asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

Differences

This shows you the differences between the selected revision and the current version of the page.

docs:security:kerberos 2005/10/23 15:18 docs:security:kerberos 2008/10/03 08:25 current
Line 1: Line 1:
 +======MIT Implementation======
 +
 +=====Enctypes=====
 +
 +kdc logs use decimal value to refer encrypt types
 +
 +//Extract from kr5b.conf//
 +<code>
 +/* per Kerberos v5 protocol spec */
 +#define ENCTYPE_NULL            0x0000
 +#define ENCTYPE_DES_CBC_CRC    0x0001  /* DES cbc mode with CRC-32 */
 +#define ENCTYPE_DES_CBC_MD4    0x0002  /* DES cbc mode with RSA-MD4 */
 +#define ENCTYPE_DES_CBC_MD5    0x0003  /* DES cbc mode with RSA-MD5 */
 +#define ENCTYPE_DES_CBC_RAW    0x0004  /* DES cbc mode raw */
 +/* XXX deprecated? */
 +#define ENCTYPE_DES3_CBC_SHA    0x0005  /* DES-3 cbc mode with NIST-SHA */
 +#define ENCTYPE_DES3_CBC_RAW    0x0006  /* DES-3 cbc mode raw */
 +#define ENCTYPE_DES_HMAC_SHA1  0x0008
 +#define ENCTYPE_DES3_CBC_SHA1  0x0010
 +#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
 +#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
 +#define ENCTYPE_ARCFOUR_HMAC    0x0017
 +#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
 +#define ENCTYPE_UNKNOWN        0x01ff
 +/* local crud */
 +/* marc's DES-3 with 32-bit length */
 +#define ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
 +</code>
 +
======Debian Installation====== ======Debian Installation======
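Review bot: the label "//Extract from kr5b.conf//" is wrong on two counts: the filename is misspelled (krb5.conf), and these are C preprocessor `#define` constants, which cannot come from a krb5.conf configuration file at all; they are the enctype constants from the MIT krb5 C header (krb5.h), and the label should say so. Since the sentence above says the KDC logs refer to enctypes in decimal while the block lists them in hex, the reader would be helped by the decimal equivalents the logs actually show, e.g. `0x0010` = 16 (DES3_CBC_SHA1), `0x0011` = 17 (AES128_CTS_HMAC_SHA1_96), `0x0012` = 18 (AES256_CTS_HMAC_SHA1_96), `0x0017` = 23 (ARCFOUR_HMAC). Wording: "kdc logs use decimal value to refer encrypt types" should read "KDC logs refer to encryption types by their decimal value".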
Line 15: Line 44:
//Initial ACL /etc/krb5kdc/kadm5.acl// //Initial ACL /etc/krb5kdc/kadm5.acl//
<code> <code>
-*/admi@DEBIAN-FR.ORG  *+*/admin@DEBIAN-FR.ORG  *
</code> </code>
 +
 +This is the minimal ACL file you **MUST** have in order to login locally (with kadmin.local) and
 +add another principals.
//Create the kadmin principal// //Create the kadmin principal//
<code> <code>
# kadmin.local # kadmin.local
 +Authenticating as principal root/admin@DEBIAN-FR.ORG with password.
 +kadmin.local:  addprinc asyd/admin@DEBIAN-FR.ORG
 +WARNING: no policy specified for asyd/admin@DEBIAN-FR.ORG; defaulting to no policy
 +Enter password for principal "asyd/admin@DEBIAN-FR.ORG":
 +Re-enter password for principal "asyd/admin@DEBIAN-FR.ORG":
 +Principal "asyd/admin@DEBIAN-FR.ORG" created.
 +</code>
 +//Create the minial keytab//
 +<code>
 +# kadmin.local
 +kadmin.local:  ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
 +Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
 +Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
 +Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
 +Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
 +</code>
 +
 +//Check for stash file: If you don't have /etc/krb5kdc/stash, just simple run//
 +<code>
 +# kdb5_util stash -f /etc/krb5kdc/stash
 +</code>
 +
 +//Optional: enable logging, add the following lines to /etc/krb5.conf//
 +<code>
 +[logging]
 +        kdc = FILE:/var/log/krb/kdc.log
 +        admin_server = FILE:/var/log/krb/admin.log
</code> </code>
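Review bot: the sentence added under the ACL should also say what the entry grants: `*/admin@DEBIAN-FR.ORG  *` gives every principal whose instance is `admin` all privileges on the whole database, so `asyd/admin` created just below, and any other `*/admin` principal added later, is a full administrator; worth stating explicitly so readers keep `/admin` instances to a minimum. In the keytab block the output shows a `DES cbc mode with CRC-32` key being written alongside the 3DES key for both `kadmin/admin` and `kadmin/changepw`; given the "XXX deprecated?" remark on the DES enctypes in the first hunk, the text should point out that single-DES keys land in kadm5.keytab by default here. Wording: "minial keytab" → "minimal keytab", "add another principals" → "add other principals", "just simple run" → "just run".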