“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 665 — #691
26
Security in the Network
26.6.2 Setting up the KDC Hardware
The first thing required to use Kerberos is a machine that will act as the key distribution center, or KDC for short. This machine holds the entire Kerberos database: every principal in the realm together with its long-term secret key (for user principals, derived from the password) and its policy attributes.
The KDC is the most important part of your security infrastructure. If someone breaks into it, all user accounts and all of the infrastructure protected by Kerberos are compromised: an attacker who can read the Kerberos database holds the keys of every principal and can therefore impersonate any of them and forge tickets for any service in the realm. Tighten security for this machine as much as possible:
- Put the server machine into a physically secured location, such as a locked server room to which only a very few people have access.
- Do not run any network applications on it except the KDC. This includes servers and clients alike, because a client that parses replies from the network is exposed just as a server is: for instance, the KDC should not import any file systems via NFS or use DHCP to retrieve its network configuration.
- It is a good approach to install a minimal system first, then check the list of installed packages and remove any that are not needed. This includes servers such as inetd, portmap, and cups, as well as anything X-based. Even installing an SSH server should be considered a potential security risk.
- Do not provide a graphical login on this machine, as an X server is a potential security risk. Kerberos provides its own administration interface, so no desktop is needed.
- Configure /etc/nsswitch.conf to use only local files for user and group lookup. Change the lines for passwd and group to look like this:
      passwd: files
      group: files
- Edit the passwd, group, shadow, and gshadow files in /etc and remove the lines that start with a + character (these are NIS compat entries, which make lookups fall through to NIS).
- Also consider disabling DNS lookups, because there is a potential risk involved: if there is a security bug in the DNS resolver library, an attacker might be able to trick the KDC into performing a DNS query whose answer triggers this bug. To disable DNS lookups, remove /etc/resolv.conf. Note that without this file the resolver still tries a name server on the local host (127.0.0.1), so also set the hosts line in /etc/nsswitch.conf to files only, put any host names the KDC needs, including its own, into /etc/hosts, and set dns_lookup_realm and dns_lookup_kdc to false in /etc/krb5.conf, since the Kerberos library issues those SRV and TXT queries through the resolver directly.
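The three configuration items above can be checked mechanically. The following shell script is an added example and is not code from the SUSE manual: it audits a system root against the nsswitch.conf, NIS-entry and DNS items, checking the hosts line as well because glibc still queries a name server on 127.0.0.1 when /etc/resolv.conf is absent. It assumes the standard file locations under /etc; the fake /etc tree it builds for demonstration is a constructed fixture with made-up contents.

```shell
#!/bin/sh
# Added example, not code from the SUSE manual: audit a host against the
# KDC hardening steps (nsswitch.conf, NIS '+' entries, DNS disabled).
# Every check takes a root directory so it can run against a constructed
# fake /etc tree as well as against the live system ("kdc_audit /").

# Print the source list of one nsswitch.conf database (e.g. "files nis"),
# comments stripped; empty if the database has no line or the file is missing.
nss_sources() {
    # $1 = nsswitch.conf, $2 = database name (passwd, group, hosts, ...)
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" 2>/dev/null | sed 's/#.*//'
}

# Pass (0) only if every source listed for the database is "files".
# Strict on purpose: "compat", "nis", "ldap", "dns" and even action
# clauses such as "[NOTFOUND=return]" all fail the check.
nss_files_only() {
    src=$(nss_sources "$1" "$2")
    [ -n "$src" ] || return 1          # no line at all: glibc's built-in default applies
    for s in $src; do
        [ "$s" = "files" ] || return 1
    done
    return 0
}

# Pass if passwd and group are resolved from local files only.
check_nsswitch() {
    nss_files_only "$1" passwd && nss_files_only "$1" group
}

# Pass if none of the given account files carries a NIS compat entry
# (a line starting with '+' or '-', such as "+::::::" or "+@admins").
# A file that does not exist is fine; one we cannot read is a failure,
# because the audit cannot vouch for it.
check_no_nis_entries() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        [ -r "$f" ] || return 2
        if grep -q '^[+-]' "$f"; then
            return 1
        fi
    done
    return 0
}

# Pass if DNS is out of the picture: no resolv.conf AND a hosts database
# of "files" only (without resolv.conf glibc still asks 127.0.0.1).
check_dns_disabled() {
    [ ! -e "$1/etc/resolv.conf" ] || return 1
    nss_files_only "$1/etc/nsswitch.conf" hosts
}

# Run all checks under root $1 (default /), print one line per check and
# return the number of failed checks (0 = hardened).
kdc_audit() {
    root=${1:-/}; root=${root%/}       # "/" becomes "", so paths stay single-slash
    fails=0
    if check_nsswitch "$root/etc/nsswitch.conf"; then
        echo "ok    passwd/group lookups use local files only"
    else
        echo "FAIL  passwd/group lookups are not 'files' only"; fails=$((fails + 1))
    fi
    if check_no_nis_entries "$root/etc/passwd" "$root/etc/group" \
                            "$root/etc/shadow" "$root/etc/gshadow"; then
        echo "ok    no NIS +/- entries in account files"
    else
        echo "FAIL  NIS compat entries present in account files"; fails=$((fails + 1))
    fi
    if check_dns_disabled "$root"; then
        echo "ok    DNS disabled (no resolv.conf, hosts: files)"
    else
        echo "FAIL  DNS resolution still configured"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed fixture (made-up contents, not a real system): a fake /etc
# tree under $1, "hardened" or "unhardened" according to $2.
make_fixture() {
    mkdir -p "$1/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
    printf 'root:x:0:\n'                     > "$1/etc/group"
    printf 'root:*:0:::::\n'                 > "$1/etc/shadow"
    : > "$1/etc/gshadow"
    if [ "$2" = hardened ]; then
        printf 'passwd: files\ngroup:  files\nhosts:  files\n' > "$1/etc/nsswitch.conf"
    else
        printf 'passwd: compat\ngroup:  files nis\nhosts:  files dns\n' > "$1/etc/nsswitch.conf"
        printf '+::::::\n' >> "$1/etc/passwd"            # NIS compat entry
        printf 'nameserver 192.0.2.53\n' > "$1/etc/resolv.conf"
    fi
}

# Demonstration on the two fixtures; audit the live system with "kdc_audit /".
tmp=$(mktemp -d)
for variant in hardened unhardened; do
    make_fixture "$tmp/$variant" "$variant"
    echo "== $variant fixture =="
    rc=0; kdc_audit "$tmp/$variant" || rc=$?
    echo "failed checks: $rc"
done
rm -rf "$tmp"
```

The script only reports; removing the + lines, the resolv.conf file and the extra nsswitch sources is left to the administrator, since an automated rewrite of /etc/shadow on the KDC is exactly the kind of surprise this host should not have. Run it as root so that shadow and gshadow are readable, otherwise the NIS-entry check fails closed with status 2.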
665 SUSE LINUX Enterprise Server