“main” (Installation and Administration) 2004/6/25 13:29 page 666 #692
Disable all user accounts except root's account by editing /etc/shadow and replacing the hashed passwords with * or ! characters.
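As an added example (not from the manual), the following Python script applies the step above to a constructed /etc/shadow excerpt: every account except those named in keep gets its password field replaced with a locking marker, while accounts that are already locked (* or !) and all other fields are left untouched. The account names and hashes are invented placeholders.

```python
"""Lock every account except root in /etc/shadow (added example, not from the manual)."""

# Constructed /etc/shadow excerpt; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:12590:0:99999:7:::
bin:*:12590:0:99999:7:::
geeko:$1$zyxwvuts$lkjihgfedcba9876543210:12590:0:99999:7:::
postfix:!:12590:0:99999:7:::
"""

LOCKED_PREFIXES = ("*", "!")


def lock_all_but(shadow_text, keep=("root",), marker="!"):
    """Return shadow_text with the password field of every account not in
    `keep` replaced by `marker`. Already locked accounts and all other
    fields (last change, min/max age, ...) are preserved."""
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:          # not a well-formed shadow entry; keep as is
            out.append(line)
            continue
        name, passwd = fields[0], fields[1]
        if name not in keep and not passwd.startswith(LOCKED_PREFIXES):
            fields[1] = marker       # discards the hash: this lock is not reversible
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def unlocked_accounts(shadow_text):
    """Names of accounts whose password field is neither * nor !.
    An empty field counts as unlocked: it means no password is needed at all."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 9 and not fields[1].startswith(LOCKED_PREFIXES):
            names.append(fields[0])
    return names


if __name__ == "__main__":
    locked = lock_all_but(SAMPLE_SHADOW)
    print(locked)
    print("still unlocked:", unlocked_accounts(locked))
```

Note the difference from passwd -l, which prefixes the existing hash with ! and can be undone with passwd -u; replacing the whole field, as the manual describes, throws the hash away. When editing the live file, use vipw -s rather than a plain editor so that the shadow lock file is honoured.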
26.6.3 Clock Synchronization
To use Kerberos successfully, make sure all system clocks within your organization are synchronized to within the clock skew Kerberos permits (five minutes by default). This is important because Kerberos protects against replayed credentials: an attacker might be able to observe Kerberos credentials on the network and reuse them to attack the server. Kerberos employs several defenses to prevent this. One of them is that it puts time stamps into the authenticators that accompany tickets. A server receiving a request whose time stamp differs from its own clock by more than the permitted skew rejects it; within that window, a replay cache catches authenticators it has already seen. Kerberos allows this leeway when comparing time stamps because computer clocks can be very inaccurate in keeping time: it is not unheard of for PC clocks to lose or gain half an hour over the course of a week. A host whose clock has drifted beyond the skew can no longer authenticate at all. For this reason, configure all hosts on the network to synchronize their clocks with a central time source.
A simple way to do so is to install an NTP time server on one machine and have all clients synchronize their clocks with it. Do this either by running an NTP daemon in client mode on all these machines or by running ntpdate once a day from all clients via cron (the latter is practical only for a small number of clients, and a daily correction may not be enough for a clock that drifts several minutes a day). The KDC itself needs to be synchronized to the common time source as well. Because running a network-listening NTP daemon on the KDC would be a security risk, it is probably a good idea to synchronize it by running ntpdate from a cron entry instead. NTP configuration itself is beyond the scope of this section. For more information, refer to the NTP documentation included in your installed system under /usr/share/doc/packages/xntp-doc/.
It is also possible to adjust the maximum deviation Kerberos allows when checking time stamps. This value (called clock skew, the clockskew setting in the [libdefaults] section of krb5.conf) can be set as described in Section 26.6.6 on page 672. Keep in mind that raising it also widens the window in which a captured authenticator can be replayed, so fixing clock synchronization is preferable to increasing the skew.
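To make the time-stamp check concrete, here is an added Python simulation (example code, not the Kerberos implementation and not from the manual) of what a service does with the time stamp in an incoming authenticator: it reads clockskew from a constructed krb5.conf fragment, rejects requests outside the window with the Kerberos error KRB_AP_ERR_SKEW, and catches a replayed authenticator inside the window with a replay cache (KRB_AP_ERR_REPEAT). The principal names and time values are invented.

```python
"""Simulated Kerberos authenticator time-stamp and replay check (added example)."""

DEFAULT_CLOCKSKEW = 300  # seconds; the default MIT Kerberos uses when krb5.conf sets nothing

# Constructed krb5.conf fragment; only [libdefaults] is parsed here.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 120
"""


def parse_clockskew(conf_text, default=DEFAULT_CLOCKSKEW):
    """Return clockskew (seconds) from the [libdefaults] section, or `default`.
    Minimal line parser: enough for flat key = value settings, not for the
    brace-delimited [realms] blocks a full krb5.conf contains."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "clockskew":
                return int(value)
    return default


class ApReqVerifier:
    """Server-side check of the (client, ctime, cusec) triple from an authenticator."""

    def __init__(self, clockskew):
        self.clockskew = clockskew
        self.replay_cache = {}  # (client, ctime, cusec) -> time after which the entry is useless

    def check(self, client, ctime, cusec, now):
        # Entries older than the skew window can be dropped: a replay that old
        # fails the time-stamp check anyway.
        for key, expires in list(self.replay_cache.items()):
            if expires <= now:
                del self.replay_cache[key]
        if abs(now - ctime) > self.clockskew:
            return "KRB_AP_ERR_SKEW"      # client clock (or the captured request) is too far off
        key = (client, ctime, cusec)
        if key in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"    # same authenticator seen before: a replay
        self.replay_cache[key] = ctime + self.clockskew
        return "OK"


def demo():
    """A fresh request, its replay one second later, and a request from a host
    whose clock is 30 minutes behind the server's (hypothetical hosts)."""
    verifier = ApReqVerifier(parse_clockskew(SAMPLE_KRB5_CONF))
    return [
        verifier.check("host/ws1.example.com@EXAMPLE.COM", 1000, 0, now=1060),
        verifier.check("host/ws1.example.com@EXAMPLE.COM", 1000, 0, now=1061),
        verifier.check("host/ws2.example.com@EXAMPLE.COM", 1000, 0, now=2800),
    ]


if __name__ == "__main__":
    print(demo())
```

A client whose clock has drifted beyond the skew fails every authentication with the skew error, which is the symptom to look for before touching clockskew; widening the window in krb5.conf also lengthens the time during which a captured authenticator stays replayable.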
26.6.4 Log Configuration
By default, the Kerberos daemons running on the KDC host log via the syslog daemon. To keep an eye on what your KDC is doing, process these log files regularly, scanning for unusual events or potential problems such as repeated pre-authentication failures from one address or requests for principals that do not exist. Either do this by running a log scanner script on the KDC host itself or by copying these files from the KDC to another host with rsync and reviewing them there.
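As an added example of the log scanner the manual mentions (this script is not part of the manual or of the Kerberos distribution), the Python below parses KDC request records and reports repeated pre-authentication failures and lookups of non-existent principals. The log lines are constructed in the style of MIT krb5kdc syslog output; the host, addresses and principals are invented, and the alert threshold is an assumption.

```python
"""Scan krb5kdc syslog lines for suspicious AS_REQ/TGS_REQ activity (added example)."""
import re
from collections import Counter

# Constructed sample lines in the style of MIT krb5kdc syslog output; not from a real KDC.
SAMPLE_LOG = """\
Jun 25 13:29:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.5: NEEDED_PREAUTH: geeko@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 25 13:29:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.5: ISSUE: authtime 1088162942, etypes {rep=18 tkt=18 ses=18}, geeko@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 25 13:30:10 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 25 13:30:11 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 25 13:30:12 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 25 13:30:14 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: CLIENT_NOT_FOUND: nosuch@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 25 13:31:00 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.5: ISSUE: authtime 1088162942, etypes {rep=18 tkt=18 ses=18}, geeko@EXAMPLE.COM for host/fs.example.com@EXAMPLE.COM
Jun 25 13:31:05 kdc syslogd: restart
"""

# One KDC request record: request type, client address, status code, then the
# client principal and the requested service. ISSUE records carry authtime and
# etypes before the principal, which the optional lazy group skips over.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[0-9.]+): (?P<status>[A-Z_]+): (?:.*?, )?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)"
)


def parse_kdc_log(text):
    """One dict per request record; lines that are not KDC request records are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in text.splitlines()) if m]


def find_suspicious(events, threshold=3):
    """Flag sources that repeatedly fail pre-authentication (password guessing)
    or repeatedly ask for principals that do not exist (account enumeration).
    The threshold is an assumed value; tune it to the realm's normal noise."""
    preauth_failed = Counter()
    not_found = Counter()
    for e in events:
        if e["status"] == "PREAUTH_FAILED":
            preauth_failed[(e["ip"], e["client"])] += 1
        elif e["status"] == "CLIENT_NOT_FOUND":
            not_found[e["ip"]] += 1
    alerts = []
    for (ip, client), n in sorted(preauth_failed.items()):
        if n >= threshold:
            alerts.append(f"{ip}: {n} pre-authentication failures for {client}")
    for ip, n in sorted(not_found.items()):
        if n >= threshold:
            alerts.append(f"{ip}: {n} requests for unknown principals")
    return alerts


def summarize(events):
    """Counts per (request type, status); useful as a daily baseline to compare against."""
    return Counter((e["req"], e["status"]) for e in events)


if __name__ == "__main__":
    records = parse_kdc_log(SAMPLE_LOG)
    for alert in find_suspicious(records):
        print("ALERT", alert)
    for key, count in sorted(summarize(records).items()):
        print(key, count)
```

Run it over the copied log files from cron and mail the alerts; a realm with many users will need the threshold raised and a time window added so that a day's worth of genuine typos does not trip it.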
26.6. Installing and Administering Kerberos