Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: August 2020

Increasing Security on Kerberos Servers

This section provides advice about increasing security on Kerberos application servers and on KDC servers.

Restricting Access to KDC Servers

Both master KDC servers and slave KDC servers have copies of the KDC database stored locally. Restricting access to these servers so that the databases are secure is important to the overall security of the Kerberos installation.

  • Restrict physical access to the hardware that supports the KDC.

    Make sure that the KDC server and its monitor are located in a secure facility. Regular users should not be able to access this server in any way.

  • Store KDC database backups on local disks or on the KDC slaves.

    Make tape backups of your KDC only if the tapes are stored securely. Follow the same practice for copies of keytab files.

    Store these files on a local file system that is not shared with other systems. The storage file system can be on either the master KDC server or any of the slave KDCs.

Using a Dictionary File to Increase Password Security

A dictionary file can be used by the Kerberos service to prevent words in the dictionary from being used as passwords for new credentials. Preventing the use of dictionary words as passwords makes it harder for someone else to guess any password. By default, the /var/krb5/kadm5.dict file is used, but it is empty.

Add a line to the KDC configuration file, kdc.conf to instruct the service to use a dictionary file. In this example, the administrator uses the dictionary that is included with the spell utility, then restarts the Kerberos services. For a full description of the configuration file, see the kdc.conf(5) man page.

kdc1# pfedit /etc/krb5/kdc.conf
     kdc_ports = 88,750

     EXAMPLE.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        iprop_enable = true
        iprop_master_ulogsize = 1000
        dict_file = /usr/share/lib/dict/words
kdc1# svcadm restart -r network/security/krb5kdc
kdc1# svcadm restart -r network/security/kadmin