Administering the Kerberos Server

Kerberos Database Utilities

Adding principals to database...

Cleaning up....

shell%

The kdb_create command creates the following principals:

K/M@<REALM NAME>

This is the master key principal. K/M is the default name; it can be changed when the database is created (see below).

default@<REALM NAME>

kadmin/<REALM NAME>@<REALM NAME>

kcpwd/<REALM NAME>@<REALM NAME>

krbtgt/<REALM NAME>@<REALM NAME>

IMPORTANT

Do not delete these principals.


K/M is the default master key name. To use a different name, pass it to the -M mkeyname option of the kdb_create command when you create the database.

The stash file is a local copy of the master key, stored in an encrypted format on the local disk of the primary security server. It is usually located in the same directory as the Kerberos database. By default, kdb_create does not create a stash file. When a stash file exists, the database utilities and daemons, such as kadmind, kadminl and kdcd, can read the master key from it and open the database without an administrator having to enter the master password.

This matters when the machine on which the KDC runs has to be restarted: with a stash file present, you can configure the KDC to start automatically after a reboot without any human intervention. The stash file, like the keytab file, is a potential point of entry for a break-in. Because the master key encrypts every principal key in the database, a compromised stash file gives unrestricted access to the Kerberos database, so the file must be readable by root only. For more information, see “Service Key Table” on page 244.
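The following shell script is an added example, not part of this guide or of the Kerberos distribution. It audits the filesystem exposure of a stash file as a practitioner would before enabling unattended KDC startup: the file must exist, must have no group or other permission bits, and must be owned by the expected user (root). The default path is an assumption for illustration only; the real stash file lives in your KDC database directory. It uses ls(1) rather than stat(1) so it runs on any POSIX shell, including older Unix systems.

```shell
#!/bin/sh
# Added example: audit the on-disk exposure of a Kerberos master-key stash file.
# STASH_FILE is a hypothetical path; substitute the real location.
STASH_FILE="${STASH_FILE:-/var/krb5/.k5.EXAMPLE.COM}"

# stash_mode_ok FILE
# Succeeds only if FILE is a regular file whose group and other permission
# bits are all clear (mode 0600 or stricter). Positions 5-10 of ls -l output
# are the group/other bits, so the pattern requires them to be "------".
stash_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -ld -- "$f" | cut -c1-10)
    case "$perms" in
        -???------) return 0 ;;   # e.g. -rw-------
        *)          return 1 ;;
    esac
}

# stash_owner_ok FILE USER
# Succeeds only if FILE is owned by USER (normally root on a KDC).
stash_owner_ok() {
    f="$1"; want="$2"
    [ -e "$f" ] || return 1
    owner=$(ls -ld -- "$f" | awk '{print $3}')
    [ "$owner" = "$want" ]
}

# audit_stash FILE [USER]
# Prints one line per check. Returns 0 if all checks pass, 1 if the file is
# exposed, 2 if there is no stash file at all.
audit_stash() {
    f="$1"; want="${2:-root}"; rc=0
    if [ ! -f "$f" ]; then
        echo "$f: no stash file (kdb_create does not create one by default)"
        return 2
    fi
    if stash_mode_ok "$f"; then
        echo "$f: mode OK (owner-only access)"
    else
        echo "$f: WARNING group/other can read the master key; fix with: chmod 600 $f"
        rc=1
    fi
    if stash_owner_ok "$f" "$want"; then
        echo "$f: owner OK ($want)"
    else
        echo "$f: WARNING not owned by $want; fix with: chown $want $f"
        rc=1
    fi
    return $rc
}

# Usage: sh stash_audit.sh /path/to/stash [expected_owner]
if [ $# -gt 0 ]; then
    audit_stash "$1" "${2:-root}"
fi
```

Run it from a root cron job or as part of the KDC start-up script so that a stash file whose permissions have drifted (for example after a restore from backup) is flagged before the KDC is started unattended.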

Database Encryption

The Kerberos server supports the following encryption types:

DES3

Chapter 8

227