Administering the Kerberos Server

Extracting Service Keys

If you change the default name and location to a different name and location than the programs of the Kerberos server, you must edit the settings to indicate the new location of the service key table file.

Step 8. Select the Generate New Random Key before Extracting option. HP recommends that you select this option for increased security because it generates a new random key before the principal and key are extracted to the service key table.

Step 9. Click OK to extract the principal and its key to the service key table. If a service key table file does not exist in the selected directory, a new file is created. You cannot create a service key if the selected directory does not exist.

Consider the following points while extracting principal keys to the service key table:

HP recommends that you re-extract all the service keys once a month, thereby changing the keys and reducing the risk of compromise to the keys.

If the host system contains more than one service principal account, extract the service key for each principal individually.

The extracted key is appended to an existing service key table file. If the extracted key has the same principal name as an existing table entry, the old key is overwritten with the new extracted key.

Extracting a random key may modify the salt types of the principal whose key is being extracted. This is a normal side effect of generating a random key because a random key implies a salt type of v5 (none).
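To check the monthly re-extraction recommendation above, the following added example (not from the HP manual) reads a service key table and lists principals whose key timestamp is older than 30 days. It assumes the file uses the MIT-style keytab binary layout, version 0x0502, which this page does not state; the sample table, realm and host names are constructed, with all-zero dummy keys.

```python
import struct
MAX_AGE = 30 * 86400  # seconds; the page recommends re-extracting keys monthly

def _counted(buf, off):  # read a 16-bit length-prefixed byte string
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype, timestamp) for each live entry."""
    if data[:2] != b"\x05\x02":          # assumed format: keytab version 0x0502
        raise ValueError("not a version 0x0502 key table")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start, off = off + 4, off + 4 + abs(size)  # off: start of next record
        if size <= 0:                    # hole left by a deleted entry
            continue
        if off > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, start)
        names, p = [], start + 2
        for _ in range(ncomp + 1):       # realm first, then name components
            raw, p = _counted(data, p)
            names.append(raw.decode())
        _ntype, ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11) # key bytes are skipped, never shown
        if off - p >= 4:                 # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype, ts))
    return entries

def stale(entries, now):
    """Principals whose key timestamp is older than MAX_AGE at time `now`."""
    return sorted({e[0] for e in entries if now - e[3] > MAX_AGE})

def _lp(b):  # length-prefix helper for the constructed sample
    return struct.pack(">H", len(b)) + b

def _entry(realm, comps, ts, kvno, etype=18, key=b"\x00" * 32):  # dummy key
    body = struct.pack(">H", len(comps)) + b"".join(map(_lp, [realm, *comps]))
    body += struct.pack(">IIBH", 1, ts, kvno, etype) + _lp(key)
    return struct.pack(">i", len(body)) + body

NOW = 1_700_000_000                      # fixed reference time for the sample
SAMPLE = (b"\x05\x02"
          + _entry(b"EXAMPLE.COM", [b"host", b"a.example.com"], NOW - 45 * 86400, 3)
          + _entry(b"EXAMPLE.COM", [b"ftp", b"a.example.com"], NOW - 5 * 86400, 7))
print(stale(parse_keytab(SAMPLE), NOW))
```

Against a real file, pass the file's bytes to `parse_keytab` and the current time to `stale`; the parser never returns or prints key material.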

HP UX Kerberos Data Security Software manual