“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 675 — #701
26 Security in the Network

The naming convention for host principals is host/<hostname>@<REALM>, where hostname is the host’s fully qualified host name. Host principals are similar to user principals, but have significant differences. The main difference between a user principal and a host principal is that the key of the former is protected by a password: when a user obtains a ticket-granting ticket from the KDC, he needs to type his password so Kerberos can decrypt the ticket. Obviously, it would be quite inconvenient for the system administrator if he had to obtain new tickets for the SSH daemon every eight hours or so.

Instead, the key required to decrypt the initial ticket for the host principal is extracted by the administrator from the KDC once and stored in a local file called the keytab. Services such as the SSH daemon read this key and use it to obtain new tickets automatically when needed. The default keytab file resides in /etc/krb5.keytab.
To create a host principal for machine.sample.com, enter the following commands during your kadmin session:

    kinit newbie/admin
    newbie/admin@SAMPLE.COM’s Password: <type password>
    kadmin add -r host/machine.sample.com
    Max ticket life [1 day]:
    Max renewable life [1 week]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:

Instead of setting a password for the new principal, the -r flag tells kadmin to generate a random key. This is used here because no user interaction is wanted for this principal: it is a server account for the machine.

Finally, extract the key and store it in the local keytab file /etc/krb5.keytab. This file is owned by the superuser, so you must be root to execute the next command:

    ktutil get host/machine.sample.com

When completed, make sure you destroy the admin ticket obtained via kinit above with kdestroy.
SUSE LINUX Enterprise Server