“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 667 — #693
26 Security in the Network
Forwarding all log output via syslogd’s log forwarding mechanisms is not
recommended, because information traverses the network unencrypted.
26.6.5 Installing the KDC
This section covers the initial installation of the KDC, including creation of
an administrative principal.
Installing the RPMs
Before you can start, install the Kerberos software. On the KDC, install the
packages heimdal, heimdal-lib, and heimdal-tools:
rpm -ivh heimdal-*.rpm heimdal-lib-*.rpm heimdal-tools*.rpm
Setting the Master Key
Your next step is to initialize the database where Kerberos keeps all
information about principals. First, set the database master key, which is used
to protect the database from accidental disclosure, in particular when it is
backed up to a tape. The master key is derived from a pass phrase and is
stored in a file called the stash file. This is so you do not need to type in the
password every time the KDC is restarted. Make sure you choose a good
pass phrase, such as a sentence from a book opened to a random page.
When you make tape backups of the Kerberos database (/var/heimdal/heimdal.db),
do not back up the stash file (/var/heimdal/m-key). Otherwise, everyone able
to read the tape could also decrypt the database. It is also a good idea to
keep a copy of the pass phrase in a safe or some other secure location,
because you will need it when restoring your database from backup tape
after a crash.
To set the master key, run kstash without arguments and enter the pass
phrase twice:
kstash
Master key:<enter pass phrase>
Verifying password - Master key:<enter pass phrase again>
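The backup rule above (archive heimdal.db, never the m-key stash file) is easy to get wrong in a cron job, so here is an added example, not taken from the SUSE manual or from Heimdal, that archives a KDC directory without the stash file, verifies the archive afterwards, and checks that the stash file is readable by its owner only. The function names, the return codes and the constructed sample directory are assumptions; the file names heimdal.db and m-key are the ones the manual gives.

```shell
#!/bin/sh
# Added example (not from the SUSE manual or Heimdal): back up a Heimdal KDC
# database directory while leaving the master-key stash file (m-key) out of
# the archive, then verify the archive independently. <kdc_dir> is a
# parameter so the function can be exercised on a constructed directory
# instead of /var/heimdal.

# backup_kdc_db <kdc_dir> <archive.tar>
# Returns 0 on success, 1 if m-key ended up in the archive anyway,
# 2 if heimdal.db is missing, 3 if tar failed.
backup_kdc_db() {
    kdc_dir=$1
    archive=$2
    [ -f "$kdc_dir/heimdal.db" ] || return 2
    # Explicit file list: every entry except the stash file.
    files=$(ls -A "$kdc_dir" | grep -v '^m-key$')
    tar -C "$kdc_dir" -cf "$archive" $files || return 3
    # Independent check on the finished archive, not on the input list.
    if tar -tf "$archive" | grep -q '^m-key$'; then
        return 1
    fi
    return 0
}

# stash_perms_ok <stash_file>
# Returns 0 if the stash file is mode 0600 or 0400, 1 otherwise
# (uses GNU stat, falling back to BSD stat).
stash_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample layout (not a real KDC) so the script runs stand-alone.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed database\n' > "$tmp/heimdal.db"
    printf 'constructed stash\n' > "$tmp/m-key"
    chmod 600 "$tmp/m-key"
    backup_kdc_db "$tmp" "$tmp/kdc-backup.tar" && echo "backup ok, m-key excluded"
    stash_perms_ok "$tmp/m-key" && echo "stash file permissions ok"
}
demo
```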