JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Oracle Solaris Secure Shell (Tasks)

20.  Oracle Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

Configuring the Kerberos Service (Task Map)

Configuring Additional Kerberos Services (Task Map)

Configuring KDC Servers

How to Manually Configure a Master KDC

How to Configure a KDC to Use an LDAP Data Server

How to Manually Configure a Slave KDC

How to Refresh the Ticket Granting Service Keys on a Master Server

Configuring Cross-Realm Authentication

How to Establish Hierarchical Cross-Realm Authentication

How to Establish Direct Cross-Realm Authentication

Configuring Kerberos Network Application Servers

How to Configure a Kerberos Network Application Server

Configuring Kerberos NFS Servers

How to Configure Kerberos NFS Servers

How to Create a Credential Table

How to Add a Single Entry to the Credential Table

How to Provide Credential Mapping Between Realms

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

Configuring Kerberos Clients

Configuring Kerberos Clients (Task Map)

How to Create a Kerberos Client Installation Profile

How to Automatically Configure a Kerberos Client

How to Interactively Configure a Kerberos Client

How to Manually Configure a Kerberos Client

How to Disable Verification of the Ticket Granting Ticket (TGT)

How to Access a Kerberos Protected NFS File System as the root User

How to Configure Automatic Migration of Users in a Kerberos Realm

Synchronizing Clocks Between KDCs and Kerberos Clients

Swapping a Master KDC and a Slave KDC

How to Configure a Swappable Slave KDC

How to Swap a Master KDC and a Slave KDC

Administering the Kerberos Database

Backing Up and Propagating the Kerberos Database

The kpropd.acl File

The kprop_script Command

How to Back Up the Kerberos Database

How to Restore the Kerberos Database

How to Convert a Kerberos Database After a Server Upgrade

How to Reconfigure a Master KDC to Use Incremental Propagation

How to Reconfigure a Slave KDC to Use Incremental Propagation

How to Configure a Slave KDC to Use Full Propagation

How to Verify That the KDC Servers Are Synchronized

How to Manually Propagate the Kerberos Database to the Slave KDCs

Setting Up Parallel Propagation

Configuration Steps for Setting Up Parallel Propagation

Administering the Stash File

How to Remove a Stash File

Managing a KDC on an LDAP Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

How to Destroy a Realm on an LDAP Directory Server

Increasing Security on Kerberos Servers

How to Enable Only Kerberized Applications

How to Restrict Access to KDC Servers

How to Use a Dictionary File to Increase Password Security

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)

Glossary

Index

Increasing Security on Kerberos Servers

Follow these steps to increase security on Kerberos application servers and on KDC servers.

Table 23-4 Increasing Security on Kerberos Servers (Task Map)

Task
Description
For Instructions
Enabling access using Kerberos authentication
Restrict network access to a server to allow Kerberos authentication only
Restricting access to the KDC servers
Increases the security of the KDC servers and their data.
Increasing password security by using a dictionary file
Increases the security of any new passwords by checking the new password against a dictionary.

How to Enable Only Kerberized Applications

This procedure restricts network access to the server that is running telnet, ftp, rcp, rsh, and rlogin to use Kerberos authenticated transactions only.

  1. Change the exec property for the telnet service.

    Add the -a user option to the exec property for telnet to restrict access to those users who can provide valid authentication information.

    # inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user"
  2. (Optional) If not already configured, change the exec property for the telnet service.

    Add the -a option to the exec property for ftp to permit only Kerberos authenticated connections.

    # inetadm -m svc:/network/ftp:default exec="/usr/sbin/in.ftpd -a"
  3. Disable other services.

    The in.rshd and in.rlogind daemons should be disabled.

    # svcadm disable network/shell
    # svcadm disable network/login:rlogin

How to Restrict Access to KDC Servers

Both master KDC servers and slave KDC servers have copies of the KDC database stored locally. Restricting access to these servers so that the databases are secure is important to the overall security of the Kerberos installation.

  1. Disable remote services, as needed.

    To provide a secure KDC server, all nonessential network services should be disabled . Depending on your configuration, some of these services may already be disabled. Check the service status with the svcs command. In most circumstances, the only services that would need to run would be krb5kdc and kadmin if the KDC is a master. In addition, any services that use loopback tli (ticlts, ticotsord, and ticots) can be left enabled.

    # svcadm disable network/comsat
    # svcadm disable network/dtspc/tcp
    # svcadm disable network/finger
    # svcadm disable network/login:rlogin
    # svcadm disable network/rexec
    # svcadm disable network/shell
    # svcadm disable network/talk
    # svcadm disable network/tname
    # svcadm disable network/uucp
    # svcadm disable network/rpc_100068_2-5/rpc_udp
  2. Restrict access to the hardware that supports the KDC.

    To restrict physical access, make sure that the KDC server and its monitor are located in a secure facility. Users should not be able to access this server in any way.

  3. Store KDC database backups on local disks or on the KDC slaves.

    Make tape backups of your KDC only if the tapes are stored securely. Follow the same practice for copies of keytab files. It would be best to store these files on a local file system that is not shared with other systems. The storage file system can be on either the master KDC server or any of the slave KDCs.

How to Use a Dictionary File to Increase Password Security

A dictionary file can be used by the Kerberos service to prevent words in the dictionary from being used as passwords when creating new credentials. Preventing the use of dictionary terms as passwords makes it harder for someone else to guess any password. By default the /var/krb5/kadm5.dict file is used, but it is empty.

  1. Become superuser on the master KDC.
  2. Edit the KDC configuration file (kdc.conf).

    You need add a line to instruct the service to use a dictionary file. In this example, the dictionary that is included with the spell utility is used. See the kdc.conf(4) man page for a full description of the configuration file.

    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM = {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
                    sunw_dbprop_master_ulogsize = 1000
                    dict_file = /usr/share/lib/dict/words
                    }
  3. Restart the Kerberos daemons.
    kdc1 # svcadm restart -r network/security/krb5kdc
    kdc1 # svcadm restart -r network/security/kadmin