It is also a good idea to use your DNS domain name (or a subdomain, such as
ACCOUNTING.EXAMPLE.COM). As shown below, your life as an administrator can
be much easier if you configure your Kerberos clients to locate the KDC and other
Kerberos services via DNS. To do so, it is helpful if your realm name is a subdomain
of your DNS domain name.
Unlike the DNS name space, Kerberos is not hierarchical. You cannot set up a realm
named EXAMPLE.COM, have two "subrealms" named DEVELOPMENT and
ACCOUNTING underneath it, and expect the two subordinate realms to somehow inherit
principals from EXAMPLE.COM. Instead, you would have three separate realms, for
which you would have to configure cross-realm authentication before users from one
realm could interact with servers or other users from another realm.
For the sake of simplicity, assume you are setting up just one realm for your entire
organization. For the remainder of this section, the realm name EXAMPLE.COM is used
in all examples.
6.4.3 Setting Up the KDC Hardware
The first thing required to use Kerberos is a machine that acts as the key distribution
center, or KDC for short. This machine holds the entire Kerberos user database with
passwords and all information.
The KDC is the most important part of your security infrastructure—if someone breaks
into it, all user accounts and all of your infrastructure protected by Kerberos are
compromised. An attacker with access to the Kerberos database can impersonate any
principal in the database. Tighten security for this machine as much as possible:
1 Put the server machine into a physically secured location, such as a locked server
room to which only a very few people have access.
2 Do not run any network applications on it except the KDC. This includes servers
and clients—for example, the KDC should not import any file systems via NFS
or use DHCP to retrieve its network configuration.
3 Install a minimal system first, then check the list of installed packages and remove
any unneeded packages. This includes servers, such as inetd, portmap, and cups,
as well as anything X-based. Even installing an SSH server should be considered
a potential security risk.
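A hypothetical audit helper for checking a freshly installed KDC host against steps 2 and 3 above (added here as an example; it is not part of the SUSE guide). It assumes the package list comes from `rpm -qa --qf '%{NAME}\n'`, the socket list from `ss -ltnu`, and that only the standard Kerberos ports 88 (KDC), 464 (kpasswd) and 749 (kadmin) should be listening; the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Hypothetical KDC hardening audit (not from the SUSE guide).

# Step 3: flag packages the guide names as unneeded on a KDC. Input is one
# package name per line, e.g. from: rpm -qa --qf '%{NAME}\n'
# xinetd is included as an assumption (it is the inetd shipped on SLES).
flag_packages() {
    while read -r pkg; do
        case "$pkg" in
            inetd|xinetd|portmap|cups) echo "REMOVE $pkg" ;;
            xorg-x11*)                 echo "REMOVE $pkg (X-based)" ;;
            openssh*)                  echo "REVIEW $pkg (SSH server is a potential risk)" ;;
        esac
    done
}

# Step 2: flag every listening socket that is not a Kerberos service. Input is
# the output of: ss -ltnu   (header line is skipped). The allowed port list is
# an assumption of this script; adjust it to your kdc.conf.
flag_listeners() {
    while read -r proto state recvq sendq laddr peer; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        port=${laddr##*:}
        case "$port" in
            88|464|749) ;;
            *) echo "UNEXPECTED $proto $laddr" ;;
        esac
    done
}

# Constructed sample data standing in for the real command output.
SAMPLE_PKGS='krb5-server
cups
openssh
xorg-x11-libs
bash'
SAMPLE_SOCKETS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:88 *:*
tcp LISTEN 0 128 *:749 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 5 127.0.0.1:631 *:*'

printf '%s\n' "$SAMPLE_PKGS" | flag_packages
printf '%s\n' "$SAMPLE_SOCKETS" | flag_listeners
```

On a real host replace the two sample variables with the live command output; any REMOVE or UNEXPECTED line is something the guide says should not be on the KDC.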