Kerberos Enhancements

These Kerberos enhancements are included in the Solaris 10 release. Several of the enhancements are new in prior Software Express releases.

• Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, and telnet. See the man pages for each command or daemon and the krb5_auth_rules(5) man page for more information.

• The Kerberos principal database can now be transferred by incremental update instead of transferring the entire database each time. Incremental propagation provides several advantages including the following:

  • Increased database consistencies across servers

  • The need for fewer resources, such as network and CPU resources

  • Much more timely propagation of updates

  • An automated method of propagation

• A new script helps automatically configure a Kerberos client. The script helps an administrator quickly and easily set up a Kerberos client. For procedures that use the new script, see Chapter 22, “Configuring the Kerberos Service (Tasks),” in the System Administration Guide: Security Services. See also the kclient(1M) man page for more information.

• Several new encryption types have been added to the Kerberos service. These new encryption types increase security and enhance compatibility with other Kerberos implementations that support these encryption types. All of the encryption types are documented in the mech(4) man page. See “Using Kerberos Encryption Types” in the System Administration Guide: Security Services for more information. The encryption types offer the following capabilities:

  • AES encryption type can be used for high-speed, high-security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework.

  • ARCFOUR-HMAC provides better compatibility with other Kerberos versions.

  • Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.

• The KDC software and kinit command now support the use of the TCP network protocol. This addition provides more robust operation and better interoperability with other Kerberos implementations. The KDC now “listens” on both the traditional UDP ports and on the TCP ports so that it can respond to requests that use either protocol. The kinit command first tries UDP when sending a request to the KDC. If a failure occurs, the kinit command then tries TCP.

• Support for IPv6 was added to the KDC software with kinit, klist, and kprop commands. Support for IPv6 addresses is provided by default. No configuration parameters need to change to enable this support.

• A new -e option has been added to several subcommands of the kadmin command. This new option allows for the selection of the encryption type when creating principals. See the kadmin(1M) man page for more information.

• Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework. See the pam_krb5(5) man page for more information.

• Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings that use DNS lookups. This support reduces some of the steps that are needed to install a Kerberos client. The client is able to locate a KDC server by using DNS instead of reading a configuration file. See the krb5.conf(4) man page for more information.

• A new PAM module called pam_krb5_migrate has been introduced. The new module helps in the automatic migration of users to the local Kerberos realm if the users do not already have Kerberos accounts. See the pam_krb5_migrate(5) man page for more information.

• The ~/.k5login file can now be used with GSS applications, ftp and ssh. For more information, see the krb5_auth_rules(5) man page.

• The kproplog utility has been updated to display all attribute names per log entry. For more information, see the kproplog(1M) man page.

• A new configuration file option makes the strict Ticket Granting Ticket (TGT) verification feature optionally configurable on a per-realm basis. See the krb5.conf(4) man page for more information.

• Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from non-Solaris clients. See the kadmin(1M) man page for more information.

• The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache/. The new location protects against replays if a system is rebooted. Performance enhancements were made to the rcache code. However, overall replay cache performance might be slower because of the use of persistent storage.

• The replay cache can now be configured to use file storage or memory-only storage. Refer to the krb5envvar(5) man page for more information about environment variables that can be configured for key table and credential cache types or locations.

• The GSS credential table is no longer necessary for the Kerberos GSS mechanism. For more information, see the gsscred(1M), gssd(1M), and gsscred.conf(4) man pages.

• The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1. This change added new options to the kinit command and new subcommands to the ktutil command. For more information, see the kinit(1) and the ktutil(1) man pages.

• The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1. The KDC now defaults to a btree-based database, which is more reliable than the current hash-based database. See the kdb5_util(1M) man page for more information. For Solaris 9 users, this change is new in the Solaris 9 12/03 release.