Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

Replacing the Ticket-Granting Service Keys on a Master Server

Note -  Replace the keys when you want to use a new, stronger encryption type for all session keys.

When the ticket-granting service (TGS) principal only has a DES key, the key restricts the encryption type of the ticket-granting ticket (TGT) session key to DES. When the KDC is updated to a release that supports stronger encryption types, you must replace the DES key of the TGS principal so that the principal can generate stronger encryption for all session keys.

You can replace the key remotely or on the master server. You must be an admin principal who is assigned the changepw privilege.

  • To replace the TGS service principal key from any Kerberos system, use the kadmin command.

    kdc1 % /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: cpw -randkey krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Enter TGS key: xxxxxxxx
    Enter new TGS key: /** Type strong password **/
    Re-enter TGS key to verify: xxxxxxxx

    cpw is an alias for the change_password command. The -randkey option prompts you for the new password.

  • If you are logged on to the KDC master as root, you can use the kadmin.local command. You are prompted for the new database password.

    kdc1 # kadmin.local -q 'cpw -randkey krbtgt/EXAMPLE.COM@EXAMPLE.COM'

Note -  Save and store this password in a safe location.
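As an added example that is not part of the Oracle documentation, the following POSIX shell function reads the output of kadmin.local -q 'getprinc krbtgt/REALM@REALM' and reports whether the TGS principal still holds only single-DES keys, the condition this section describes. Run it before the cpw -randkey step to confirm the problem exists and afterwards to confirm that stronger key types are now present; the getprinc samples below are constructed and assume the MIT-style "Key: vno N, enctype" line format.

```shell
#!/bin/sh
# Constructed sample of 'kadmin.local -q "getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM"'
# output, trimmed to the lines this check reads (assumed MIT-style format).
DES_ONLY_SAMPLE='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 1
Key: vno 1, des-cbc-crc
Attributes:'

MIXED_SAMPLE='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des-cbc-crc, no salt
Attributes:'

STRONG_SAMPLE='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Attributes:'

# tgs_key_status: read getprinc output on stdin and print one word:
#   des-only  every key is single DES, so TGT session keys are limited to DES
#   mixed     DES keys remain beside stronger types (replace the key to drop them)
#   strong    no single-DES keys present
#   no-keys   no "Key:" lines were found in the input
tgs_key_status() {
    total=0
    des=0
    while IFS= read -r line; do
        case "$line" in
            "Key: "*)
                total=$((total + 1))
                # enctype is the second comma-separated field: "vno N, enctype[, salt]"
                enctype=$(printf '%s\n' "$line" | cut -d, -f2 | tr -d ' ')
                case "$enctype" in
                    des-cbc-*) des=$((des + 1)) ;;  # single DES only; des3-* is triple DES
                esac
                ;;
        esac
    done
    if [ "$total" -eq 0 ]; then echo no-keys
    elif [ "$des" -eq "$total" ]; then echo des-only
    elif [ "$des" -gt 0 ]; then echo mixed
    else echo strong
    fi
}

# On a real KDC: kadmin.local -q 'getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM' | tgs_key_status
printf '%s\n' "$DES_ONLY_SAMPLE" | tgs_key_status
```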