|
kdc = my.third.kdc
|
|
@}
|
|
[domain_realm]
|
|
.my.domain = MY.REALM
|
|
|
|
@end example
|
|
|
|
If you use a realm name equal to your domain name, you can omit the
|
|
@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS
|
|
SRV-record for your realm, or your Kerberos server has DNS CNAME
|
|
@samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
|
|
|
|
@node Creating the database, Modifying the database, Configuration file, Setting up a realm
|
|
@section Creating the database
|
|
|
|
The database library will look for the database in the directory
|
|
@file{@value{dbdir}}, so you should probably create that directory.
|
|
Make sure the directory has restrictive permissions.
|
|
|
|
@example
|
|
# mkdir /var/heimdal
|
|
@end example
|
|
|
|
The keys of all the principals are stored in the database. If you
|
|
choose to, these can be encrypted with a master key. You do not have to
|
|
remember this key (or password), but just to enter it once and it will
|
|
be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
|
|
master key, run @samp{kstash} to create this master key:
|
|
|
|
@example
|
|
# kstash
|
|
Master key:
|
|
Verifying password - Master key:
|
|
@end example
|
|
|
|
If you want to generate a random master key you can use the
|
|
@kbd{--random-key} flag to kstash. This will make sure you have a good key
|
|
on which attackers can't do a dictionary attack.
|
|
|
|
If you have a master key, make sure you make a backup of your master
|
|
key file; without it backups of the database are of no use.
|
|
|
|
To initialise the database use the @command{kadmin} program, with the
|
|
@kbd{-l} option (to enable local database mode). First issue a
|
|
@kbd{init MY.REALM} command. This will create the database and insert
|
|
default principals for that realm. You can have more than one realm in
|
|
one database, so @samp{init} does not destroy any old database.
|
|
|
|
Before creating the database, @samp{init} will ask you some questions
|
|
about maximum ticket lifetimes.
|
|
|
|
After creating the database you should probably add yourself to it. You
|
|
do this with the @samp{add} command. It takes as argument the name of a
|
|
principal. The principal should contain a realm, so if you haven't set up
|
|
a default realm, you will need to explicitly include the realm.
|
|
|
|
@example
|
|
# kadmin -l
|
|
kadmin> init MY.REALM
|
|
Realm max ticket life [unlimited]:
|
|
Realm max renewable ticket life [unlimited]:
|
|
kadmin> add me
|
|
Max ticket life [unlimited]:
|
|
Max renewable life [unlimited]:
|
|
Attributes []:
|
|
Password:
|
|
Verifying password - Password:
|
|
@end example
|
|
|
|
Now start the KDC and try getting a ticket.
|
|
|
|
@example
|
|
# kdc &
|
|
# kinit me
|
|
me@@MY.REALMS's Password:
|
|
# klist
|
|
Credentials cache: /tmp/krb5cc_0
|
|
Principal: me@@MY.REALM
|
|
|
|
Issued Expires Principal
|
|
Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM
|
|
@end example
|
|
|
|
If you are curious you can use the @samp{dump} command to list all the
|
|
entries in the database. It should look something similar to the
|
|
following example (note that the entries here are truncated for
|
|
typographical reasons):
|
|
|
|
@smallexample
|
|
kadmin> dump
|
|
me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
|
|
kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
|
|
krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
|
|
kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
|
|
@end smallexample
|
|
|
|
@node Modifying the database, Checking the setup, Creating the database, Setting up a realm
|
|
@section Modifying the database
|
|
|
|
All modifications of principals are done with with kadmin.
|
|
|
|
A principal has several attributes and lifetimes associated with it.
|
|
|
|
Principals are added, renamed, modified, and deleted with the kadmin
|
|
commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}.
|
|
Both interactive editing and command line flags can be used (use --help
|
|
to list the available options).
|
|
|
|
There are different kinds of types for the fields in the database;
|
|
attributes, absolute time times and relative times.
|
|
|
|
@subsection Attributes
|
|
|
|
When doing interactive editing, attributes are listed with @samp{?}.
|
|
|
|
The attributes are given in a comma (@samp{,}) separated list.
|
|
Attributes are removed from the list by prefixing them with @samp{-}.
|
|
|
|
@smallexample
|
|
kadmin> modify me
|
|
Max ticket life [1 day]:
|
|
Max renewable life [1 week]:
|
|
Principal expiration time [never]:
|
|
Password expiration time [never]:
|
|
Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
|
|
kadmin> get me
|
|
Principal: me@@MY.REALM
|
|
[...]
|
|
Attributes: requires-pre-auth
|
|
@end smallexample
|
|
|
|
@subsection Absolute times
|
|
|
|
The format for absolute times are any of the following:
|
|
|
|
@smallexample
|
|
never
|
|
now
|
|
YYYY-mm-dd
|
|
YYYY-mm-dd HH:MM:SS
|
|
@end smallexample
|
|
|
|
|
|
@subsection Relative times
|
|
|
|
The format for relative times are any of the following combined:
|
|
|
|
@smallexample
|
|
N year
|
|
M month
|
|
O day
|
|
P hour
|
|
Q minute
|
|
R second
|
|
@end smallexample
|
|
|
|
@c Describe more of kadmin commands here...
|
|
|
|
@node Checking the setup, keytabs, Modifying the database, Setting up a realm
|
|
@section Checking the setup
|
|
|
|
There are two tools that can check the consistency of the Kerberos
|
|
configuration file and the Kerberos database.
|
|
|
|
The Kerberos configuration file is checked using
|
|
@command{verify_krb5_conf}. The tool checks for common errors, but
|
|
commonly there are several uncommon configuration entries that are
|
|
never added to the tool and thus generates ``unknown entry'' warnings.
|
|
This is usually nothing to worry about.
|
|
|
|
The database check is built into the kadmin tool. It will check for
|
|
common configuration error that will cause problems later. Common
|
|
check are for existence and flags on important principals. The
|
|
database check by run by the following command :
|
|
|
|
@example
|
|
kadmin check REALM.EXAMPLE.ORG
|
|
@end example
|
|
|
|
@node keytabs, Serving Kerberos 4/524/kaserver, Checking the setup, Setting up a realm
|
|
@section keytabs
|
|
|
|
To extract a service ticket from the database and put it in a keytab, you
|
|
need to first create the principal in the database with @samp{ank}
|
|
(using the @kbd{--random-key} flag to get a random key) and then
|
|
extract it with @samp{ext_keytab}.
|
|
|
|
@example
|
|
kadmin> add --random-key host/my.host.name
|
|
Max ticket life [unlimited]:
|
|
Max renewable life [unlimited]:
|
|
Attributes []:
|
|
kadmin> ext host/my.host.name
|
|
kadmin> exit
|
|
# ktutil list
|
|
Version Type Principal
|
|
1 des-cbc-md5 host/my.host.name@@MY.REALM
|
|
1 des-cbc-md4 host/my.host.name@@MY.REALM
|
|
1 des-cbc-crc host/my.host.name@@MY.REALM
|
|
1 des3-cbc-sha1 host/my.host.name@@MY.REALM
|
|
@end example
|
|
|
|
@node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm
|
|
@section Serving Kerberos 4/524/kaserver
|
|
|
|
Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
|
|
these services are turned off by default. Kerberos 4 is always
|
|
supported by the KDC, but the Kerberos 4 client support also depends
|
|
on Kerberos 4 support having been included at compile-time, using
|
|
@kbd{--with-krb4=dir}.
|
|
|
|
@subsection 524
|
|
|
|
524 is a service that allows the KDC to convert Kerberos 5 tickets to
|
|
Kerberos 4 tickets for backward compatibility. See also Using 2b
|
|
tokens with AFS in @xref{Things in search for a better place}.
|
|
|
|
524 can be turned on by adding this to the configuration file
|
|
|
|
@example
|
|
[kdc]
|
|
enable-524 = yes
|
|
@end example
|
|
|
|
@subsection Kerberos 4
|
|
|
|
Kerberos 4 is the predecessor to to Kerberos 5. It only supports
|
|
single DES@. You should only enable Kerberos 4 support if you have
|
|
needs for compatibility with an installed base of Kerberos 4
|
|
clients/servers.
|
|
|
|
Kerberos 4 can be turned on by adding this to the configuration file
|
|
|
|
@example
|
|
[kdc]
|
|
enable-kerberos4 = yes
|
|
@end example
|
|
|
|
@subsection kaserver
|
|
|
|
Kaserver is a Kerberos 4 that is used in AFS@. The protocol has some
|
|
extra features over plain Kerberos 4, but like Kerberos 4, only uses
|
|
single DES@.
|
|
|
|
You should only enable Kaserver support if you have needs for
|
|
compatibility with an installed base of AFS machines.
|
|
|
|
Kaserver can be turned on by adding this to the configuration file
|
|
|
|
@example
|
|
[kdc]
|
|
enable-kaserver = yes
|
|
@end example
|
|
|
|
@node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
|
|
@section Remote administration
|
|
|
|
The administration server, @command{kadmind}, can be started by
|
|
@command{inetd} (which isn't recommended) or run as a normal daemon. If you
|
|
want to start it from @command{inetd} you should add a line similar to the
|
|
one below to your @file{/etc/inetd.conf}.
|
|
|
|
@example
|
|
kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
|
|
@end example
|
|
|
|
You might need to add @samp{kerberos-adm} to your @file{/etc/services}
|
|
as @samp{749/tcp}.
|
|
|
|
Access to the administration server is controlled by an ACL file,
|
|
(default @file{/var/heimdal/kadmind.acl}.) The file has the following
|
|
syntax:
|
|
@smallexample
|
|
principal [priv1,priv2,...] [glob-pattern]
|
|
@end smallexample
|
|
|
|
The matching is from top to bottom for matching principals (and if given,
|
|
glob-pattern). When there is a match, the access rights of that line are
|
|
applied.
|
|
|
|
The privileges you can assign to a principal are: @samp{add},
|
|
@samp{change-password} (or @samp{cpw} for short), @samp{delete},
|
|
@samp{get}, @samp{list}, and @samp{modify}, or the special privilege
|
|
@samp{all}. All of these roughly correspond to the different commands
|
|
in @command{kadmin}.
|
|
|
|
If a @var{glob-pattern} is given on a line, it restricts the access
|
|
rights for the principal to only apply for subjects that match the
|
|
pattern. The patterns are of the same type as those used in shell
|
|
globbing, see @url{none,,fnmatch(3)}.
|
|
|
|
In the example below @samp{lha/admin} can change every principal in the
|
|
database. @samp{jimmy/admin} can only modify principals that belong to
|
|
the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
|
|
help desk, so he should only be able to change the passwords for single
|
|
component principals (ordinary users). He will not be able to change any
|
|
@samp{/admin} principal.
|
|
|
|
@example
|
|
lha/admin@@E.KTH.SE all
|
|
jimmy/admin@@E.KTH.SE all *@@E.KTH.SE
|
|
jimmy/admin@@E.KTH.SE all */*@@E.KTH.SE
|
|
mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
|
|
@end example
|
|
|
|
@node Password changing, Testing clients and servers, Remote administration, Setting up a realm
|
|
@section Password changing
|
|
|
|
To allow users to change their passwords, you should run @command{kpasswdd}.
|
|
It is not run from @command{inetd}.
|
|
|
|
You might need to add @samp{kpasswd} to your @file{/etc/services} as
|
|
@samp{464/udp}.
|
|
|
|
@subsection Password quality assurance
|
|
|
|
It is important that users have good passwords, both to make it harder
|
|
to guess them and to avoid off-line attacks (although
|
|
pre-authentication provides some defence against off-line attacks).
|
|
To ensure that the users choose good passwords, you can enable
|
|
password quality controls in @command{kpasswdd} and @command{kadmind}.
|
|
The controls themselves are done in a shared library or an external
|
|
program that is used by @command{kpasswdd}. To configure in these
|
|
controls, add lines similar to the following to your
|
|
@file{/etc/krb5.conf}:
|
|
|
|
@example
|
|
[password_quality]
|
|
policies = external-check builtin:minimum-length module:policyname
|
|
external_program = /bin/false
|
|
policy_libraries = @var{library1.so} @var{library2.so}
|
|
@end example
|
|
|
|
In @samp{[password_quality]policies} the module name is optional if
|
|
the policy name is unique in all modules (members of
|
|
@samp{policy_libraries}).
|
|
|
|
The built-in polices are
|
|
|
|
@itemize @bullet
|
|
|
|
@item external-check
|
|
|
|
Executes the program specified by @samp{[password_quality]external_program}.
|
|
|
|
A number of key/value pairs are passed as input to the program, one per
|
|
line, ending with the string @samp{end}. The key/value lines are of
|
|
the form
|
|
@example
|
|
principal: @var{principal}
|
|
new-password: @var{password}
|
|
@end example
|
|
where @var{password} is the password to check for the previous
|
|
@var{principal}.
|
|
|
|
If the external application approves the password, it should return
|
|
@samp{APPROVED} on standard out and exit with exit code 0. If it
|
|
doesn't approve the password, an one line error message explaining the
|
|
problem should be returned on standard error and the application
|
|
should exit with exit code 0. In case of a fatal error, the
|
|
application should, if possible, print an error message on standard
|
|
error and exit with a non-zero error code.
|
|
|
|
@item minimum-length
|
|
|
|
The minimum length password quality check reads the configuration file
|
|
stanza @samp{[password_quality]min_length} and requires the password
|
|
to be at least this length.
|
|
|
|
@item character-class
|
|
|
|
The character-class password quality check reads the configuration
|
|
file stanza @samp{[password_quality]min_classes}. The policy requires
|
|
the password to have characters from at least that many character
|
|
classes. Default value if not given is 3.
|
|
|
|
The four different characters classes are, uppercase, lowercase,
|
|
number, special characters.
|
|
|
|
@end itemize
|
|
|
|
If you want to write your own shared object to check password
|
|
policies, see the manual page @manpage{kadm5_pwcheck,3}.
|
|
|
|
Code for a password quality checking function that uses the cracklib
|
|
library can be found in @file{lib/kadm5/sample_password_check.c} in
|
|
the source code distribution. It requires that the cracklib library
|
|
be built with the patch available at
|
|
@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
|
|
|
|
A sample policy external program is included in
|
|
@file{lib/kadm5/check-cracklib.pl}.
|
|
|
|
If no password quality checking function is configured, the only check
|
|
performed is that the password is at least six characters long.
|
|
|
|
To check the password policy settings, use the command
|
|
@command{password-quality} in @command{kadmin} program. The password
|
|
verification is only performed locally, on the client. It may be
|
|
convenient to set the environment variable @samp{KRB5_CONFIG} to point
|
|
to a test version of @file{krb5.conf} while you're testing the
|
|
@samp{[password_quality]} stanza that way.
|
|
|
|
@node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
|
|
@section Testing clients and servers
|
|
|
|
Now you should be able to run all the clients and servers. Refer to the
|
|
appropriate man pages for information on how to use them.
|
|
|
|
@node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
|
|
@section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
|
|
|
|
It is desirable to have at least one backup (slave) server in case the
|
|
master server fails. It is possible to have any number of such slave
|
|
servers but more than three usually doesn't buy much more redundancy.
|
|
|
|
All Kerberos servers for a realm must have the same database so that
|
|
they present the same service to the users. The
|
|
@pindex hprop
|
|
@command{hprop} program, running on the master, will propagate the database
|
|
to the slaves, running
|
|
@pindex hpropd
|
|
@command{hpropd} processes.
|
|
|
|
Every slave needs a database directory, the master key (if it was used
|
|
for the database) and a keytab with the principal
|
|
@samp{hprop/@var{hostname}}. Add the principal with the
|
|
@pindex ktutil
|
|
@command{ktutil} command and start
|
|
@pindex hpropd
|
|
@command{hpropd}, as follows:
|
|
|
|
@example
|
|
slave# ktutil get -p foo/admin hprop/`hostname`
|
|
slave# mkdir /var/heimdal
|
|
slave# hpropd
|
|
@end example
|
|
|
|
The master will use the principal @samp{kadmin/hprop} to authenticate to
|
|
the slaves. This principal should be added when running @kbd{kadmin -l
|
|
init} but if you do not have it in your database for whatever reason,
|
|
please add it with @kbd{kadmin -l add}.
|
|
|
|
Then run
|
|
@pindex hprop
|
|
@code{hprop} on the master:
|
|
|
|
@example
|
|
master# hprop slave
|
|
@end example
|
|
|
|
This was just an hands-on example to make sure that everything was
|
|
working properly. Doing it manually is of course the wrong way, and to
|
|
automate this you will want to start
|
|
@pindex hpropd
|
|
@command{hpropd} from @command{inetd} on the slave(s) and regularly run
|
|
@pindex hprop
|
|
@command{hprop} on the master to regularly propagate the database.
|
|
Starting the propagation once an hour from @command{cron} is probably a
|
|
good idea.
|
|
|
|
@node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
|
|
@section Incremental propagation
|
|
|
|
There is also a newer, and still somewhat experimental, mechanism for
|
|
doing incremental propagation in Heimdal. Instead of sending the whole
|
|
database regularly, it sends the changes as they happen on the master to
|
|
the slaves. The master keeps track of all the changes by assigning a
|
|
version number to every change to the database. The slaves know which
|
|
was the latest version they saw and in this way it can be determined if
|
|
they are in sync or not. A log of all the changes is kept on the master,
|
|
and when a slave is at an older version than the oldest one in the
|
|
log, the whole database has to be sent.
|
|
|
|
Protocol-wise, all the slaves connect to the master and as a greeting
|
|
tell it the latest version that they have (@samp{IHAVE} message). The
|
|
master then responds by sending all the changes between that version and
|
|
the current version at the master (a series of @samp{FORYOU} messages)
|
|
or the whole database in a @samp{TELLYOUEVERYTHING} message. There is
|
|
also a keep-alive protocol that makes sure all slaves are up and running.
|
|
|
|
@subsection Configuring incremental propagation
|
|
|
|
The program that runs on the master is @command{ipropd-master} and all
|
|
clients run @command{ipropd-slave}.
|
|
|
|
Create the file @file{/var/heimdal/slaves} on the master containing all
|
|
the slaves that the database should be propagated to. Each line contains
|
|
the full name of the principal (for example
|
|
@samp{iprop/hemligare.foo.se@@FOO.SE}).
|
|
|
|
You should already have @samp{iprop/tcp} defined as 2121, in your
|
|
@file{/etc/services}. Otherwise, or if you need to use a different port
|
|
for some peculiar reason, you can use the @kbd{--port} option. This is
|
|
useful when you have multiple realms to distribute from one server.
|
|
|
|
Then you need to create those principals that you added in the
|
|
configuration file. Create one @samp{iprop/hostname} for the master and
|
|
for every slave.
|
|
|
|
|
|
@example
|
|
master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
|
|
@end example
|
|
|
|
The next step is to start the @command{ipropd-master} process on the master
|
|
server. The @command{ipropd-master} listens on the UNIX domain socket
|
|
@file{/var/heimdal/signal} to know when changes have been made to the
|
|
database so they can be propagated to the slaves. There is also a
|
|
safety feature of testing the version number regularly (every 30
|
|
seconds) to see if it has been modified by some means that do not raise
|
|
this signal. Then, start @command{ipropd-slave} on all the slaves:
|
|
|
|
@example
|
|
master# /usr/heimdal/libexec/ipropd-master &
|
|
slave# /usr/heimdal/libexec/ipropd-slave master &
|
|
@end example
|
|
|
|
To manage the iprop log file you should use the @command{iprop-log}
|
|
command. With it you can dump, truncate and replay the logfile.
|
|
|
|
@node Encryption types and salting, Cross realm, Incremental propagation, Setting up a realm
|
|
@section Encryption types and salting
|
|
@cindex Salting
|
|
@cindex Encryption types
|
|
|
|
The encryption types that the KDC is going to assign by default is
|
|
possible to change. Since the keys used for user authentication is
|
|
salted the encryption types are described together with the salt
|
|
strings.
|
|
|
|
Salting is used to make it harder to pre-calculate all possible
|
|
keys. Using a salt increases the search space to make it almost
|
|
impossible to pre-calculate all keys. Salting is the process of mixing a
|
|
public string (the salt) with the password, then sending it through an
|
|
encryption type specific string-to-key function that will output the
|
|
fixed size encryption key.
|
|
|
|
In Kerberos 5 the salt is determined by the encryption type, except in
|
|
some special cases.
|
|
|
|
In @code{des} there is the Kerberos 4 salt
|
|
(none at all) or the afs-salt (using the cell (realm in
|
|
AFS lingo)).
|
|
|
|
In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
|
|
there is no salt. This is to be compatible with NTLM keys in Windows
|
|
NT 4.
|
|
|
|
@code{[kadmin]default_keys} in @file{krb5.conf} controls
|
|
what salting to use.
|
|
|
|
The syntax of @code{[kadmin]default_keys} is
|
|
@samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
|
|
type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
|
|
@code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
|
|
salt-string is the string that will be used as salt (remember that if
|
|
the salt is appended/prepended, the empty salt "" is the same thing as
|
|
no salt at all).
|
|
|
|
Common types of salting include
|
|
|
|
@itemize @bullet
|
|
@item @code{v4} (or @code{des:pw-salt:})
|
|
|
|
The Kerberos 4 salting is using no salt at all. Reason there is colon
|
|
at the end of the salt string is that it makes the salt the empty
|
|
string (same as no salt).
|
|
|
|
@item @code{v5} (or @code{pw-salt})
|
|
|
|
@code{pw-salt} uses the default salt for each encryption type is
|
|
specified for. If the encryption type @samp{etype} isn't given, all
|
|
default encryption will be used.
|
|
|
|
@item @code{afs3-salt}
|
|
|
|
@code{afs3-salt} is the salt that is used with Transarc kaserver. It's
|
|
the cell name appended to the password.
|
|
|
|
@end itemize
|
|
|
|
@node Cross realm, Transit policy, Encryption types and salting, Setting up a realm
|
|
@section Cross realm
|
|
@cindex Cross realm
|
|
|
|
Suppose you reside in the realm @samp{MY.REALM}, how do you
|
|
authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
|
|
@samp{MY.REALM} allows you to communicate with Kerberised services in that
|
|
realm. However, the computer in the other realm does not have a secret
|
|
key shared with the Kerberos server in your realm.
|
|
|
|
It is possible to share keys between two realms that trust each
|
|
other. When a client program, such as @command{telnet} or @command{ssh},
|
|
finds that the other computer is in a different realm, it will try to
|
|
get a ticket granting ticket for that other realm, but from the local
|
|
Kerberos server. With that ticket granting ticket, it will then obtain
|
|
service tickets from the Kerberos server in the other realm.
|
|
|
|
For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM}
|
|
add the following principals to each realm. The principals should be
|
|
@samp{krbtgt/OTHER.REALM@@MY.REALM} and
|
|
@samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and
|
|
@samp{krbtgt/MY.REALM@@OTHER.REALM} and
|
|
@samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}.
|
|
|
|
In Kerberos 5 the trust can be configured to be one way. So that
|
|
users from @samp{MY.REALM} can authenticate to services in
|
|
@samp{OTHER.REALM}, but not the opposite. In the example above, the
|
|
@samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed.
|
|
|
|
The two principals must have the same key, key version number, and the
|
|
same set of encryption types. Remember to transfer the two keys in a
|
|
safe manner.
|
|
|
|
@example
|
|
vr$ klist
|
|
Credentials cache: FILE:/tmp/krb5cc_913.console
|
|
Principal: lha@@E.KTH.SE
|
|
|
|
Issued Expires Principal
|
|
May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
|
|
|
|
vr$ telnet -l lha hummel.it.su.se
|
|
Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
|
|
Connected to hummel.it.su.se.
|
|
Escape character is '^]'.
|
|
Waiting for encryption to be negotiated...
|
|
[ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ]
|
|
[ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ]
|
|
Encryption negotiated.
|
|
Last login: Sat May 3 14:11:47 from vr.l.nxs.se
|
|
hummel$ exit
|
|
|
|
vr$ klist
|
|
Credentials cache: FILE:/tmp/krb5cc_913.console
|
|
Principal: lha@@E.KTH.SE
|
|
|
|
Issued Expires Principal
|
|
May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
|
|
May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE
|
|
May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
|
|
|
|
@end example
|
|
|
|
@node Transit policy, Setting up DNS, Cross realm, Setting up a realm
|
|
@section Transit policy
|
|
@cindex Transit policy
|
|
|
|
If you want to use cross realm authentication through an intermediate
|
|
realm, it must be explicitly allowed by either the KDCs or the server
|
|
receiving the request. This is done in @file{krb5.conf} in the
|
|
@code{[capaths]} section.
|
|
|
|
When the ticket transits through a realm to another realm, the
|
|
destination realm adds its peer to the "transited-realms" field in the
|
|
ticket. The field is unordered, since there is no way to know if
|
|
know if one of the transited-realms changed the order of the list.
|
|
|
|
The syntax for @code{[capaths]} section:
|
|
|
|
@example
|
|
[capaths]
|
|
CLIENT-REALM = @{
|
|
SERVER-REALM = PERMITTED-CROSS-REALMS ...
|
|
@}
|
|
@end example
|
|
|
|
The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and
|
|
@code{DSV.SU.SE} to cross it. Since @code{STACKEN.KTH.SE} only has
|
|
direct cross realm setup with @code{KTH.SE}, and @code{DSV.SU.SE} only
|
|
has direct cross realm setup with @code{SU.SE} they need to use both
|
|
@code{SU.SE} and @code{KTH.SE} as transit realms.
|
|
|
|
@example
|
|
[capaths]
|
|
SU.SE = @{
|
|
STACKEN.KTH.SE = KTH.SE
|
|
@}
|
|
DSV.SU.SE = @{
|
|
STACKEN.KTH.SE = SU.SE KTH.SE
|
|
@}
|
|
|
|
@end example
|
|
|
|
The order of the @code{PERMITTED-CROSS-REALMS} is not important when
|
|
doing transit cross realm verification.
|
|
|
|
However, the order is important when the @code{[capaths]} section is used
|
|
to figure out the intermediate realm to go to when doing multi-realm
|
|
transit. When figuring out the next realm, the first realm of the list
|
|
of @code{PERMITTED-CROSS-REALMS} is chosen. This is done in both the
|
|
client kerberos library and the KDC.
|
|
|
|
@c To test the cross realm configuration, use:
|
|
@c kmumble transit-check client server transit-realms ...
|
|
|
|
@node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
|
|
@section Setting up DNS
|
|
@cindex Setting up DNS
|
|
|
|
@subsection Using DNS to find KDC
|
|
|
|
If there is information about where to find the KDC or kadmind for a
|
|
realm in the @file{krb5.conf} for a realm, that information will be
|
|
preferred, and DNS will not be queried.
|
|
|
|
Heimdal will try to use DNS to find the KDCs for a realm. First it
|
|
will try to find a @code{SRV} resource record (RR) for the realm. If no
|
|
SRV RRs are found, it will fall back to looking for an @code{A} RR for
|
|
a machine named kerberos.REALM, and then kerberos-1.REALM, etc
|
|
|
|
Adding this information to DNS minimises the client configuration (in
|
|
the common case, resulting in no configuration needed) and allows the
|
|
system administrator to change the number of KDCs and on what machines
|
|
they are running without caring about clients.
|
|
|
|
The downside of using DNS is that the client might be fooled to use the
|
|
wrong server if someone fakes DNS replies/data, but storing the IP
|
|
addresses of the KDC on all the clients makes it very hard to change
|
|
the infrastructure.
|
|
|
|
An example of the configuration for the realm @code{EXAMPLE.COM}:
|
|
|
|
@example
|
|
|
|
$ORIGIN example.com.
|
|
_kerberos._tcp SRV 10 1 88 kerberos.example.com.
|
|
_kerberos._udp SRV 10 1 88 kerberos.example.com.
|
|
_kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
|
|
_kerberos._udp SRV 10 1 88 kerberos-1.example.com.
|
|
_kpasswd._udp SRV 10 1 464 kerberos.example.com.
|
|
_kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
|
|
|
|
@end example
|
|
|
|
More information about DNS SRV resource records can be found in
|
|
RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
|
|
|
|
@subsection Using DNS to map hostname to Kerberos realm
|
|
|
|
Heimdal also supports a way to lookup a realm from a hostname. This to
|
|
minimise configuration needed on clients. Using this has the drawback
|
|
that clients can be redirected by an attacker to realms within the
|
|
same cross realm trust and made to believe they are talking to the
|
|
right server (since Kerberos authentication will succeed).
|
|
|
|
An example configuration that informs clients that for the realms
|
|
it.example.com and srv.example.com, they should use the realm
|
|
EXAMPLE.COM:
|
|
|
|
@example
|
|
|
|
$ORIGIN example.com.
|
|
_kerberos.it TXT "EXAMPLE.COM"
|
|
_kerberos.srv TXT "EXAMPLE.COM"
|
|
|
|
@end example
|
|
|
|
@node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
|
|
@section Using LDAP to store the database
|
|
@cindex Using the LDAP backend
|
|
|
|
This document describes how to install the LDAP backend for
|
|
Heimdal. Note that before attempting to configure such an
|
|
installation, you should be aware of the implications of storing
|
|
private information (such as users' keys) in a directory service
|
|
primarily designed for public information. Nonetheless, with a
|
|
suitable authorisation policy, it is possible to set this up in a
|
|
secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to
|
|
install this backend. The HDB schema was devised by Leif Johansson.
|
|
|
|
Requirements:
|
|
|
|
@itemize @bullet
|
|
|
|
@item
|
|
A current release of Heimdal, configured with
|
|
@code{--with-openldap=/usr/local} (adjust according to where you have
|
|
installed OpenLDAP).
|
|
|
|
You can verify that you manage to configure LDAP support by running
|
|
@file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
|
|
in the list.
|
|
|
|
Its also possible to configure the ldap backend as a shared module,
|
|
see option --hdb-openldap-module to configure.
|
|
|
|
@item
|
|
OpenLDAP 2.0.x. Configure OpenLDAP with @kbd{--enable-local} to enable the
|
|
local transport. (A patch to support SASL EXTERNAL authentication is
|
|
necessary in order to use OpenLDAP 2.1.x.)
|
|
|
|
@item
|
|
Add the hdb schema to the LDAP server, it's included in the source-tree
|
|
in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
|
|
|
|
@example
|
|
include /usr/local/etc/openldap/schema/hdb.schema
|
|
@end example
|
|
|
|
@item
|
|
Configure the LDAP server ACLs to accept writes from clients over the
|
|
local transport. For example:
|
|
|
|
@example
|
|
access to *
|
|
by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write
|
|
...
|
|
|
|
sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
|
|
"uid=heimdal,dc=services,dc=example,dc=com"
|
|
|
|
@end example
|
|
|
|
The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
|
|
a tree. The user that the key is mapped to should be have a
|
|
krb5Principal aux object with krb5PrincipalName set so that the
|
|
``creator'' and ``modifier'' is right in @file{kadmin}.
|
|
|
|
Another option is to create an admins group and add the dn to that
|
|
group.
|
|
|
|
Since Heimdal talks to the LDAP server over a UNIX domain socket, and
|
|
uses external sasl authentication, it's not possible to require
|
|
security layer quality (ssf in cyrus-sasl lingo). So that requirement
|
|
has to be turned off in OpenLDAP @command{slapd} configuration file
|
|
@file{slapd.conf}.
|
|
|
|
@example
|
|
sasl-secprops minssf=0
|
|
@end example
|
|
|
|
@item
|
|
|
|
Start @command{slapd} with the local listener (as well as the default TCP/IP
|
|
listener on port 389) as follows:
|
|
|
|
@example
|
|
slapd -h "ldapi:/// ldap:///"
|
|
@end example
|
|
|
|
Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key
|
|
binary attribute on shutdown. This may be related to our use of the V3
|
|
schema definition syntax instead of the old UMich-style, V2 syntax.
|
|
|
|
@item
|
|
You should specify the distinguished name under which your
|
|
principals will be stored in @file{krb5.conf}. Also you need to
|
|
enter the path to the kadmin acl file:
|
|
|
|
|
|
@example
|
|
[kdc]
|
|
database = @{
|
|
dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
|
|
hdb-ldap-structural-object = inetOrgPerson
|
|
acl_file = /path/to/kadmind.acl
|
|
mkey_file = /path/to/mkey
|
|
@}
|
|
@end example
|
|
|
|
@samp{mkey_file} can be excluded if you feel that you trust your ldap
|
|
directory to have the raw keys inside it. The
|
|
hdb-ldap-structural-object is not necessary if you do not need Samba
|
|
comatibility.
|
|
|
|
|
|
|
|
@item
|
|
Once you have built Heimdal and started the LDAP server, run kadmin
|
|
(as usual) to initialise the database. Note that the instructions for
|
|
stashing a master key are as per any Heimdal installation.
|
|
|
|
@example
|
|
kdc# kadmin -l
|
|
kadmin> init EXAMPLE.COM
|
|
Realm max ticket life [unlimited]:
|
|
Realm max renewable ticket life [unlimited]:
|
|
kadmin> ank lukeh
|
|
Max ticket life [1 day]:
|
|
Max renewable life [1 week]:
|
|
Principal expiration time [never]:
|
|
Password expiration time [never]:
|
|
Attributes []:
|
|
lukeh@@EXAMPLE.COM's Password:
|
|
Verifying password - lukeh@@EXAMPLE.COM's Password:
|
|
kadmin> exit
|
|
@end example
|
|
|
|
Verify that the principal database has indeed been stored in the
|
|
directory with the following command:
|
|
|
|
@example
|
|
kdc# ldapsearch -L -h localhost -D cn=manager \
|
|
-w secret -b ou=KerberosPrincipals,dc=example,dc=com \
|
|
'objectclass=krb5KDCEntry'
|
|
@end example
|
|
|
|
@item
|
|
Now consider adding indexes to the database to speed up the access, at
|
|
least theses should be added to slapd.conf.
|
|
|
|
@example
|
|
index objectClass eq
|
|
index cn eq,sub,pres
|
|
index uid eq,sub,pres
|
|
index displayName eq,sub,pres
|
|
index krb5PrincipalName eq
|
|
@end example
|
|
|
|
@end itemize
|
|
|
|
@subsection Troubleshooting guide
|
|
|
|
@url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide}
|
|
|
|
|
|
@subsection Using Samba LDAP password database
|
|
@cindex Samba
|
|
|
|
@c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
|
|
@c @section Using Samba LDAP password database
|
|
|
|
The Samba domain and the Kerberos realm can have different names since
|
|
arcfour's string to key functions principal/realm independent. So now
|
|
will be your first and only chance name your Kerberos realm without
|
|
needing to deal with old configuration files.
|
|
|
|
First, you should set up Samba and get that working with LDAP backend.
|
|
|
|
Now you can proceed as in @xref{Using LDAP to store the database}.
|
|
Heimdal will pick up the Samba LDAP entries if they are in the same
|
|
search space as the Kerberos entries.
|
|
|
|
@node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
|
|
@section Providing Kerberos credentials to servers and programs
|
|
|
|
Some services require Kerberos credentials when they start to make
|
|
connections to other services or need to use them when they have started.
|
|
|
|
The easiest way to get tickets for a service is to store the key in a
|
|
keytab. Both ktutil get and kadmin ext can be used to get a
|
|
keytab. ktutil get is better in that way it changes the key/password
|
|
for the user. This is also the problem with ktutil. If ktutil is used
|
|
for the same service principal on several hosts, they keytab will only
|
|
be useful on the last host. In that case, run the extract command on
|
|
one host and then securely copy the keytab around to all other hosts
|
|
that need it.
|
|
|
|
@example
|
|
host# ktutil -k /etc/krb5-service.keytab \
|
|
get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
|
|
lha/admin@@EXAMPLE.ORG's Password:
|
|
@end example
|
|
|
|
To get a Kerberos credential file for the service, use kinit in the
|
|
@kbd{--keytab} mode. This will not ask for a password but instead fetch the
|
|
key from the keytab.
|
|
|
|
@example
|
|
service@@host$ kinit --cache=/var/run/service_krb5_cache \
|
|
--keytab=/etc/krb5-service.keytab \
|
|
service-principal@@EXAMPLE.ORG
|
|
@end example
|
|
|
|
Long running services might need credentials longer then the
|
|
expiration time of the tickets. kinit can run in a mode that refreshes
|
|
the tickets before they expire. This is useful for services that write
|
|
into AFS and other distributed file systems using Kerberos. To run the
|
|
long running script, just append the program and arguments (if any)
|
|
after the principal. kinit will stop refreshing credentials and remove
|
|
the credentials when the script-to-start-service exits.
|
|
|
|
@example
|
|
service@@host$ kinit --cache=/var/run/service_krb5_cache \
|
|
--keytab=/etc/krb5-service.keytab \
|
|
service-principal@@EXAMPLE.ORG \
|
|
script-to-start-service argument1 argument2
|
|
@end example
|
|
|
|
|
|
@node Setting up PK-INIT, , Providing Kerberos credentials to servers and programs, Setting up a realm
|
|
@section Setting up PK-INIT
|
|
|
|
PK-INIT is levering the existing PKI infrastructure to use
|
|
certificates to get the initial ticket, that is usually the krbtgt.
|
|
|
|
To use PK-INIT you must first have a PKI, so if you don't have one,
|
|
it is time to create it. Note that you should read the whole chapter
|
|
of the document to see the requirements on the CA software.
|
|
|
|
There needs to exist a mapping between the certificate and what
|
|
principals that certificate is allowed to use. There are several ways
|
|
to do this. The administrator can use a configuration file, storing
|
|
the principal in the SubjectAltName extension of the certificate, or store the
|
|
mapping in the principals entry in the kerberos database.
|
|
|
|
@section Certificates
|
|
|
|
This section documents the requirements on the KDC and client
|
|
certificates and the format used in the id-pkinit-san OtherName
|
|
extention.
|
|
|
|
@subsection KDC certificate
|
|
|
|
The certificate for the KDC have serveral requirements.
|
|
|
|
First the certificate should have an Extended Key Usage (EKU)
|
|
id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second there must be a
|
|
subjectAltName otherName using oid id-pkinit-san (1.3.6.1.5.2.2) in
|
|
the type field and a DER encoded KRB5PrincipalName that matches the
|
|
name of the TGS of the target realm.
|
|
|
|
Both of these two requirements are not required by the standard to be
|
|
checked by the client if it have external information what the
|
|
certificate the KDC is supposed to be used. So it's in the interest of
|
|
minimum amount of configuration on the clients they should be included.
|
|
|
|
Remember that if the client would accept any certificate as the KDC's
|
|
certificate, the client could be fooled into trusting something that
|
|
isn't a KDC and thus expose the user to giving away information (like
|
|
password or other private information) that it is supposed to secret.
|
|
|
|
Also, if the certificate has a nameConstraints extention with a
|
|
Generalname with dNSName or iPAdress it must match the hostname or
|
|
adress of the KDC.
|
|
|
|
@subsection Client certificate
|
|
|
|
The client certificate may need to have a EKU id-pkekuoid
|
|
(1.3.6.1.5.2.3.4) set depending on the certifiate on the KDC.
|
|
|
|
It possible to store the principal (if allowed by the KDC) in the
|
|
certificate and thus delegate responsibility to do the mapping between
|
|
certificates and principals to the CA.
|
|
|
|
@subsubsection Using KRB5PrincipalName in id-pkinit-san
|
|
|
|
OtherName extention in the GeneralName is used to do the
|
|
mapping between certifiate and principal in the certifiate or storing
|
|
the krbtgt principal in the KDC certificate.
|
|
|
|
The principal is stored in a SubjectAltName in the certificate using
|
|
OtherName. The oid in the type is id-pkinit-san.
|
|
|
|
@example
|
|
id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
|
|
internet (1) security (5) kerberosv5 (2) 2 @}
|
|
@end example
|
|
|
|
The data part of the OtherName is filled with the following DER
|
|
encoded ASN.1 structure:
|
|
|
|
@example
|
|
KRB5PrincipalName ::= SEQUENCE @{
|
|
realm [0] Realm,
|
|
principalName [1] PrincipalName
|
|
@}
|
|
@end example
|
|
|
|
where Realm and PrincipalName is defined by the Kerberos ASN.1 specification.
|
|
|
|
@section Naming certificate using hx509
|
|
|
|
hx509 is the X.509 software used in Heimdal to handle
|
|
certificates. hx509 uses different syntaxes to specify the different
|
|
formats the certificates are stored in and what formats they exist in.
|
|
|
|
There are several formats that can be used, PEM, embedded into PKCS12
|
|
files, embedded into PKCS11 devices and raw DER encoded certificates.
|
|
Below is a list of types to use.
|
|
|
|
|
|
@table @asis
|
|
|
|
@item DIR:
|
|
|
|
DIR is reading all certificates in a directory that is DER or PEM
|
|
formatted.
|
|
|
|
The main feature of DIR is that the directory is read on demand when
|
|
iterating over certificates, that way applictions can for some cases
|
|
avoid to store all certificates in memory. It's very useful for tests
|
|
that iterate over larger amount of certificates.
|
|
|
|
Syntax is:
|
|
|
|
@example
|
|
DIR:/path/to/der/files
|
|
@end example
|
|
|
|
@item FILE:
|
|
|
|
FILE: is used to have the lib pick up a certificate chain and a
|
|
private key. The file can be either a PEM (openssl) file or a raw DER
|
|
encoded certificate. If it's a PEM file it can contain several keys and
|
|
certificates and the code will try to match the private key and
|
|
certificate together.
|
|
|
|
Its useful to have one PEM file that contains all the trust anchors.
|
|
|
|
Syntax is:
|
|
|
|
@example
|
|
FILE:certificate.pem,private-key.key,other-cert.pem,....
|
|
@end example
|
|
|
|
@item PKCS11:
|
|
|
|
PKCS11: is used to handle smartcards via PKCS11 drivers, for example
|
|
soft-token, opensc, or muscle. The default is to use all slots on the
|
|
device/token.
|
|
|
|
Syntax is:
|
|
|
|
@example
|
|
PKCS11:shared-object.so
|
|
@end example
|
|
|
|
@item PKCS12:
|
|
|
|
PKCS12: is used to handle PKCS12 files. PKCS12 files commonly have the
|
|
extension pfx or p12.
|
|
|
|
Syntax is:
|
|
|
|
@example
|
|
PKCS12:/path/to/file.pfx
|
|
@end example
|
|
|
|
@end table
|
|
|
|
@section Configure the Kerberos software
|
|
|
|
First configure the client's trust anchors and what parameters to
|
|
verify, see subsection below how to do that. Now you can use kinit to
|
|
get yourself tickets. One example how that can look like is:
|
|
|
|
@example
|
|
$ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
|
|
Enter your private key passphrase:
|
|
: lha@@nutcracker ; klist
|
|
Credentials cache: FILE:/tmp/krb5cc_19100a
|
|
Principal: lha@@EXAMPLE.ORG
|
|
|
|
Issued Expires Principal
|
|
Apr 20 02:08:08 Apr 20 12:08:08 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
|
|
@end example
|
|
|
|
Using PKCS11 it can look like this instead:
|
|
|
|
@example
|
|
$ kinit -C PKCS11:/tmp/pkcs11/lib/soft-pkcs11.so lha@@EXAMPLE.ORG
|
|
PIN code for SoftToken (slot):
|
|
$ klist
|
|
Credentials cache: API:4
|
|
Principal: lha@@EXAMPLE.ORG
|
|
|
|
Issued Expires Principal
|
|
Mar 26 23:40:10 Mar 27 09:40:10 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
|
|
@end example
|
|
|
|
|
|
Write about the kdc.
|
|
|
|
@section Configure the client
|
|
|
|
@example
|
|
[appdefaults]
|
|
pkinit_anchors = FILE:/path/to/trust-anchors.pem
|
|
|
|
[realms]
|
|
EXAMPLE.COM = @{
|
|
pkinit_require_eku = true
|
|
pkinit_require_krbtgt_otherName = true
|
|
pkinit_win2k = no
|
|
pkinit_win2k_require_binding = yes
|
|
@}
|
|
|
|
@end example
|
|
|
|
@section Configure the KDC
|
|
|
|
@example
|
|
[kdc]
|
|
enable-pkinit = yes
|
|
pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
|
|
pkinit_anchors = FILE:/path/to/trust-anchors.pem
|
|
pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
|
|
pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
|
|
pkinit_allow_proxy_certificate = false
|
|
pkinit_win2k_require_binding = yes
|
|
@end example
|
|
|
|
@subsection Using pki-mapping file
|
|
|
|
Note that the file name is space sensitive.
|
|
|
|
@example
|
|
# cat /var/heimdal/pki-mapping
|
|
# comments starts with #
|
|
lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
|
|
lha@@EXAMPLE.ORG:CN=Love,UID=lha
|
|
@end example
|
|
|
|
@subsection Using the Kerberos database
|
|
|
|
@section Use hxtool to create certificates
|
|
|
|
@subsection Generate certificates
|
|
|
|
First you need to generate a CA certificate, change the --subject to
|
|
something appropriate, the CA certificate will be valid for 10 years.
|
|
|
|
You need to change --subject in the command below.
|
|
|
|
@example
|
|
hxtool issue-certificate \
|
|
--self-signed \
|
|
--issue-ca \
|
|
--generate-key=rsa \
|
|
--subject="CN=CA,DC=test,DC=h5l,DC=se" \
|
|
--lifetime=10years \
|
|
--certificate="FILE:ca.pem"
|
|
@end example
|
|
|
|
The KDC needs to have a certificate, so generate a certificate of the
|
|
type ``pkinit-kdc'' and set the PK-INIT specifial SubjectAltName to the
|
|
name of the krbtgt of the realm.
|
|
|
|
You need to change --subject and --pk-init-principal in the command below.
|
|
|
|
@example
|
|
hxtool issue-certificate \
|
|
--ca-certificate=FILE:ca.pem \
|
|
--generate-key=rsa \
|
|
--type="pkinit-kdc" \
|
|
--pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
|
|
--subject="uid=kdc,DC=test,DC=h5l,DC=se" \
|
|
--certificate="FILE:kdc.pem"
|
|
@end example
|
|
|
|
The users also needs to have a certificate, so generate a certificate
|
|
of the type ``pkinit-client''. The client doesn't need to have the PK-INIT
|
|
SubjectAltName set, you can have the Subject DN in the ACL file
|
|
(pki-mapping) instead.
|
|
|
|
You need to change --subject and --pk-init-principal in the command below.
|
|
|
|
@example
|
|
hxtool issue-certificate \
|
|
--ca-certificate=FILE:ca.pem \
|
|
--generate-key=rsa \
|
|
--type="pkinit-client" \
|
|
--pk-init-principal="lha@@TEST.H5L.SE" \
|
|
--subject="uid=lha,DC=test,DC=h5l,DC=se" \
|
|
--certificate="FILE:user.pem"
|
|
@end example
|
|
|
|
@subsection Validate the certificate
|
|
|
|
hxtool also contains a tool that will validate certificates according to
|
|
rules from the PKIX document. These checks are not complete, but a good test
|
|
to check if you got all of the basic bits right in your certificates.
|
|
|
|
@example
|
|
hxtool validate FILE:user.pem
|
|
@end example
|
|
|
|
@section Use OpenSSL to create certificates
|
|
|
|
This section tries to give the CA owners hints how to create
|
|
certificates using OpenSSL (or CA software based on OpenSSL).
|
|
|
|
@subsection Using OpenSSL to create certificates with krb5PrincipalName
|
|
|
|
To make OpenSSL create certificates with krb5PrincipalName use
|
|
@file{openssl.cnf} as described below. To see a complete example of
|
|
creating client and KDC certificates, see the test-data generation
|
|
script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
|
|
certicates it creates are used to test the PK-INIT functionality in
|
|
@file{tests/kdc/check-kdc.in}.
|
|
|
|
To use this example you have to use OpenSSL 0.9.8a or later.
|
|
|
|
@example
|
|
|
|
[user_certificate]
|
|
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
|
|
|
|
[princ_name]
|
|
realm = EXP:0, GeneralString:MY.REALM
|
|
principal_name = EXP:1, SEQUENCE:principal_seq
|
|
|
|
[principal_seq]
|
|
name_type = EXP:0, INTEGER:1
|
|
name_string = EXP:1, SEQUENCE:principals
|
|
|
|
[principals]
|
|
princ1 = GeneralString:userid
|
|
|
|
@end example
|
|
|
|
Command usage
|
|
|
|
@example
|
|
openssl x509 -extensions user_certificate
|
|
openssl ca -extensions user_certificate
|
|
@end example
|
|
|
|
|
|
@c --- ms certificate
|
|
@c
|
|
@c [ new_oids ]
|
|
@c msCertificateTemplateName = 1.3.6.1.4.1.311.20.2
|
|
@c
|
|
@c
|
|
@c [ req_smartcard ]
|
|
@c keyUsage = digitalSignature, keyEncipherment
|
|
@c extendedKeyUsage = msSmartcardLogin, clientAuth
|
|
@c msCertificateTemplateName = ASN1:BMP:SmartcardLogon
|
|
@c subjectAltName = otherName:msUPN;UTF8:lukeh@dsg.padl.com
|
|
@c #subjectAltName = email:copy
|
|
|
|
|
|
@section Using PK-INIT with Windows
|
|
|
|
@subsection Client configration
|
|
|
|
Clients using a Windows KDC with PK-INIT need configuration since
|
|
windows uses pre-standard format and this can't be autodetected.
|
|
|
|
The pkinit_win2k_require_binding option requires the reply for the KDC
|
|
to be of the new, secure, type that binds the request to reply. Before
|
|
clients should fake the reply from the KDC. To use this option you
|
|
have to apply a fix from Microsoft.
|
|
|
|
@example
|
|
[realms]
|
|
MY.MS.REALM = @{
|
|
pkinit_win2k = yes
|
|
pkinit_win2k_require_binding = no
|
|
@}
|
|
@end example
|
|
|
|
@subsection Certificates
|
|
|
|
The client certificates need to have the extended keyusage ``Microsoft
|
|
Smartcardlogin'' (openssl have the oid shortname msSmartcardLogin).
|
|
|
|
See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
|
|
Smart Card Logon with Third-Party Certification Authorities'' for a
|
|
more extensive description of how set setup an external CA to it
|
|
includes all information that will make a Windows KDC happy.
|
|
|
|
@subsection Configure Windows 2000 CA
|
|
|
|
To enable Microsoft Smartcardlogin> for certificates in your Windows
|
|
2000 CA, you want to look at Microsoft Knowledge Base Article -
|
|
313274 ``HOW TO: Configure a Certification Authority to Issue
|
|
Smart Card Certificates in Windows''.
|