
Managing Kerberos in Oracle® Solaris 11.4


Updated: August 2020

Kerberos Password and Ticket Management

Kerberos is a single sign-on environment: you type your password once per session, and the tickets you obtain then authenticate you to network services for the rest of that session. Kerberos authentication and encryption are built into each of a suite of existing, familiar network applications. The Kerberos V5 applications are versions of existing UNIX network applications with Kerberos features added.

Administrative Responsibilities for Kerberos Password and Ticket Management

The administrator configures Kerberos to handle user passwords and tickets.

  • In Oracle Solaris, Kerberos is built into the login command.

    If the administrator configures the PAM service for the applicable login services, users can obtain tickets automatically. For more information, see the pam_krb5(7) man page.

  • If the administrator configures the ssh command to delegate (forward) copies of user tickets to the other hosts, then users do not have to explicitly ask for tickets to get access to those hosts.

    For security reasons, the administrator might prevent ticket forwarding: a forwarded ticket-granting ticket that lands on a compromised remote host can be used to impersonate the user for the ticket's remaining lifetime. For more information, see the discussion of GSS-API credential delegation (the GSSAPIDelegateCredentials option) in the ssh(1) and ssh_config(5) man pages.

User Responsibilities for Kerberos Ticket Management

Typically, Kerberos creates a ticket for you when you log in, so you need not do anything special to obtain a ticket.

User responsibilities for Kerberos tickets include the following:

  • Obtain a new ticket when your ticket expires.

    The kinit command prompts you for your Kerberos password, then obtains a new ticket-granting ticket (TGT). Tickets for individual services are obtained automatically from the TGT as you use them.

  • Create a ticket for a different principal.

    When you act as a principal other than your default principal, you might need to obtain a ticket for it. For example, if you use the ssh -l command to log in to a host as another user, you need a ticket for that user's principal, which you obtain with kinit principal. Note that kinit principal replaces the tickets in your default credential cache; use kinit -c cache-name to keep the second principal's tickets in a separate cache.

  • Create a ticket for a new host when your tickets are not forwarded.

    If the administrator configures the ssh command to delegate (forward) copies of your tickets to the other hosts, then you do not have to explicitly ask for tickets to get access to those hosts. For security reasons, the administrator might prevent ticket forwarding, in which case you run kinit on the remote host. For more information, see the discussion of GSS-API credential delegation in the ssh(1) and ssh_config(5) man pages.

  • List the properties of your ticket, such as whether it can be forwarded or is invalid.

    Not all tickets are alike. For example, one ticket might be forwardable, another ticket might be postdated, and a third ticket might be both forwardable and postdated. You can list the properties of your tickets with the klist -f command, which prints a Flags: field of one-letter codes for each ticket; for example, F means forwardable, d means postdated, R means renewable, and i means invalid.

  • Destroy your tickets at the end of a session.

    The kdestroy command destroys your credential cache, which destroys all your credentials and tickets. Destroying the cache is not strictly required, because tickets expire on their own, but running kdestroy reduces the chance of the credential cache being read and reused by someone else during times that you are not logged in.

    If you are going to be away from your system, you should either use the kdestroy command or lock the screen with a screen saver.

For more information, see the MIT Kerberos User Commands Documentation (http://web.mit.edu/kerberos/krb5-1.14/doc/user/user_commands/index.html).
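The ticket checks described above, as an added example that is not part of the Oracle Solaris documentation: a POSIX shell script that reads a klist -f listing, reports the realm and flag letters of the ticket-granting ticket, expands the letters into words, and, where the Kerberos user commands are installed, uses klist -s to tell whether kinit is needed. The cache listing embedded in the script is constructed for this example (principal, cache path and times are made up); its layout and flag letters follow MIT klist(1), on which the Oracle Solaris klist command is based, and klist -s is assumed to behave as in MIT klist (exit status 0 only when the cache holds a valid, unexpired ticket).

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): inspect a
# credential cache listing the way a user would after "klist -f", and decide
# whether a fresh kinit is needed.  SAMPLE_KLIST is CONSTRUCTED for this
# example; its layout and flag letters follow MIT klist(1).

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_101
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
03/15/2020 08:00:00  03/15/2020 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/22/2020 08:00:00, Flags: FRIA
03/15/2020 08:05:00  03/15/2020 18:00:00  host/db1.example.com@EXAMPLE.COM
        Flags: FA'

# flag_name LETTER: meaning of one klist -f flag letter (MIT klist(1) set).
flag_name() {
    case "$1" in
        F) echo forwardable ;;      f) echo forwarded ;;
        P) echo proxiable ;;        p) echo proxy ;;
        D) echo postdateable ;;     d) echo postdated ;;
        R) echo renewable ;;        I) echo initial ;;
        i) echo invalid ;;          H) echo hardware-authenticated ;;
        A) echo preauthenticated ;; T) echo transit-policy-checked ;;
        O) echo okay-as-delegate ;; a) echo anonymous ;;
        *) echo "unknown($1)" ;;
    esac
}

# decode_flags FLAGS: expand a flag string such as FRIA into words.
decode_flags() {
    _rest=$1; _out=""
    while [ -n "$_rest" ]; do
        _c=${_rest%"${_rest#?}"}     # first character of the remaining string
        _rest=${_rest#?}
        _out="$_out $(flag_name "$_c")"
    done
    echo "${_out# }"
}

# cache_realm: read klist output on stdin, print the realm of the default principal.
cache_realm() {
    awk '/^Default principal:/ { sub(/.*@/, ""); print; exit }'
}

# ticket_flags SERVICE: read klist -f output on stdin, print the flag string of
# the ticket for SERVICE (klist prints the Flags: field on the line after the ticket).
ticket_flags() {
    awk -v svc="$1" '
        index($0, svc) { want = 1; next }
        want && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
    '
}

# tgt_flags REALM: flags of the ticket-granting ticket for REALM.
tgt_flags() {
    ticket_flags "krbtgt/$1@$1"
}

# is_forwardable FLAGS: succeed if the uppercase F (forwardable) flag is set.
is_forwardable() {
    case "$1" in *F*) return 0 ;; *) return 1 ;; esac
}

# Walk the constructed listing.
realm=$(printf '%s\n' "$SAMPLE_KLIST" | cache_realm)
flags=$(printf '%s\n' "$SAMPLE_KLIST" | tgt_flags "$realm")
echo "TGT for $realm: flags $flags ($(decode_flags "$flags"))"
if is_forwardable "$flags"; then
    echo "note: this TGT is forwardable; an ssh session with delegation enabled hands a usable copy to the remote host"
fi

# On a host that has the Kerberos user commands, repeat the check against the
# live cache.  klist -s exits non-zero when the cache holds no valid, unexpired
# ticket, which is exactly the condition under which the user must run kinit.
if command -v klist >/dev/null 2>&1; then
    if klist -s; then
        live_realm=$(klist | cache_realm)
        echo "live TGT flags: $(klist -f | tgt_flags "$live_realm")"
    else
        echo "no valid ticket in the credential cache; run kinit to obtain one"
    fi
fi
```

The parser keys on the service principal line and takes the Flags: field from the line that follows it, which is how klist -f lays out both renewable tickets (renew until ..., Flags: ...) and non-renewable ones (Flags: ...). Because case patterns are case-sensitive, *F* matches only the forwardable flag and not f (forwarded).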

User Responsibilities for Kerberos Password Management

In a Kerberos environment, you have two passwords: the regular Oracle Solaris UNIX password and a Kerberos password. You can make both passwords the same, or they can be different.


Note -  The behavior of the passwd command depends on how the PAM module is configured. The administrator might require users to change both passwords, or only one of them: at some sites the UNIX password must be changed, while at other sites the Kerberos password must be changed.

If PAM is properly configured, you can change your Kerberos password in two ways.

  • Use the passwd command. With the Kerberos service configured, the passwd command also automatically prompts for a new Kerberos password.

    By using the passwd command, you can set both your UNIX and Kerberos passwords at the same time. You can also change only one password and leave the other password untouched.

  • Use the kpasswd command. kpasswd changes only Kerberos passwords. You must use passwd if you want to change your UNIX password.

    A primary use for kpasswd is to change a password for a Kerberos principal that is not a valid UNIX user. For example, jdoe/admin is a Kerberos principal but not an actual UNIX user, so you must use kpasswd to change the password.

For more information, see the MIT Kerberos User Commands Documentation.

After you change your password, the new key must propagate through the network, from the master KDC to any slave KDCs. The size of the Kerberos network affects the time that is required for the propagation.


Tip  - If you need new Kerberos tickets shortly after you change your password, try the new password first. If the new password doesn't work, try again using the old password: the KDC that answered your request might be a slave that has not yet received the new key.

Kerberos policy defines the criteria for passwords. The administrator configures the policy, for example the minimum number of distinct character classes a new password must contain. Password character classes are lowercase, uppercase, numbers, punctuation, and all other characters.
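The character-class rule above, as an added example that is not part of the Oracle Solaris documentation: a POSIX shell function that counts how many of the five classes (lowercase, uppercase, digits, punctuation, everything else) a candidate password touches, so a user can check a new password against the site's minimum before running passwd or kpasswd. It assumes the classes are counted as distinct classes present, not as characters, which is how a kadmin policy's minclasses setting is applied in MIT-derived Kerberos. The candidate is read from standard input rather than the command line so it never appears in ps output; the candidates used in the demonstration at the end are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): count the
# character classes present in a candidate password, using the five classes
# the documentation lists.  The candidate is read from stdin, never from argv.

# password_classes: read one line from stdin, print how many of the five
# classes it touches (0 for an empty line).
password_classes() {
    IFS= read -r _pw || [ -n "$_pw" ] || return 1
    _n=0
    printf '%s' "$_pw" | LC_ALL=C grep -q '[[:lower:]]' && _n=$((_n + 1))
    printf '%s' "$_pw" | LC_ALL=C grep -q '[[:upper:]]' && _n=$((_n + 1))
    printf '%s' "$_pw" | LC_ALL=C grep -q '[[:digit:]]' && _n=$((_n + 1))
    printf '%s' "$_pw" | LC_ALL=C grep -q '[[:punct:]]' && _n=$((_n + 1))
    # "all other characters": space, control characters, non-ASCII bytes
    printf '%s' "$_pw" | LC_ALL=C grep -q '[^[:lower:][:upper:][:digit:][:punct:]]' && _n=$((_n + 1))
    echo "$_n"
}

# meets_policy MINCLASSES: read a candidate from stdin, succeed only if it
# touches at least MINCLASSES classes (the site's minimum is assumed here).
meets_policy() {
    _have=$(password_classes) || return 1
    [ "$_have" -ge "$1" ]
}

# Demonstration on constructed candidates; a real check would pipe the
# candidate in from a prompt with echo turned off.
for cand in 'Tr0ub4dor&3' 'correct horse battery staple' 'password'; do
    printf '%-30s %s classes\n' "$cand" "$(printf '%s\n' "$cand" | password_classes)"
done
```

A space counts as "all other characters", so a lowercase passphrase with spaces touches two classes, not one; that is the detail most likely to surprise someone whose candidate is rejected by the KDC's policy.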