Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 105


4 No graphical login is provided on this machine, as an X server is a potential security risk. Kerberos provides its own administration interface.
5 Configure /etc/nsswitch.conf to use only local files for user and group lookup. Change the lines for passwd and group to look like this:
passwd: files
group: files
Edit the passwd, group, and shadow files in /etc and remove the lines that start with a + character (these are for NIS lookups).
6 Disable all user accounts except root's account by editing /etc/shadow and replacing the hashed passwords with * or ! characters.
6.4.4 Configuring Time Synchronization
To use Kerberos successfully, make sure that all system clocks within your organization are synchronized within a certain range. This is important because Kerberos protects against replayed credentials: an attacker might be able to observe Kerberos credentials on the network and reuse them to attack the server. Kerberos employs several defenses to prevent this. One of them is that it puts time stamps into its tickets. A server receiving a ticket with a time stamp that differs from the current time rejects the ticket.
Kerberos allows a certain leeway when comparing time stamps. However, computer clocks can be very inaccurate in keeping time; it is not unheard of for PC clocks to lose or gain half an hour over the course of a week. For this reason, configure all hosts on the network to synchronize their clocks with a central time source.
A simple way to do so is to install an NTP time server on one machine and have all clients synchronize their clocks with this server. Do this either by running an NTP daemon in client mode on all these machines or by running ntpdate once a day from all clients (this solution probably works for a small number of clients only). The KDC itself needs to be synchronized to the common time source as well. Because running an NTP daemon on this machine would be a security risk, it is probably a good idea to do this by running ntpdate via a cron entry. To configure your machine as an NTP client, proceed as outlined in Section "Configuring an NTP Client with YaST" (Chapter 21, Time Synchronization with NTP, Administration Guide).
Network Authentication with Kerberos
91
