This section provides advice about increasing security on Kerberos application servers and on KDC servers.
Both master KDC servers and slave KDC servers have copies of the KDC database stored locally. Restricting access to these servers so that the databases are secure is important to the overall security of the Kerberos installation.
Restrict physical access to the hardware that supports the KDC.
Make sure that the KDC server and its monitor are located in a secure facility. Regular users should not be able to access this server in any way.
Store KDC database backups on local disks or on the KDC slaves.
Make tape backups of your KDC only if the tapes are stored securely. Follow the same practice for copies of keytab files.
Store these files on a local file system that is not shared with other systems. The storage file system can be on either the master KDC server or any of the slave KDCs.
A dictionary file can be used by the Kerberos service to prevent words in the dictionary from being used as passwords for new credentials. Preventing the use of dictionary words as passwords makes it harder for someone else to guess any password. By default, the /var/krb5/kadm5.dict file is used, but it is empty.
Add a line to the KDC configuration file, kdc.conf to instruct the service to use a dictionary file. In this example, the administrator uses the dictionary that is included with the spell utility, then restarts the Kerberos services. For a full description of the configuration file, use the man command to view the kdc.conf(4) man page.
kdc1# pfedit /etc/krb5/kdc.conf
[kdcdefaults]
kdc_ports = 88,750
[realms]
EXAMPLE.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
iprop_enable = true
iprop_master_ulogsize = 1000
dict_file = /usr/share/lib/dict/words
}
kdc1#
kdc1# svcadm restart -r network/security/krb5kdc
kdc1# svcadm restart -r network/security/kadmin