Setting Up The Kdc Hardware - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual


For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples.

46.2 Setting Up the KDC Hardware

The first thing required to use Kerberos is a machine that acts as the key distribution center, or KDC for short. This machine holds the entire Kerberos user database with passwords and all information.

The KDC is the most important part of your security infrastructure—if someone breaks into it, all user accounts and all of your infrastructure protected by Kerberos are compromised. An attacker with access to the Kerberos database can impersonate any principal in the database. Tighten security for this machine as much as possible:

1 Put the server machine into a physically secured location, such as a locked server room to which only a very few people have access.

2 Do not run any network applications on it except the KDC. This includes servers and clients—for example, the KDC should not import any file systems via NFS or use DHCP to retrieve its network configuration.

3 Install a minimal system first, then check the list of installed packages and remove any unneeded packages. This includes servers, such as inetd, portmap, and cups, as well as anything X-based. Even installing an SSH server should be considered a potential security risk.

4 No graphical login is provided on this machine as an X server is a potential security risk. Kerberos provides its own administration interface.

5 Configure /etc/nsswitch.conf to use only local files for user and group lookup. Change the lines for passwd and group to look like this:

    passwd: files
    group:  files

  Edit the passwd, group, shadow, and gshadow files in /etc and remove the lines that start with a + character (these are for NIS lookups).
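
The check in step 5, as an added example that is not part of the Novell manual: a POSIX shell audit that reports any passwd or group source other than files in nsswitch.conf and any + entries left in the four account files. The function names and the optional directory argument are assumptions made for this example; the argument lets the checks run against a copy of /etc.

```shell
#!/bin/sh
# Added example: audits step 5. Function names and the optional ETC_DIR
# argument (default /etc) are assumptions, not part of the manual.

# nss_sources DB [ETC_DIR]: print the sources configured for database DB.
nss_sources() {
    awk -v db="$1" '
        { sub(/#.*/, "") }                          # strip comments
        match($0, "^[ \t]*" db "[ \t]*:") {
            $0 = substr($0, RLENGTH + 1); $1 = $1   # normalise whitespace
            print; exit
        }' "${2:-/etc}/nsswitch.conf"
}

# nss_local_only [ETC_DIR]: succeed only if passwd and group use exactly "files".
nss_local_only() {
    for db in passwd group; do
        [ "$(nss_sources "$db" "$1")" = "files" ] || return 1
    done
}

# nis_compat_lines [ETC_DIR]: print file:line:text for every "+" entry.
# shadow and gshadow are normally readable by root only; say so if skipped.
nis_compat_lines() {
    dir="${1:-/etc}"
    for f in passwd group shadow gshadow; do
        if [ ! -r "$dir/$f" ]; then
            [ -e "$dir/$f" ] && echo "$f: not readable (run as root)"
            continue
        fi
        grep -n '^+' "$dir/$f" | sed "s|^|$f:|"
    done
    return 0
}

# audit_kdc_lookup [ETC_DIR]: print findings; non-zero exit if any were found.
audit_kdc_lookup() {
    rc=0
    if ! nss_local_only "$1"; then
        echo "nsswitch.conf: passwd/group lookups are not limited to 'files'"
        rc=1
    fi
    hits=$(nis_compat_lines "$1")
    if [ -n "$hits" ]; then
        echo "entries to review in the account files:"
        echo "$hits"
        rc=1
    fi
    return "$rc"
}
```

Source the file and run `audit_kdc_lookup` as root with no argument to check the live /etc; a zero exit status means both parts of step 5 hold.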


This manual is also suitable for:

Suse linux enterprise server 10