JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

Ways to Administer Kerberos Principals and Policies

SEAM Tool

Command-Line Equivalents of the SEAM Tool

The Only File Modified by the SEAM Tool

Print and Online Help Features of the SEAM Tool

Working With Large Lists in the SEAM Tool

How to Start the SEAM Tool

Administering Kerberos Principals

Administering Kerberos Principals (Task Map)

Automating the Creation of New Kerberos Principals

How to View the List of Kerberos Principals

How to View a Kerberos Principal's Attributes

How to Create a New Kerberos Principal

How to Duplicate a Kerberos Principal

How to Modify a Kerberos Principal

How to Delete a Kerberos Principal

How to Set Up Defaults for Creating New Kerberos Principals

How to Modify the Kerberos Administration Privileges

Administering Kerberos Policies

Administering Kerberos Policies (Task Map)

How to View the List of Kerberos Policies

How to View a Kerberos Policy's Attributes

How to Create a New Kerberos Policy

How to Duplicate a Kerberos Policy

How to Modify a Kerberos Policy

How to Delete a Kerberos Policy

SEAM Tool Reference

SEAM Tool Panel Descriptions

Using the SEAM Tool With Limited Kerberos Administration Privileges

Administering Keytab Files

Administering Keytab Files (Task Map)

How to Add a Kerberos Service Principal to a Keytab File

How to Remove a Service Principal From a Keytab File

How to Display the Keylist (Principals) in a Keytab File

How to Temporarily Disable Authentication for a Service on a Host

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Administering Keytab Files

Every host that provides a service must have a local file, called a keytab (short for “key table”). The keytab contains the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains its nfs service principal.

To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.

A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network.

There is also a special instance in which to add a root principal to a host's keytab file. If you want a user on the Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter.

Another command that you can use to administer keytab files is the ktutil command. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.


Note - When you change a principal in a keytab file using the ktadd command in kadmin, a new key is generated and added to the keytab file.


Administering Keytab Files (Task Map)

Task
Description
For Instructions
Add a service principal to a keytab file.
Use the ktadd command of kadmin to add a service principal to a keytab file.
Remove a service principal from a keytab file.
Use the ktremove command of kadmin to remove a service from a keytab file.
Display the keylist (list of principals) in a keytab file.
Use the ktutil command to display the keylist in a keytab file.
Temporarily disable authentication for a service on a host.
This procedure is a quick way to temporarily disable authentication for a service on a host without requiring kadmin privileges.

Before you use ktutil to delete the service principal from the server's keytab file, copy the original keytab file to a temporary location. When you want to enable the service again, copy the original keytab file back to its proper location.

How to Add a Kerberos Service Principal to a Keytab File

  1. Make sure that the principal already exists in the Kerberos database.

    See How to View the List of Kerberos Principals for more information.

  2. Assume the root role on the host that needs a principal added to its keytab file.
  3. Start the kadmin command.
    # /usr/sbin/kadmin
  4. Add a principal to a keytab file by using the ktadd command.
    kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]
    -e enctype

    Overrides the list of encryption types defined in the krb5.conf file.

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.

    -glob principal-exp

    Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin.

  5. Quit the kadmin command.
    kadmin: quit

Example 23-16 Adding a Service Principal to a Keytab File

In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.

denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode
          with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Remove a Service Principal From a Keytab File

  1. Assume the root role on the host with a service principal that must be removed from its keytab file.
  2. Start the kadmin command.
    # /usr/sbin/kadmin
  3. (Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.

    See How to Display the Keylist (Principals) in a Keytab File for detailed instructions.

  4. Remove a principal from the keytab file by using the ktremove command.
    kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ]
    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Specifies the principal to be removed from the keytab file.

    kvno

    Removes all entries for the specified principal whose key version number matches kvno.

    all

    Removes all entries for the specified principal.

    old

    Removes all entries for the specified principal, except those principals with the highest key version number.

  5. Quit the kadmin command.
    kadmin: quit

Example 23-17 Removing a Service Principal From a Keytab File

In the following example, denver's host principal is removed from denver's keytab file.

denver # /usr/sbin/kadmin
kadmin: ktremove host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3
  removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Display the Keylist (Principals) in a Keytab File

  1. Assume the root role on the host with the keytab file.

    Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Start the ktutil command.
    # /usr/bin/ktutil
  3. Read the keytab file into the keylist buffer by using the read_kt command.
    ktutil: read_kt keytab
  4. Display the keylist buffer by using the list command.
    ktutil: list

    The current keylist buffer is displayed.

  5. Quit the ktutil command.
    ktutil: quit

Example 23-18 Displaying the Keylist (Principals) in a Keytab File

The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.

denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
    ktutil: quit

How to Temporarily Disable Authentication for a Service on a Host

At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.


Note - By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service still works, even if you disable authentication for the service.


  1. Assume the root role on the host with the keytab file.

    Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Save the current keytab file to a temporary file.
  3. Start the ktutil command.
    # /usr/bin/ktutil
  4. Read the keytab file into the keylist buffer by using the read_kt command.
    ktutil: read_kt keytab
  5. Display the keylist buffer by using the list command.
    ktutil: list

    The current keylist buffer is displayed. Note the slot number for the service that you want to disable.

  6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.
    ktutil: delete_entry slot-number

    Where slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.

  7. Write the keylist buffer to a new keytab file by using the write_kt command.
    ktutil: write_kt new-keytab
  8. Quit the ktutil command.
    ktutil: quit
  9. Move the new keytab file.
    # mv new-keytab keytab
  10. When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.

Example 23-19 Temporarily Disabling a Service on a Host

In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.

denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
    ktutil:read_kt /etc/krb5/krb5.keytab
    ktutil:list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
    ktutil:delete_entry 2
    ktutil:list
slot KVNO Principal
---- ---- --------------------------------------
   1    8 root/denver@EXAMPLE.COM
    ktutil:write_kt /etc/krb5/new.krb5.keytab
    ktutil: quit
denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab