Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Administration
Creating the Kerberos Database
Chapter 6 193
kadmin/<REALM NAME>@<REALM NAME>
kcpwd/<REALM NAME>@<REALM NAME>
krbtgt/<REALM NAME>@<REALM NAME>
IMPORTANT The principals mentioned above should NOT be deleted.
K/M is the default master-key-name. However, the master-key-name can
be changed by specifying the tag with the -M mkeyname option of the
kdb_create command.
The stash file is a local copy of the master key that resides in an
encrypted format on the primary security server’s local disk. This stash
file is usually located in the same directory as the Kerberos database. By
default, kdb_create does not create a stash file. A stash file allows
the database utilities, such as kadmind, kadminl, kdcd and others, to
authenticate themselves.
Occasionally, however, the machine on which the KDC runs may have to
be restarted. If a stash file is present, the KDC can be configured to
start automatically, without any human interaction, whenever the
machine is rebooted. The stash file, like the keytab file, is a potential
point-of-entry for a break-in and, if compromised, would allow
unrestricted access to the Kerberos database. For more information on
the keytab file, refer to “Service Key Table (v5srvtab)” on page 210.
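Because the stash file and the keytab file are both potential points of entry, it is worth checking their ownership and permissions after creating them. The script below is an added example, not part of the HP documentation or product; the function name, the default owner of root and the specific checks are assumptions, and the file path is supplied by the caller.

```sh
#!/bin/sh
# Added example: audit a stash file or keytab for loose permissions.
# Usage: sh check_secret_file.sh PATH [OWNER]   (script name is hypothetical)

# check_secret_file PATH [OWNER]
# Returns 0 only if PATH is a regular file (not a symlink), owned by OWNER
# (assumed default: root), with no group/other permission bits, inside a
# directory that group and other cannot write. Prints one line per finding.
check_secret_file() {
    f=$1
    want_owner=${2:-root}
    rc=0

    if [ -h "$f" ]; then echo "FAIL $f: symbolic link"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL $f: not a regular file"; return 1; fi

    # Parse ls -ld rather than rely on stat(1), which not every UNIX ships.
    mode=$(ls -ld "$f" | awk '{print $1}')
    owner=$(ls -ld "$f" | awk '{print $3}')
    dmode=$(ls -ld "$(dirname "$f")" | awk '{print $1}')

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $f: owner is $owner, expected $want_owner"; rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $mode in
        ????------*) ;;
        *) echo "FAIL $f: mode $mode grants group/other access"; rc=1 ;;
    esac
    # A writable parent directory lets another user replace the file.
    case $dmode in
        ?????w*|????????w*)
            echo "FAIL $f: parent directory mode $dmode is group/other writable"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK $f"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_secret_file "$@"; fi
```
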
Database Encryption
The Kerberos Security Server supports two encryption types:
Data Encryption Standard (DES)
Security-Enhanced Triple Data Encryption Standard (3DES)
The encryption type selected during database creation determines the
encryption type applied to the master password, which, in turn, is used
to create the key that secures all records stored in the principal
database.