Administration

Creating the Kerberos Database

kadmin/<REALM NAME>@<REALM NAME>

kcpwd/<REALM NAME>@<REALM NAME>

krbtgt/<REALM NAME>@<REALM NAME>

IMPORTANT: The principals mentioned above should NOT be deleted.

The K/M keyname is the default master-key-name. However, the master-key-name can be changed by specifying the -M mkeyname option to the kdb_create command.

The stash file is a local copy of the master key that resides in an encrypted format on the primary security server’s local disk. This stash file is usually located in the same directory as the Kerberos database. By default, kdb_create does not create a stash file. A stash file allows the database utilities, such as kadmind, kadminl, and kdcd, to authenticate themselves without an operator entering the master password.

Occasionally, however, the machine on which the KDC runs may have to be restarted, and if a stash file is present, the KDC can be configured to start automatically without any human interaction whenever the machine is rebooted. The stash file, like the keytab file, is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. For more information on the keytab file, refer to “Service Key Table (v5srvtab)” on page 210.
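Because the stash file and the keytab are both described above as potential points of entry, an administrator will want to verify that neither is readable by anyone but the KDC's owner. The following audit routine is an added example, not part of this manual or the Kerberos Security Server software; it assumes the file path is supplied by the caller (the manual does not fix a location) and that the expected owner is root (uid 0).

```python
import os
import stat
import tempfile


def audit_key_file(path, expected_uid=0):
    """Return a list of findings for a master-key stash file or keytab.

    An empty list means the file exists, is a regular file (not a symlink),
    is owned by expected_uid, and grants no group or world access.
    """
    findings = []
    try:
        st = os.lstat(path)          # lstat: do not follow a symlink silently
    except FileNotFoundError:
        return ["missing: " + path]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: %s (could redirect the KDC to another key file)" % path]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file: " + path]
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d: %s" % (st.st_uid, expected_uid, path))
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access: %s" % (perm, path))
    if perm & stat.S_IXUSR:
        findings.append("mode %04o is executable: %s" % (perm, path))
    return findings


def demo():
    """Constructed example: a key file left world-readable, then tightened.

    The file contents are a placeholder string, not a real master key.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed stash contents, not a real master key\n")
        path = f.name
    os.chmod(path, 0o644)                          # the weak setting
    loose = audit_key_file(path, expected_uid=os.getuid())
    os.chmod(path, 0o600)                          # the corrected setting
    tight = audit_key_file(path, expected_uid=os.getuid())
    os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    for line in loose:
        print("FAIL", line)
    print("after chmod 0600:", "OK" if not tight else tight)
```

To check a live installation, call audit_key_file() on the stash file and on the keytab path from your own kdb_create and service-key setup; any returned finding is a file that should be corrected before the KDC is relied upon.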

Database Encryption

The Kerberos Security Server supports two encryption types:

Data Encryption Standard (DES)

Security-Enhanced Triple Data Encryption Standard (3DES)

The encryption type selected during database creation determines the encryption type applied to the master password, which, in turn, is used to create the key that secures all records stored in the principal database.

Chapter 6

193